How to Reduce the Disconnect Between IT Policy & Employee Behavior

Posted on June 02, 2015

Breezy looks at reducing the gap between IT policy and employee behaviorIt?s not news that there is a security disconnect between IT and employees, especially when it comes to personally-owned mobile devices. But several recent studies show just how wide the gap is. For instance, SOTI found that 73% of consumers accessed corporate data from a free or public Wi-Fi connection, nearly 65% forwarded a work document or file to personal email address, and nearly 65% used consumer cloud storage such as DropBox, Google Drive or SkyDrive for work files.

In a consumer security risks survey by Kaspersky Labs, 92% of respondents said that they keep sensitive corporative information on smartphones and tablets which they use for both work and personal activities. Six in 10 employees say that they are worried over the threat of surveillance and data theft through mobile devices, but feel that it is the company?s responsibility to keep its data safe, and to protect employee privacy as well.

So it?s no wonder that Mobile Enterprise found that a third of IT professionals think accidental data exposure caused by employee behavior is the top security threat for their company, compared to only 16% for phishing, outside hackers and government spying. The same article says that 60% of enterprises have actively prevented a data breach, but less than 50% have a mobility strategy, and only 34% are using an EMM solution.

?I can cite a number of surveys like these that show the significant difference in how employees and employers view the use of personally-owned devices in the workplace,? says Prat Agarwal, director of business development at secure mobile printing leader Breezy. ?But the truth is that it takes proactive steps on the part of both employers and employees to prevent accidental data leakage or data theft.?

MDM, EMM & Employee Behavior

Mobile device management (MDM) was once all the rage ? but companies are increasingly upgrading to an enterprise mobility management (EMM) solution. What?s the difference? EMM, Agarwal says, takes MDM to the next level with more robust application and content management suites in addition to device management.

Terrence Cosgrove, one of the authors of Gartner?s Magic Quadrant ranking of EMM solutions, wrote in his report that what sets modern EMM solutions apart from earlier MDM products is the broader toolset included with EMM. To qualify for the Gartner Magic Quadrant, he says that an EMM package has to include: mobile security, policy management, configuration management and a management overlay for applications and content intended for mobile devices based on smartphones.

But Cosgrove and Agarwal are both quick to point out that EMM and MDM solutions only work so long as the policies and procedures are enforced. ?Employee behavior is the unknown factor in any mobile security solution,? Agarwal says. ?Over half of workers under 35 say they will violate a policy or disobey their boss in order to get their job done. If you have employees who deliberately circumvent IT policy by downloading or using unsecured apps, or sending data to an outside device, then that data is at risk.?

So how does IT protect sensitive company data? Agarwal says that a strong policy about personally owned devices and BYOD is the first step, followed by an EMM implementation that considers how employees actually use their mobile devices in their day-to-day jobs.

?For example, Breezy?s secure mobile printing solution closes a critical gap in most mobile device strategies. Employees want and need to be able to print from smartphones and tablets, and if they can?t do it easily with a secure tool like Breezy, they will download an unsecured printing app or send the data to an personal email account or cloud storage device they can use to print it.?

But, he adds, technology alone isn?t enough. ?I can?t stress enough how important communication, training, and ongoing reminders are to preventing a data breach. Mobile device security isn?t a set-it-and-forget-it deal. And a policy statement covered during new employee orientation isn?t enough to convince employees of the need to be vigilant with their mobile device security.?

Training, Training, and More Training

Mobile technology at its heart is still a consumer technology that changes at a pace outside of IT�s traditional comfort zone. It has led to more and more devices and apps entering the enterprise, including new wearables like the Apple Watch. ?When someone buys a new gadget, security is usually the last thing on their mind,? Agarwal says. ?The idea that the fitness tracker or smart watch they just bought could become a way for someone to steal data from their employer isn?t even the farthest thing from their mind because it doesn?t occur to them at all.?

And that, he adds, is why training is imperative. Gartner research Vice President Andrew Wells said the security awareness training market exceeds $1 billion in annual revenue (globally), and is growing approximately 13% each year.

According to Gartner, employees? actions can detrimentally impact security and risk performance. CISOs and employee communication leaders are increasingly turning to educational security awareness solutions to help improve organizational compliance, expand security knowledge and change poor security behaviors.

In the 2014 U.S. State of Cybercrime Survey co-sponsored by Carnegie Mellon University and the Secret Service, 28% of cybersecurity incidents were blamed on current or former employees, contractors and other trusted parties. Nearly a third of respondents said such incidents cost more or inflict more damage than outside attacks.

?A single training session just won?t do it,? Agarwal says. ?When a new employee is hired, you need to make them aware of your security policies, including your BYOD policy. But that?s just the tip of the iceberg. Ongoing training, as often as once a quarter or whenever there is a data breach, a new device enters the market and therefore your workforce, is essential.?

Breezy adds an extra layer of protection to the mobile devices that connect to your network or store your data. For more information on mobile device security and secure mobile printing, watch this video from Breezy, download The Definitive Guide to Mobile Printing, a free ebook, or click here to schedule a Breezy demo now. If you?re a MobileIron user or are in the Bay Area or Silicon Valley, stop by to see Breezy during MobileIron?s Mobile First Conference, June 9-12, 2015, at the Hilton Union Square in San Francisco. There?s still time to register ? click here to register now.

Photo credit: This image of the manager's face behind binary code was created by Geralt, and is used under a Creative Commons license from Pixabay.

Easy to deploy and manage

Customers report that Breezy installations are among the easiest they’ve ever seen for an enterprise product.