Can you train your way to mobile security?


While attending the Federal Mobile Computing Summit in Washington, D.C., I noticed several panelists touting the virtues of employee training as a way to ensure security on agency-provisioned and employee-provided mobile devices.

Everything is shared and open for the next generation coming into government, said D.J. Kachman, mobile infrastructure and device director at the Veterans Affairs Department, referring to 21-year-olds who aren't always the best at enabling their Facebook privacy settings.

"Convincing them that the data they are trusted with for a veteran or some other citizen is something that is private, that has to be kept private and you don't want it out there," is critical said Kachman. "We have to educate users."

Not all security experts believe training is a worthwhile effort, however.

A recent column in CSO Magazine from Dave Aitel, of Immunity Inc. cites West Point's attempt to train students to be more resilient against phishing schemes. The effort failed miserably, with 90 percent of students who completed training still falling for social engineering ploys.

In many ways mobile is no different than any other technology and, while training is commendable, agencies must be prepared for non-compliance. The prevalence of consumer devices in the workplace could make it even more likely employees will revert back to their lax, consumer behaviors.

Perhaps agencies should emphasize planning for the eventual failure of workers to comply with security training rather than hope they can teach an old dog new tricks. - Molly