
3 Steps For SMBs To Tame Their Mobile Threats

Before jumping into managing employees' smartphones and tablets, companies should try a few other ways of protecting their data from nonbusiness-owned devices

Mobile device management gives companies a great deal of control over employees' devices, but for small and midsize businesses (SMBs) that are embracing the bring-your-own-device movement, the technology can be too much complexity for too little gain.

Apart from the difficulties in implementing a mobile device management (MDM) solution, mixing the technology with employee-owned devices poses pitfalls for companies, especially smaller ones.

"Do you want to become responsible for my employees' mobile devices? Do you want your IT department inside your mobile users' lives? If the answer to those questions is no, then you don't want mobile device management," says Jonathan Sander, director of identity and access management strategy at Dell.

Currently, 61 percent of SMBs allow employees to use their own devices -- a number that is set to jump to nearly 70 percent by the end of the year, according to Spiceworks, an IT community and service firm. The majority of those businesses have no specific solution for tracking their workers' mobile devices because -- for the most part -- they do not see a true need for a mobile-device management (MDM) solution, says Kathryn Pribish, the manager in charge of Spiceworks' Voice of IT survey group. In a May 2013 survey of BYOD trends in small businesses, the company discovered that 56 percent of companies had no plans to implement mobile device management in the next six months.

SMBs can tackle the trend without adding too much complexity to their information-technology manager's workload, she says.

"There is a realization that this is happening, and they need to deal with it, rather than trying to say, 'That is not going to happen in our company,'" Pribish says.

Three basic strategies can bridge the gap from having no plan to managing employees' devices:

1. Admit you have a problem
More than 80 percent of employees use a personal device for work, according to a study conducted by Harris Interactive and funded by security firm ESET. Managers who assert that employees are not using their personally owned devices for business are in denial, says Dell's Sander.

"Whenever a prospective client tells me that, it makes me want to walk them through their building and show them what their employees are using in their cubicles," he says.

Business and information-technology managers need to accept that employees are using personal devices for work and start planning a strategy for keeping the business secure. In general, the smaller the company, the more accepting it is of the trend: Sixty-three percent of companies with fewer than 20 employees have positive reactions to employees bringing in their own devices, compared to only 44 percent of companies with more than 250 employees, according to Spiceworks.

Next, managers and executives have to sit down and craft a plan to deal with the influx of new devices, says Spiceworks' Pribish.

"It is really important to bring the right parties to the table so the company and the department can make the right decisions based on the types of information being accessed from those devices," she says.

2. Educate your users
Employees need to be on board as well. Workers who do not understand the security considerations of accessing business data with their personal devices should not be doing it, says Kevin Haley, director of Symantec's security response group.

It's not an easy task: Just convincing employees to lock their phone is hard, never mind other "onerous actions," he says.

"The amount of hassle that an employee can become over just the requirement to set their PIN code is enormous, and that's just the PIN code," Haley says.

Despite that, every user should have a passcode on his mobile device and the ability to wipe the device remotely, says Haley. Companies should also not let users bring jailbroken phones inside their networks. Finally, companies should attempt to entice users to use more secure applications -- such as file sharing and e-mail -- to handle business data.

"Lots of these IT pros have a lot going on, so they have not had time to educate their users," says Spiceworks' Pribish. "But there is a huge opportunity here to make this much simpler, and make it easier to monitor and manage the mobile devices that are coming into the organization."

3. Force devices to use a separate network
Finally, even if employees bring their devices into the building, they should not be given internal access to the network, says Dell's Sander. By building a virtual LAN or guest network that connects out to the Internet, companies can make sure that devices are kept off the internal network.

In addition, by managing and monitoring the guest network, companies can both learn about their employees' needs and detect possible security threats, says Sander.

"Scan the device, figure out what is on it, and whether those applications are acceptable," he says. "Does it have the latest patches? There is a lot you can do without being invasive."

Once companies understand how employees are using their devices and to what corporate resources they are connecting, then they can make a more informed decision about whether to adopt more involved technology to deal with personal devices in the workplace.
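The check below is an added example, not part of the original article: it audits gateway flow records from a guest network of the kind described in step 3, reporting flows that reached internal addresses (a segmentation gap) and blocked attempts to reach them (a device worth a closer look). The subnets, the "src dst dport action" record format, and the sample records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical): one guest/BYOD VLAN, RFC 1918 internal space.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in an assumed "src dst dport action" format.
SAMPLE_FLOWS = """\
192.168.50.23 93.184.216.34 443 ACCEPT
192.168.50.23 192.168.50.1 53 ACCEPT
192.168.50.41 10.0.0.15 445 ACCEPT
192.168.50.41 10.0.0.16 445 DROP
10.0.0.8 10.0.0.15 445 ACCEPT
this line is garbage and gets skipped
"""

def audit_guest_flows(text):
    """Return (line_no, kind, src, dst, dport) for guest flows aimed at internal hosts."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport, action = int(parts[2]), parts[3]
        except (IndexError, ValueError):
            continue  # malformed record: ignore rather than crash the audit
        if src not in GUEST_NET:
            continue  # only traffic originating on the guest VLAN is in scope
        if dst in GUEST_NET:
            continue  # gateway services (DNS, DHCP) stay inside the guest VLAN
        if not any(dst in net for net in INTERNAL_NETS):
            continue  # Internet-bound traffic is what the guest network is for
        # An allowed flow means the isolation rule has a hole; a dropped one
        # means the rule held but the device tried to reach an internal host.
        kind = "segmentation-gap" if action == "ACCEPT" else "blocked-attempt"
        findings.append((line_no, kind, str(src), str(dst), dport))
    return findings

if __name__ == "__main__":
    for finding in audit_guest_flows(SAMPLE_FLOWS):
        print(finding)
```
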

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

User Rank: Apprentice
7/13/2014 | 12:57:11 AM
Threats are unavoidable
The threats for mobile devices are many. There are the threats like bugs, for instance insufficient storage available, that are annoying but harmless. But on the other hand the real threats we had with the PCs are unavoidable in the cell and Android phones and need to be taken seriously.
User Rank: Apprentice
7/18/2013 | 7:30:34 AM
re: 3 Steps For SMBs To Tame Their Mobile Threats
I believe the most threatening of security risks to the enterprise outside malicious or unknowing insiders are clearly malicious third-party applications that often use sensitive user data. These applications take control over mobile devices for personal data retrieval, UI impersonation, unauthorized dialing and payments, or unauthorized network connectivity. Check this article for a few quick ways IT security professionals should respond to these increasing threats to enforce security controls on mobile devices and social media networks http://blog.securityinnovation...
User Rank: Apprentice
7/3/2013 | 3:19:36 PM
re: 3 Steps For SMBs To Tame Their Mobile Threats
Gaining control over mobile vulnerabilities needs to be a priority as mobility continues to gain traction. According to the HP Cyber Risk Report, 48 percent of all mobile apps are vulnerable to unauthorized access.

Peter Fretty, IDG blogger working on HP's behalf