Greetings Fellow Security Members,
We are currently in the process of rolling out and enabling MFA for all Office365 accounts/users.
For those who've already done so, what strategy or approach have you taken for employees who
refuses to setup MFA on personally-owned devices?
Thanks in advance!
@JKWiniger you certainly make an interesting point. It's very easy for someone to dismiss another persons solution, but asking for feedback/recommendations do make those folks think about it in a different way. I think I'll start implementing your strategy moving forward, which opens the door for deeper conversation and where I can get staff more engaged in the thought process and strategy behind our solution selections & implementation.
I'm fairly confident I'll see some of the same the results you've experienced where folks are more agreeable.
I agree with this approach. What it really comes down to is if the company deems it wants to go with MFA to increase security, either for compliance reasons or just to enhance their security then that is what happens. A policy is made and it gets implemented. The use of a personal devices varies from company to company, some pay for the device and the bill others do not. I think it really comes down to how much the device would be used for company business. One could argue that your boss couldn't call you on your cell because that would be using it for business. It's all a matter of where you draw the line.
For us, it was to increase security. We typically hand out COPE, company owned personally enabled, mobile phones for workers who need to always be connected.
@CISSP-Surf I haven't really thought this out long term because we would never, at least not at this point, have BYOD in our regulated environment but maybe adding an extra $5-$10 a paycheck for staff who choose to use their own devices? Just as an incentive for saving the company money.
I think what is really needed to find find out why people object to is and asking them what solutions they would suggest. You can come up with a lot of different solutions but if you don't communicate that this is now required and work with them to negotiate an acceptable solution or compromise you might just end up going in circles, but if the end, this is our policy, then end!
I would like to know what other think about this, a level of acceptance is always needed but there are always those who just try to refuse changes and sadly sometimes those people may need to find a different place.
Just my .02
@JKWiniger This part in bold will enhance any CISSP's career. If y'all do not get anything else from this conversation understand the part in bold above. Find out why people are objecting to whatever security idea, policy, procedure, whatever, you are proposing or enforcing..
Maybe they have a misconception and think that if they have MFA on their personal phone then they will be required to do work on personal time, or that they can be tracked by the company, or that by having this on their phone it opens the possibility of their phone being seized if a lawsuit happens, etc..
I have seen more InfoSec careers derailed by people not understanding this principle of "Seek first to understand and then to be understood" and just trying to force security on people.
Infosec is not tyranny, it is symmetry.
Hmmm I never really thought about providing some incentive for not only saving the company money long term, but also to create internal ambassadors to assist us with getting others on the same page. Thank you for sharing these insights with us!
I just want to take a moment to thank the newer people for contributing and starting this thread. To me, it's really why we are here, to think about things and try to think of what we could or should be doing! So thank you and please keep it up!