Endpoint
7/2/2013
01:57 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

3 Steps For SMBs To Tame Their Mobile Threats

Before jumping into managing employees' smartphones and tablets, companies should try a few other ways of protecting their data from nonbusiness-owned devices

Mobile device management gives companies a great deal of control over employees' devices, but for small and midsize businesses (SMBs) that are embracing the bring-your-own-device movement, the technology can be too much complexity for too little gain.

Apart from the difficulties in implementing a mobile device management (MDM) solution, mixing the technology with employee-owned devices poses pitfalls for companies, especially smaller ones.

"Do you want to become responsible for my employees' mobile devices? Do you want your IT department inside your mobile users' lives? If the answer to those questions is no, then you don't want mobile device management," says Jonathan Sander, director of identity and access management strategy at Dell.

Currently, 61 percent of SMBs allow employees to use their own devices -- a number that is set to jump to nearly 70 percent by the end of the year, according to Spiceworks, an IT community and service firm. The majority of those businesses have no specific solution for tracking their workers' mobile devices because -- for the most part -- they do not see a true need for a mobile-device management (MDM) solution, says Kathryn Pribish, the manager in charge of Spiceworks' Voice of IT survey group. In a May 2013 survey of BYOD trends in small businesses, the company discovered that 56 percent of companies had no plans to implement mobile device management in the next six months.

SMBs can tackle the trend without adding too much complexity to their information-technology manager's workload, she says.

"There is a realization that this is happening, and they need to deal with it, rather than trying to say, 'That is not going to happen in our company,'" Pribish says.

Three basic strategies can bridge the gap from having no plan to managing employees' devices:

1. Admit you have a problem
More than 80 percent of employees use a personal device for work, according to a study conducted by Harris Interactive and funded by security firm ESET. Managers who assert that employees are not using their personally owned devices for business are in denial, says Dell's Sander.

"Whenever a prospective client tells me that, it makes me want to walk them through their building and show them what their employees are using in their cubicles," he says.

Business and information-technology managers need to accept that employees are using personal devices for work and start planning a strategy for keeping the business secure. In general, the smaller the company, the more accepting they are of the trend: Sixty-three percent of companies with fewer than 20 employees have positive reactions to the employees bringing in their own devices, compared to only 44 percent of companies with more than 250 employees, according to Spiceworks.

Next, managers and executives have to sit down and craft a plan to deal with the influx of new devices, says Spiceworks' Pribish.

"It is really important to bring the right parties to the table so the company and the department can make the right decisions based on the types of information being accessed from those devices," she says.

2. Educate your users
Employees need to be on board as well. Workers who do not understand the security considerations of accessing business data with their personal devices should not be doing it, says Kevin Haley, director of Symantec's security response group.

It's not an easy task: Just convincing employees to lock their phone is hard, never mind other "onerous actions," he says.

"The amount of hassle that an employee can become over just the requirement to set their PIN code is enormous, and that's just the PIN code," Haley says.

[Straight-shooting advice -- and some out-of-the-box thinking -- on how smaller companies can save money on security while doing it better. See 5 Ways For SMBs To Boost Security But Not Costs.]

Despite that, every user should have a passcode on his mobile device and the ability to wipe the device remotely, say Haley. Companies should also not let users bring in jailbroken phones inside their networks. Finally, companies should attempt to entice users to use more secure applications -- such as file sharing and e-mail -- to handle business data.

"Lots of these IT pros have a lot going on, so they have not had time to educate their users," says Spiceworks' Pribish. "But there is a huge opportunity here to make this much simpler, and make it easier to monitor and manage the mobile devices that are coming into the organization."

3. Force devices to use a separate network
Finally, even if employees bring their devices into the building, they should not be given internal access to the network, says Dell's Sander. By building a virtual LAN or guest network that connects out to the Internet, companies can make sure that devices are kept off the internal network.

In addition, by managing and monitoring the guest network, companies can both learn about their employees' needs and detect possible security threats, says Sander.

"Scan the device, figure out what is on it, and whether those applications are acceptable," he says. "Does it have the latest patches? There is a lot you can do without being invasive."

Once companies understand how employees are using their devices and to what corporate resources they are connecting, then they can make a more informed decision about whether to adopt more involved technology to deal with personal devices in the workplace.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
7/18/2013 | 7:30:34 AM
re: 3 Steps For SMBs To Tame Their Mobile Threats
I believe the most threatening of security risks to the enterprise outside malicious or unknowing insiders are clearly malicious third-party applications that often use sensitive user data. These applications take control over mobile devices for personal data retrieval, UI impersonation, unauthorized dialing and payments, or unauthorized network connectivity. Check this article for few quick ways IT security professionals should respond to these increasing threats to enforce security controls on mobile devices and social media networks http://blog.securityinnovation...
anon7046545777
50%
50%
anon7046545777,
User Rank: Apprentice
7/3/2013 | 3:19:36 PM
re: 3 Steps For SMBs To Tame Their Mobile Threats
Gaining control over mobile vulnerabilities needs to be a priority as mobility continues to gain traction. According to the HP Cyber Risk Report, 48 percent of all mobile apps are vulnerable to unauthorized access.

Peter Fretty, IDG blogger working on HP's behalf
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5704
Published: 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVE-2013-5705
Published: 2014-04-15
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2014-0341
Published: 2014-04-15
Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to ob...

CVE-2014-0342
Published: 2014-04-15
Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0348
Published: 2014-04-15
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding...

Best of the Web