Free pizza can go a long way in helping to raise the awareness of security among employees, according to the chief information security officer (CISO) of Lehman Brothers Holdings.
Speaking on a panel at the Infosecurity Europe conference in London yesterday discussing the security of mobile devices in the workplace, Michael Everall, CISO at LAMCO LLC – Lehman Brothers Holdings, said that education, training and raising awareness of end users was key to addressing security issues around mobile devices.
It follows a recent survey from (ISC)2 which found that after application vulnerabilities, information security professionals are most concerned by the threats posed by mobile devices.
Everall said that enticing end users to security awareness training sessions with the offer of pizza was surprisingly successful.
“A little bit of stick and a little bit of pizza helps to get things across,” he said.
In addition, offering a freebie for employees who complete training programmes is also a good way to engage with end users, Everall said.
He added: “Make sure each individual is aware about what is happening and how it helps them. Articulate not just the how [you are implementing security] but also the why. We are trying to protect the individual, in some cases, from themselves.”
Gary Cheetham, CISO at insurance firm NFU Mutual, said that developing this culture of accountability with end users, and introducing some light-touch policies to start off with, will help organisations manage the risks associated with the growth of mobile devices used in the business.
“It [mobile devices in the business] is inevitable. We just have to manage the risk,” he said.
Everall agreed, saying that his business, having outsourced most of its IT, cannot do the same for risk.
“You can’t outsource your risk, and it comes down to the individual. You [the user] handle that risk.”
One of the main challenges to managing the risk is the speed of adoption of mobile devices in the business – especially when it is led by senior management. This leads to IT departments continually having to play catch-up.
“We are a predominantly BlackBerry estate, but our senior management want other devices and want them very quickly,” said Cheetham.
“We are up against a timescale where we cannot secure the devices to the timescale they want to use them.”
While Cheetham seems prepared to accommodate mobile devices, other than BlackBerry,, in contrast, John Lewis Partnership’s information security officer said he did not think many mobile devices were secure enough yet for his organisation.
“We are under pressure to go down the Apple route,” said Louis Gamon, information security officer at John Lewis.
“I don’t think currently the Android or any other mobile [platforms] are secure enough. People lose them on a regular basis. I don’t have any confidence in the Googles of this world.”