Menaced by an ever-expanding array of increasingly potent threats, today’s highly mobile employees are frontline participants in the struggle to secure the enterprise. So while solid security strategies must include smart policies, rigorous enforcement, and deep monitoring/ reporting, they must also reflect the needs and habits of the company’s users.

“When policies are developed collaboratively across the company, and security awareness is woven into the culture, violations are infrequent.”

Unfortunately, keeping employees both safe and satisfied isn’t easy. Employees want anywhere, anytime access to information from any device without cumbersome security protections slowing them down. Business managers want to safeguard important information without inhibiting growth, innovation, and competitiveness. IT departments want to keep everyone productive while recognizing that employees and their devices are often the weak links in the security chain.

To balance those competing interests, security leaders should follow these best practices:

1. Educate users

An informed, security-conscious workforce is every company’s first line of defense against security threats, so teaching people how to work safely from any location on any device must be a top priority.

Simply preaching best practices is a recipe for failure. Take the time to understand who your users are, what they do, and what they need. Then explain your company’s security policies to them in terms that are easily understood and relevant to their role.

“Relevance is key,” Roemer says. “Everything you present should be specific to a person’s function rather than onesize- fits-all.”

It should also be personal, Stan Black, chief information security officer at Citrix adds. For example, in addition to work-related security training, Citrix gives its employees advice on topics like securing a home wireless network and helping their kids use the Internet safely.

“We try to tie all our education efforts to the full lifecycle of security, not just what people do at the office,” Black says. That makes security training more valuable for employees while also protecting sensitive data from poorly secured personal hardware.

2. Engage with line-of-business organizations

Close working relationships between IT executives and line-of-business managers are an essential ingredient for effective security. Meeting regularly with business decision makers empowers security leaders to build appropriate safeguards into new business initiatives right from the beginning. It also gives them an indispensable, up-close perspective on a business group’s unique risks and requirements.

“You’ll learn more about operational processes and potential dangers that you’d never know about otherwise,” Black says. “You can then incorporate those insights into your security plans and make them even richer.”

3. Take a modern and mobile look at security policies

As critical as it is, training alone doesn’t ensure strong security. Many of the devices, networks, and storage systems employees rely on these days are outside of IT control.

Want more like this?

Want more like this?

Insight delivered to your inbox

Keep up to date with our free email. Hand picked whitepapers and posts from our blog, as well as exclusive videos and webinar invitations keep our Users one step ahead.

sign up

By clicking 'SIGN UP', you agree to our Terms of Use and Privacy Policy

SIGN UP

By clicking 'SIGN UP', you agree to our Terms of Use and Privacy Policy

“IT needs to update traditional security policies for the new mobile and cloud services reality,” Roemer observes.

Start by thinking through how strictly you want to limit access to your company’s data based on where an employee is located and what kind of device they’re using. Most companies adopt graduated policies that protect sensitive information more carefully than public information and provide less access from consumer-grade and “bring your own devices” (BYOD) than from more thoroughly “locked down” enterprise-grade devices.

Then revise your security policies to reflect risks like storing business data on personally owned devices, posting passwords on a computer monitor, or using a USB storage device you found on the floor.

4. Enforce policies fairly and consistently

Security policies can lose value over time if users don’t believe violating them has consequences—or worse yet, if they believe bypassing them improves productivity. Policies must be maintained and kept current with the business. Security leaders must therefore enforce policies fairly and consistently.

“When policies are developed collaboratively across the company, and security awareness is woven into the culture, violations are infrequent,” Black says.

5. Automate security seamlessly

To further reduce policy violations, use security software to automate policy enforcement. For example, many security solutions can implement desired behaviors—like encrypting business data on mobile devices—by default. They can also build tighter security into core elements of the user experience by automatically preventing employees from running unauthorized apps over the company network or limiting which apps people can open email attachments with, for example. Other solutions provide logging and reporting functionality that can help you prove to auditors that you’ve applied appropriate policies scrupulously.

Even so, software is ultimately just one piece of the security puzzle.

“To really protect the company you have to get to know your line-of-business groups and your end users,” Roemer says.

Ultimately, the best security strategies are as much about people as technology.