One of the big advantages SMBs often have over their larger competitors is the ability to stay nimble. But when it comes to technology, that flexibility may come with strings attached. Take mobility, for instance. Whether they choose BYOD or to issue phones to employees, they may end up overlooking security in the drive to stay competitive.

"SMBs often already have their hands full with managing the demands of their traditional IT infrastructure and endpoints," says Andy Singer, director of the SMB group at Symantec. "Add mobility to the mix and often overtaxed IT staffs become spread even thinner."

And that thin coverage can add up to real effects to the bottom line. In fact, according to Symantec's State of Mobility Survey released earlier this year, SMBs' average losses associated with mobility incurred during 2011 equaled $126,000.

As SMBs seek to avoid those kinds of crippling penalties incurred through security lapses, they need to balance their nimbleness with the stability of risk mitigation. And that comes through foresight, policy planning, and best practices. Here are five of the most important considerations about mobile security experts recommend they weigh in their quest to achieve that balance.

1. Mobile Policy Development

The recent Ponemon Institute 2012 Global Study on Mobility Risks showed that only a little over a third of companies in the U.S. have developed any kind of acceptable mobile device usage policy. This number is undoubtedly smaller within the SMB space and is a glaring hole within SMB security strategies.

"The creation of policies that addresses mobile device security risks and outlines acceptable usage behavior by employees should be a top priority it today's BYOD world," says Sajal Sahay, senior director of product marketing for Rapid7 Mobilisafe.

That's because technology details might be important to enforcing security mandates, but without sound policy in place there's not much to enforce.

"While the technical details are a big piece of the mobile security puzzle, policies and procedures are equally – if not more – important," says Dave Glenn, executive vice president of security consultancy Creative Breakthroughs, Inc. "Make sure these policies and procedures are in place and that employees are trained appropriately."

Some of the key policies in place may specify how remote wipe procedures are to take place, how devices connect to the network, what the strength of encryption algorithms will be used, how users authenticate and what kind of devices users can connect to company resources.

2. Lost Device Contingencies

Compared to larger organizations, SMBs may not need the same granularity or scope in a mobile device management practices, but according to Lee Cocking, vice president of corporate strategy for Fixmo, there are a few bare minimums smaller businesses should be looking to control.

"An SMB doesn't need as much control as a large enterprise typically, but leveraging MDM capability to lock (and) wipe devices, and container technology to protect confidential business information should be on their radar," Cocking says.

Not only that, but the business really has to educate employees about what they put at risk when they lose devices and give them a way to report lost or stolen devices so those lock and wipe functions can be activated.

"End users should be trained and have access to a 24x7 hotline to report their device lost or stolen so that it can be remotely tracked and/or disabled," says Justin Clarke, senior security researcher for Cylance. "With positive confirmation of a remote wipe, an organization may be able to avoid having to report loss of sensitive data [to regulatory bodies]."

3. App Safety

Reports keep streaming in about the increasingly hostile malware environment facing mobile device users, particularly those using Android devices. At a bare minimum, Singer of Symantec recommends SMBs lay down the law and ban jailbroken or rooted devices, which "have security holes that leave them vulnerable to attack."

In the same vein, mobile security software is a must, he says.

[Hackers fixate on SQL injections--CSOs, not so much. See The SQL Injection Disconnection.]

"Mobile devices connecting to company resources should have mobile security software installed and have their encryption features activated," Singer says.

Also, small business leaders need to remember that users are still subject to the same scams as they would be on their PCs, so anti-phishing training is crucial to heading off future mobile attacks. But perhaps most important is policing how and where employees download their apps.

"Only use app marketplaces hosted by well-known, legitimate vendors for downloading and installing apps," Singer says. "Mobile malware authors often use unregulated, third-party app stores to peddle malware."

4. Data Control

According to Jonathan Sander, director of IAM business development at Quest Software, now a part of Dell, "BYOD security is data security."

As he puts it, the size of an organization doesn't change the value of the data and, especially in highly regulated environments, the risks of mobility are high regardless of whether there are 40 or 4,040 employees.

"What does matter is the types of business data and applications mobile workers need to access on their devices and what the potential security or compliance ramifications are if that data leaks or is compromised," says Tyler Lessard, CMO of Fixmo.

This means that first and foremost, organizations have got to do a formal assessment of which employees need access to what data through their devices. Understanding how the data will be touched will allow them to then decide what the security measures will be needed to protect that data, he says.

"For organizations that have highly sensitive information that may be accessed on mobile devices owned by the employee, they need to look for ways to secure and protect those applications independent of the device itself," Lessard says, "such that those applications have strong password controls, the necessary data encryption applied, and are able to wiped from the device when the employee leaves the company without wiping their personal data."

5. Establish Secure Connections

How a device connects to corporate assets is also a critical consideration.

"Enterprises allowing mobile access from mobile devices should consider minimizing that risk by enforcing access to data through virtualization and enforcing VPN access to these resources with strong authentication," says Tom Flynn, vice president of online authentication at Gemalto North America.

Additional segmentation within the network may also be necessary to accommodate riskier mobile connections.

"There may be cases where third-party apps could perform malicious actions against internal corporate networks," says Clarke of Cylance. "At a minimum I'd recommend an IDS and firewall placed between any BYOD network and the rest of the corporate network."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.