3 Steps For SMBs To Tame Their Mobile Threats

Before jumping into managing employees' smartphones and tablets, companies should try a few other ways of protecting their data from nonbusiness-owned devices

Mobile device management gives companies a great deal of control over employees' devices, but for small and midsize businesses (SMBs) that are embracing the bring-your-own-device movement, the technology can be too much complexity for too little gain.

Apart from the difficulties in implementing a mobile device management (MDM) solution, mixing the technology with employee-owned devices poses pitfalls for companies, especially smaller ones.

"Do you want to become responsible for my employees' mobile devices? Do you want your IT department inside your mobile users' lives? If the answer to those questions is no, then you don't want mobile device management," says Jonathan Sander, director of identity and access management strategy at Dell.

Currently, 61 percent of SMBs allow employees to use their own devices -- a number that is set to jump to nearly 70 percent by the end of the year, according to Spiceworks, an IT community and service firm. The majority of those businesses have no specific solution for tracking their workers' mobile devices because -- for the most part -- they do not see a true need for a mobile-device management (MDM) solution, says Kathryn Pribish, the manager in charge of Spiceworks' Voice of IT survey group. In a May 2013 survey of BYOD trends in small businesses, the company discovered that 56 percent of companies had no plans to implement mobile device management in the next six months.

SMBs can tackle the trend without adding too much complexity to their information-technology manager's workload, she says.

"There is a realization that this is happening, and they need to deal with it, rather than trying to say, 'That is not going to happen in our company,'" Pribish says.

Three basic strategies can bridge the gap from having no plan to managing employees' devices:

1. Admit you have a problem
More than 80 percent of employees use a personal device for work, according to a study conducted by Harris Interactive and funded by security firm ESET. Managers who assert that employees are not using their personally owned devices for business are in denial, says Dell's Sander.

"Whenever a prospective client tells me that, it makes me want to walk them through their building and show them what their employees are using in their cubicles," he says.

Business and information-technology managers need to accept that employees are using personal devices for work and start planning a strategy for keeping the business secure. In general, the smaller the company, the more accepting it is of the trend: Sixty-three percent of companies with fewer than 20 employees react positively to employees bringing in their own devices, compared to only 44 percent of companies with more than 250 employees, according to Spiceworks.

Next, managers and executives have to sit down and craft a plan to deal with the influx of new devices, says Spiceworks' Pribish.

"It is really important to bring the right parties to the table so the company and the department can make the right decisions based on the types of information being accessed from those devices," she says.

2. Educate your users
Employees need to be on board as well. Workers who do not understand the security considerations of accessing business data with their personal devices should not be doing it, says Kevin Haley, director of Symantec's security response group.

It's not an easy task: Just convincing employees to lock their phone is hard, never mind other "onerous actions," he says.

"The amount of hassle that an employee can become over just the requirement to set their PIN code is enormous, and that's just the PIN code," Haley says.

Despite that, every user should have a passcode on his mobile device and the ability to wipe the device remotely, says Haley. Companies should also not let users bring jailbroken phones into their networks. Finally, companies should attempt to entice users to use more secure applications -- such as file sharing and e-mail -- to handle business data.

"Lots of these IT pros have a lot going on, so they have not had time to educate their users," says Spiceworks' Pribish. "But there is a huge opportunity here to make this much simpler, and make it easier to monitor and manage the mobile devices that are coming into the organization."

3. Force devices to use a separate network
Finally, even if employees bring their devices into the building, they should not be given internal access to the network, says Dell's Sander. By building a virtual LAN or guest network that connects out to the Internet, companies can make sure that devices are kept off the internal network.

In addition, by managing and monitoring the guest network, companies can both learn about their employees' needs and detect possible security threats, says Sander.

"Scan the device, figure out what is on it, and whether those applications are acceptable," he says. "Does it have the latest patches? There is a lot you can do without being invasive."

Once companies understand how employees are using their devices and to what corporate resources they are connecting, then they can make a more informed decision about whether to adopt more involved technology to deal with personal devices in the workplace.
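
As an added illustration of step 3 (not code from the article or from any vendor it quotes), the following Python script checks a first-match firewall rule list for allow rules that would let a guest/BYOD subnet reach internal ranges. The subnets, the `Rule` tuple and both rule lists are constructed for the example; the check is conservative and reports a rule unless an earlier deny fully covers it.

```python
import ipaddress as ip
from typing import NamedTuple

class Rule(NamedTuple):          # hypothetical rule shape, first match wins
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR (IPv4)
    dst: str                     # destination CIDR (IPv4)

def _overlap(a, b):
    """Intersection of two CIDR blocks: the smaller block, or None if disjoint."""
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def guest_leaks(rules, guest_cidr, internal_cidrs):
    """List (rule_index, src, dst) slices where guest traffic can reach internal ranges."""
    guest = ip.ip_network(guest_cidr)
    internal = [ip.ip_network(c) for c in internal_cidrs]
    parsed = [(r.action, ip.ip_network(r.src), ip.ip_network(r.dst)) for r in rules]
    leaks = []
    for i, (action, src, dst) in enumerate(parsed):
        s = _overlap(src, guest)
        if action != "allow" or s is None:
            continue
        for net in internal:
            d = _overlap(dst, net)
            if d is None:
                continue
            # Conservative: the slice is safe only if an earlier deny covers all of it.
            shadowed = any(a == "deny" and s.subnet_of(ps) and d.subnet_of(pd)
                           for a, ps, pd in parsed[:i])
            if not shadowed:
                leaks.append((i, str(s), str(d)))
    return leaks

# Constructed sample values: guest VLAN subnet and two internal ranges.
GUEST = "192.168.50.0/24"
INTERNAL = ["10.0.0.0/16", "172.16.10.0/24"]
# Weak: "guest may go anywhere" also matches internal destinations.
WEAK = [Rule("allow", GUEST, "0.0.0.0/0")]
# Corrected: deny private ranges first, then allow the Internet.
FIXED = [Rule("deny", GUEST, "10.0.0.0/8"),
         Rule("deny", GUEST, "172.16.0.0/12"),
         Rule("deny", GUEST, "192.168.0.0/16"),
         Rule("allow", GUEST, "0.0.0.0/0")]

if __name__ == "__main__":
    print("weak :", guest_leaks(WEAK, GUEST, INTERNAL))
    print("fixed:", guest_leaks(FIXED, GUEST, INTERNAL))
```

Rule order matters under first-match evaluation: an allow placed ahead of the deny rules is still reported, which is the usual way a guest network ends up with a path to an internal server.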

Comments
JohnF513,
User Rank: Apprentice
7/13/2014 | 12:57:11 AM
Threats are unavoidable
The threats for mobile devices are many. There are threats like bugs, for instance insufficient storage available, that are annoying but harmless. But on the other hand, the real threats we had with PCs are unavoidable in cell and Android phones and need to be taken seriously.
MROBINSON000,
User Rank: Apprentice
7/18/2013 | 7:30:34 AM
re: 3 Steps For SMBs To Tame Their Mobile Threats
I believe the most threatening of security risks to the enterprise outside malicious or unknowing insiders are clearly malicious third-party applications that often use sensitive user data. These applications take control over mobile devices for personal data retrieval, UI impersonation, unauthorized dialing and payments, or unauthorized network connectivity. Check this article for a few quick ways IT security professionals should respond to these increasing threats to enforce security controls on mobile devices and social media networks http://blog.securityinnovation...
anon7046545777,
User Rank: Apprentice
7/3/2013 | 3:19:36 PM
re: 3 Steps For SMBs To Tame Their Mobile Threats
Gaining control over mobile vulnerabilities needs to be a priority as mobility continues to gain traction. According to the HP Cyber Risk Report, 48 percent of all mobile apps are vulnerable to unauthorized access.

Peter Fretty, IDG blogger working on HP's behalf