Beltug

Fully secure & workable ICT - a contradiction or a counterbalance? Takeaways from the Beltug X-change: 7 Dec 2017


Date: 07/12/2017


It seems a thin line, the balance between a safe, secured ICT environment on the one hand, and a user-friendly, workable system on the other. You need to make sure all possible openings in and out of your network are properly shielded. But you also want happy users who utilise the company's assets properly, and don't try to find workarounds for security measures that slow them down.

 

During this session on Workable Security, we took a close look at how to create and maintain that balance. We also explored best practices for making your users fully aware of the why’s and how’s of security measures. Our experts from mobco, Awingu and Microsoft guided the session and answered our participants' many questions! Presentations from the event are available, exclusively for Beltug members (after login).

 

The world is changing: with that, Ulrik Van Schepdael, Managing Director at mobco, opened the session. And while we are increasingly going mobile, many enterprises’ ICT departments are lagging behind, including on security measures. It is a balancing act between operations, user experience and security, he stated.

 

Operational efficiency is of course critical: we now have 3 times more devices to manage, for more or less the same number of employees. Make sure, Ulrik recommended, to deploy solutions that combine excellent operational efficiency with a top user experience.

 

The user is often the challenging part of the balancing act. Increasingly 'device-savvy', users don't want to attend training to learn about a mobile device or app (slide 8).

 

When setting up mobile devices, certificates are a key factor in securing them.  For mail, for example, security should be based on multi-factor authentication: a unique device, a unique user and a unique certificate to unlock the device.

 

The intranet experience and your document management also need to become mobile (slides 17-19).

 

At the end, Ulrik shared his four keys to securing mobile devices in a user-friendly way:

  • Device enrolment
  • Certificate-based authentication
  • Correct EMM configuration
  • Controlled authentication for all services.

 

Next on the agenda was Pieter De Clerck, responsible for Evangelisation and Business Development at Awingu.  He stated that too much security inevitably leads to more fraud and bypasses: a seeming contradiction, yet true.

 

His talk began with a call for simplicity: in networking, security and infrastructure. Treat your passwords like your underpants, he joked:

  • Change them often
  • Don't leave them lying around
  • Don't share them.

 

Pieter agreed with the previous speaker: multi-factor authentication is the answer! One important note, though: so-called 'personal questions' (e.g. 'what is the name of your dog', 'what is the town where you grew up') and captchas do not count as 'factors' in this authentication.

 

Pieter advises against blocking shadow IT. Instead, keep pace with your users, monitor what they do, and embrace it.

 

To conclude, he emphasised: if it's not usable, it's not secure!

 

Our final speaker of the day was An Lenders, Technology Advisor Threat Management & Office 365 at Microsoft.  She brought another angle to the table: classification of data as a starting point in protecting your company data.

 

Classifying data allows you to monitor documents and to make sure that highly confidential data can't be shared with external parties. But you need to make sure an end-user can't lower a security level for their own convenience.

 

Again, balance is key: between your end-users’ expectations and those of your ICT department. It doesn't make sense to put the highest security level on all documents and to block all access: users will then find workarounds.

 

Classifying and labelling documents protects sensitive information (with labels like 'highly confidential', 'sensitive', 'low sensitivity'), including across cloud services. The label can also help in the retention or deletion of data, as required by the GDPR (see Beltug's GDPR tools).

 

What labels are best? A company can focus on permissions, business impact or content. There is no single recipe, An shared. The labels depend on the company's policies. As a best practice, An shared a way to get started right away (slides 12 & 13). But keep in mind that, after the start-up, you will need to fine-tune your labels based on the feedback of your users.

 

Assign someone to manage the labels, to make sure they are accurate and to avoid label proliferation. You can create subsets of labels, e.g. for different departments, but don't overdo this, An emphasised.

 

Then, allow your users to adopt the right behaviour.  Communicate! While it might sometimes be frustrating for your users, make document labelling mandatory, so that users must think and decide on the content of their documents.  This increases their awareness of policies and data protection.

 

In a second stage, you can monitor your users’ behaviour and educate them: inform them of wrong usage where necessary or ask for a business justification.