I spent this weekend like I do many weekends: at a soccer tournament where one of my daughters played. It usually means at least three hours outside, but it's a fair bit of fun. As it's just the first week of April, it was still pretty cool; the high for the first day didn't go above 52 degrees, with a stiff wind blowing the entire day. It was a good day, my daughter's team didn't give up any goals, and it tied the first game and won the second.
It wasn't until I got home that I realized the damage that had been done. One look in the mirror was enough to tell me that I had a big sunburn on my face, complete with the white skin around my eyes thanks to the sunglasses protecting that patch of my face. It's not unlike what happens with many people when they go mobile.
They look for the experience to be as frictionless as possible. The first thing they worry about is whether they can get their email, calendar, and contacts on their device. Then they start asking for more information. They want to be able to work wherever they are. Quickly, though, they start to push back against existing corporate policies. The first bit of pushback always concerns signing into the device. Most organizations require that users have a passcode on their device. It is the first line of defense for most devices: A casual user can't log into it if they find it, and for many devices, it kickstarts the encryption process.
But many users react to that requirement very much as I did at the soccer game this weekend: It really wasn't hot out, it's too early in the season, I was only going to be in the open for a short time. I told myself all those great excuses to rationalize why I hadn't applied sunblock. To be fair, I really didn't think about it -- I felt no need and gave it no significant thought.
That's no different from what users think regarding their smartphones. They aren't the type to ever lose their phone, they never leave it unattended for anyone to pick up, no one would ever want to steal their device -- the list goes on. As human beings, we are very good at rationalizing. As someone said to me when I was quite young, it is very easy to tell rational lies to yourself.
It isn't until an incident happens to a user that he or she starts to see the issues. When I went to the second day of my daughter's tournament, you bet I put on sunscreen. I had no desire to run the risk or make myself any worse. A similar lesson from a bad experience happened to my daughter's coach: His apartment was broken into on Friday night. A deadbolt was installed on Saturday, and he asked what he could do to protect his laptop in the future because his had been stolen.
The sad bit is that even though we can train our users six different ways to Sunday, unless they can internalize the experience of losing their device or having it compromised, it is very difficult to get them to follow form.
However, that human reality doesn't mean we can't force the issue by using mobile device management (MDM) tools or Exchange ActiveSync password policies. But doing so will cause more grumbling or even employees avoiding the use of personal devices in a corporate setting, reducing their work flexibility and availability.
It is a lot easier to win users over to your side of security when you make the issue about them. When you talk to your users, especially if you have a BYOD program, spend less time talking about the corporate data and more time focusing on their personal data. Do they want someone to be able to get into their bank account? How about if a thief could post on Facebook or Twitter as them? Have discussions about the kind of data they keep on their phone and teach them to protect that. You get to protect your corporate data too, but your users will care about their own stuff.
When you show users what's in it for them, you have a better shot that they will buy into the program. It's always easy to get a sunburn, but it's even easier to protect yourself against one if you know why you're doing it and when you need to.
This article, "When users protect their data, they protect the business's data, too," originally appeared at A Screw's Loose and is republished at CITEworld with permission (© Brian Katz).