Case study: Physical security awareness and smartphone security policy

Even if employees are aware of the importance of keeping data secure, they may not be so thoughtful when it comes to the data-storing devices themselves. In this expert tip, Michael Cobb explains how to incorporate physical security awareness into a smartphone security policy.

Recently, I worked with a small/medium-sized company employing more than 250 people. It was struggling to bring its mobile sales force's use of BlackBerry smartphones under control. All the salespeople had been issued phones to enable them to sync their contacts and diaries, as well as submit reports and orders, just like any typical mobile worker. The productivity gains had been impressive, but the high number of damaged, lost or stolen BlackBerrys in the first year was a cause for concern.

The company had a good acceptable usage policy: All sensitive data held on employees' BlackBerrys was encrypted, and the sales force largely followed the rules regarding encryption and sensitive data-handling procedures. Its in-house security awareness training had done a great job ensuring everyone appreciated the value of company data and the need to keep it protected. While some of its phones had been lost or stolen, data wasn't exposed. What was missing, however, was physical security awareness, namely an appreciation of the value and cost of the BlackBerry itself.

Since the BlackBerrys were handed out by the company, they were treated in much the same way as a paper notepad might have been: If one was lost or damaged, employees thought they'd just get a new one. The task was to promote appropriate care for these company assets by way of policies, including, potentially, financial penalties for losing or damaging the phones. Such penalties were rejected, however, as they were not only onerous to implement, but also didn't match the culture that the company aimed to foster.

To help individual users do a better job of keeping track of their devices, I suggested that each salesperson could receive a free case for his or her BlackBerry when they attended a short presentation on physical security for mobile devices. I persuaded the CSO not to order a set of cases with the company logo emblazoned on them, as this would potentially make the phones more of a target for a professional data thief in search of sensitive corporate data. Instead we decided to let each person choose the colour of case he or she wanted.

It worked beautifully: Everyone left the presentation proudly clutching a BlackBerry wrapped in the case of his or her choice, ranging from pink to black, striped to spotted. This is exactly what the company's management had hoped for: Everyone had taken ownership of his or her smartphone.

Data ownership is a key aspect of any smartphone security policy and is usually an area that requires a lot of work to get employees within an organisation to appreciate fully. In this instance, the company had done a good job of embedding data ownership into everything it did; what was needed was a way to extend that to all information assets.

To back up the presentation on physical security, the acceptable usage policy was revised to place suitable emphasis on protecting physical information assets, and various posters reinforcing the key messages have been put up. This may seem a light-handed way to get employees to treat company assets with respect, but it has proved effective -- only one BlackBerry has needed replacing so far this year -- and it helped the company avoid a heavy-handed smartphone security mandate that could have alienated employees.

Obviously not every such campaign is this successful, and sometimes a more stringent policy may be needed to ensure employees take due care of company assets. It may be necessary to discipline staff or make them pay for the replacement of lost assets such as laptops, mobiles or electronic ID cards in order to drive home the point that these have a monetary value. It can be difficult to restrict the use of certain assets if they're needed for a particular job, but staff who fail to follow policy could be put last in the queue for upgrades to the latest model.

The key lesson is that, no matter what it takes, employees must take ownership of the organisation's information assets. The degree of difficulty in achieving this level of personal responsibility will vary from one organisation to another, but however it is achieved, the strength of the company's security can improve dramatically.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
