Getting security right is about more than technology: getting people to understand the issues is just as important.
President Trump may still be using his old Android phone, as opposed to the new, secure one given him by the Secret Service.
Image: Matt Rourke, AP
Rarely has a single smartphone generated so much excitement as the one used by President Trump.
Earlier this month it was reported that the President had swapped his Android phone for a more secure encrypted device approved by the Secret Service. President Obama was given a similar device, which could not take photos, play music, or even send text messages, because of security concerns. But it looks like President Trump’s old phone has made at least one re-appearance.
According to the New York Times, President Trump has been using his old Android device to tweet while watching TV:
Mr. Trump’s wife, Melania, went back to New York on Sunday night with their 10-year-old son, Barron, and so Mr. Trump has the television — and his old, unsecured Android phone, to the protests of some of his aides — to keep him company. That was the case after 9 p.m. on Tuesday, when Mr. Trump appeared to be reacting to Bill O’Reilly’s show on Fox News, which was airing a feature on crime in Chicago.
It’s perhaps no surprise, as President Trump generated so much momentum during his campaign with his tweets. However, the news has raised concerns: smartphone security is still a work in progress, even for state-of-the-art devices, which is exactly why government agencies spend so much on security-hardened phones that can be carried safely in secure environments like the White House.
Even if this outing for the old Android was a one-off, it’s also a reminder to all that security policies might be easy to write, but they’re hard to get right, and even harder to enforce.
Firstly, if a company’s security policy is so strict that it stops people from doing their jobs (or from tweeting while watching TV), then chances are they will either try to get around it, or simply ignore it.
Policies need to understand the reality of life day-to-day, as well as the security risks your organization faces. That means they need to be developed with the users, not in spite of them.
Banning certain actions (like using cloud services or personal devices) may well be appropriate from a security point of view but may be a disaster for productivity or morale. So the security policy (and infrastructure) may have to change or be updated on a regular basis, otherwise they risk encouraging bad behaviors, not stopping them.
And even if an organization has a security policy that makes sense for most staff, there will be those who will consider themselves to be the exception, either because they think they are too smart or because they are too senior. It’s tough for junior staff tasked with security to criticize the chief executive — or the President — for using the wrong device.
This is why it’s important for everyone to understand the security threat level for each organization: a small business will face different threats to a school, or a big business, or a government agency. Understanding the consequences of a security leak will help concentrate the mind of everyone from top to bottom.
Education is the key, both helping staff to understand what risky behaviors are, and what the consequences might be. Technology, while important, is only part of the problem.