
3 Steps For SMBs To Tame Their Mobile Threats

Before jumping into managing employees' smartphones and tablets, companies should try a few other ways of protecting their data from nonbusiness-owned devices.

Mobile device management gives companies a great deal of control over employees' devices, but for small and midsize businesses (SMBs) that are embracing the bring-your-own-device movement, the technology can be too much complexity for too little gain.

Apart from the difficulties in implementing a mobile device management (MDM) solution, mixing the technology with employee-owned devices poses pitfalls for companies, especially smaller ones.

"Do you want to become responsible for my employees' mobile devices? Do you want your IT department inside your mobile users' lives? If the answer to those questions is no, then you don't want mobile device management," says Jonathan Sander, director of identity and access management strategy at Dell.

Currently, 61 percent of SMBs allow employees to use their own devices -- a number that is set to jump to nearly 70 percent by the end of the year, according to Spiceworks, an IT community and service firm. The majority of those businesses have no specific solution for tracking their workers' mobile devices because -- for the most part -- they do not see a true need for a mobile-device management (MDM) solution, says Kathryn Pribish, the manager in charge of Spiceworks' Voice of IT survey group. In a May 2013 survey of BYOD trends in small businesses, the company discovered that 56 percent of companies had no plans to implement mobile device management in the next six months.

SMBs can tackle the trend without adding too much complexity to their information-technology manager's workload, she says.

"There is a realization that this is happening, and they need to deal with it, rather than trying to say, 'That is not going to happen in our company,'" Pribish says.

Three basic strategies can bridge the gap from having no plan to managing employees' devices:

1. Admit you have a problem
More than 80 percent of employees use a personal device for work, according to a study conducted by Harris Interactive and funded by security firm ESET. Managers who assert that employees are not using their personally owned devices for business are in denial, says Dell's Sander.

"Whenever a prospective client tells me that, it makes me want to walk them through their building and show them what their employees are using in their cubicles," he says.

Business and information-technology managers need to accept that employees are using personal devices for work and start planning a strategy for keeping the business secure. In general, the smaller the company, the more accepting it is of the trend: Sixty-three percent of companies with fewer than 20 employees have positive reactions to employees bringing in their own devices, compared to only 44 percent of companies with more than 250 employees, according to Spiceworks.

Next, managers and executives have to sit down and craft a plan to deal with the influx of new devices, says Spiceworks' Pribish.

"It is really important to bring the right parties to the table so the company and the department can make the right decisions based on the types of information being accessed from those devices," she says.

2. Educate your users
Employees need to be on board as well. Workers who do not understand the security considerations of accessing business data with their personal devices should not be doing it, says Kevin Haley, director of Symantec's security response group.

It's not an easy task: Just convincing employees to lock their phone is hard, never mind other "onerous actions," he says.

"The amount of hassle that an employee can become over just the requirement to set their PIN code is enormous, and that's just the PIN code," Haley says.

Despite that, every user should have a passcode on his mobile device and the ability to wipe the device remotely, says Haley. Companies should also not let users bring jailbroken phones onto their networks. Finally, companies should attempt to entice users to use more secure applications -- such as file sharing and e-mail -- to handle business data.

"Lots of these IT pros have a lot going on, so they have not had time to educate their users," says Spiceworks' Pribish. "But there is a huge opportunity here to make this much simpler, and make it easier to monitor and manage the mobile devices that are coming into the organization."

3. Force devices to use a separate network
Finally, even if employees bring their devices into the building, they should not be given access to the internal network, says Dell's Sander. By building a virtual LAN or guest network that connects out to the Internet, companies can make sure that devices are kept off the internal network.

In addition, by managing and monitoring the guest network, companies can both learn about their employees' needs and detect possible security threats, says Sander.

"Scan the device, figure out what is on it, and whether those applications are acceptable," he says. "Does it have the latest patches? There is a lot you can do without being invasive."

Once companies understand how employees are using their devices and to what corporate resources they are connecting, then they can make a more informed decision about whether to adopt more involved technology to deal with personal devices in the workplace.
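
One way to check that a guest network like the one described in step 3 really keeps personal devices off the internal network, as an added example that is not part of the original article: a short Python audit over firewall flow records. The subnets, gateway address, log format and sample records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (illustrative, not from the article).
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")        # BYOD / guest VLAN
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY = ipaddress.ip_address("192.168.50.1")
ALLOWED_LOCAL = {(GATEWAY, 53), (GATEWAY, 67)}             # DNS and DHCP on the gateway

# Constructed sample flow records: "src dst dport action"
SAMPLE_FLOWS = """\
192.168.50.23 203.0.113.10 443 ALLOW
192.168.50.23 192.168.50.1 53 ALLOW
192.168.50.40 10.0.5.12 445 ALLOW
192.168.50.40 10.0.5.12 3389 DENY
192.168.50.41 192.168.50.23 5353 ALLOW
10.0.5.99 10.0.5.12 445 ALLOW
"""

def classify(src, dst, dport, action):
    """Return a finding string for one flow, or None if it is expected."""
    if src not in GUEST_NET or (dst, dport) in ALLOWED_LOCAL:
        return None                      # not a guest device, or a needed local service
    if dst in GUEST_NET:                 # checked first: the guest VLAN sits inside 192.168.0.0/16
        return "guest-to-guest traffic: client isolation is off" if action == "ALLOW" else None
    if any(dst in net for net in INTERNAL_NETS):
        if action == "ALLOW":
            return "isolation failure: guest reached internal host"
        return "blocked attempt to reach internal host"
    return None                          # ordinary Internet-bound traffic

def audit_guest_flows(log_text):
    """Parse flow records and return (src, dst, dport, finding) tuples."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                     # skip blank or malformed records
        try:
            src, dst = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
            dport = int(fields[2])
        except ValueError:
            continue
        finding = classify(src, dst, dport, fields[3].upper())
        if finding:
            findings.append((str(src), str(dst), dport, finding))
    return findings

if __name__ == "__main__":
    for f in audit_guest_flows(SAMPLE_FLOWS):
        print(*f)
```

An allowed flow from the guest range to an internal address means the segmentation rule is missing or misordered; repeated blocked attempts from one device are a reason to look at that device more closely.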
