Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

3 Steps For SMBs To Tame Their Mobile Threats

Before jumping into managing employees' smartphones and tablets, companies should try a few other ways of protecting their data from nonbusiness-owned devices

Mobile device management gives companies a great deal of control over employees' devices, but for small and midsize businesses (SMBs) that are embracing the bring-your-own-device movement, the technology can be too much complexity for too little gain.

Apart from the difficulties in implementing a mobile device management (MDM) solution, mixing the technology with employee-owned devices poses pitfalls for companies, especially smaller ones.

"Do you want to become responsible for my employees' mobile devices? Do you want your IT department inside your mobile users' lives? If the answer to those questions is no, then you don't want mobile device management," says Jonathan Sander, director of identity and access management strategy at Dell.

Currently, 61 percent of SMBs allow employees to use their own devices -- a number that is set to jump to nearly 70 percent by the end of the year, according to Spiceworks, an IT community and service firm. The majority of those businesses have no specific solution for tracking their workers' mobile devices because -- for the most part -- they do not see a true need for a mobile-device management (MDM) solution, says Kathryn Pribish, the manager in charge of Spiceworks' Voice of IT survey group. In a May 2013 survey of BYOD trends in small businesses, the company discovered that 56 percent of companies had no plans to implement mobile device management in the next six months.

SMBs can tackle the trend without adding too much complexity to their information-technology manager's workload, she says.

"There is a realization that this is happening, and they need to deal with it, rather than trying to say, 'That is not going to happen in our company,'" Pribish says.

Three basic strategies can bridge the gap from having no plan to managing employees' devices:

1. Admit you have a problem
More than 80 percent of employees use a personal device for work, according to a study conducted by Harris Interactive and funded by security firm ESET. Managers who assert that employees are not using their personally owned devices for business are in denial, says Dell's Sander.

"Whenever a prospective client tells me that, it makes me want to walk them through their building and show them what their employees are using in their cubicles," he says.

Business and information-technology managers need to accept that employees are using personal devices for work and start planning a strategy for keeping the business secure. In general, the smaller the company, the more accepting they are of the trend: Sixty-three percent of companies with fewer than 20 employees have positive reactions to the employees bringing in their own devices, compared to only 44 percent of companies with more than 250 employees, according to Spiceworks.

Next, managers and executives have to sit down and craft a plan to deal with the influx of new devices, says Spiceworks' Pribish.

"It is really important to bring the right parties to the table so the company and the department can make the right decisions based on the types of information being accessed from those devices," she says.

2. Educate your users
Employees need to be on board as well. Workers who do not understand the security considerations of accessing business data with their personal devices should not be doing it, says Kevin Haley, director of Symantec's security response group.

It's not an easy task: Just convincing employees to lock their phone is hard, never mind other "onerous actions," he says.

"The amount of hassle that an employee can become over just the requirement to set their PIN code is enormous, and that's just the PIN code," Haley says.

[Straight-shooting advice -- and some out-of-the-box thinking -- on how smaller companies can save money on security while doing it better. See 5 Ways For SMBs To Boost Security But Not Costs.]

Despite that, every user should have a passcode on his mobile device and the ability to wipe the device remotely, say Haley. Companies should also not let users bring in jailbroken phones inside their networks. Finally, companies should attempt to entice users to use more secure applications -- such as file sharing and e-mail -- to handle business data.

"Lots of these IT pros have a lot going on, so they have not had time to educate their users," says Spiceworks' Pribish. "But there is a huge opportunity here to make this much simpler, and make it easier to monitor and manage the mobile devices that are coming into the organization."

3. Force devices to use a separate network
Finally, even if employees bring their devices into the building, they should not be given internal access to the network, says Dell's Sander. By building a virtual LAN or guest network that connects out to the Internet, companies can make sure that devices are kept off the internal network.

In addition, by managing and monitoring the guest network, companies can both learn about their employees' needs and detect possible security threats, says Sander.

"Scan the device, figure out what is on it, and whether those applications are acceptable," he says. "Does it have the latest patches? There is a lot you can do without being invasive."

Once companies understand how employees are using their devices and to what corporate resources they are connecting, then they can make a more informed decision about whether to adopt more involved technology to deal with personal devices in the workplace.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JohnF513
50%
50%
JohnF513,
User Rank: Apprentice
7/13/2014 | 12:57:11 AM
Threaths are unavoidable
The threaths for mobile divices are many. There are the threaths like bugs for instance insufficient storage available that are annoying but harmless. But on the ather hand the real threaths we had with the PC's are unavoidable in the cell and Andoid phones and neads to be taken serious.
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
7/18/2013 | 7:30:34 AM
re: 3 Steps For SMBs To Tame Their Mobile Threats
I believe the most threatening of security risks to the enterprise outside malicious or unknowing insiders are clearly malicious third-party applications that often use sensitive user data. These applications take control over mobile devices for personal data retrieval, UI impersonation, unauthorized dialing and payments, or unauthorized network connectivity. Check this article for few quick ways IT security professionals should respond to these increasing threats to enforce security controls on mobile devices and social media networks http://blog.securityinnovation...
anon7046545777
50%
50%
anon7046545777,
User Rank: Apprentice
7/3/2013 | 3:19:36 PM
re: 3 Steps For SMBs To Tame Their Mobile Threats
Gaining control over mobile vulnerabilities needs to be a priority as mobility continues to gain traction. According to the HP Cyber Risk Report, 48 percent of all mobile apps are vulnerable to unauthorized access.

Peter Fretty, IDG blogger working on HP's behalf
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.