BYOD and Mobile Security for Small Business

by Pam Baker

If you're not sure how to protect your small business from security threats posed by your employees’ personal mobile devices, we've got seven ways to help you keep your company data safe.

The bring-your-own-device (BYOD) trend provides both good and bad news for small business. Allowing employees to work using their own mobile devices saves small businesses a ton of money in device and carrier plan costs. However, personal mobile devices rank among the greatest security threats your company faces. Obviously, you need to reconcile these two extremes. More good news: you can do that affordably.

Before you begin constructing your mobile device management (MDM) strategy, keep in mind that security threats aren’t limited to external hackers. Your own employees can also pose a threat—intentional or inadvertent—to your company. Several studies show that data breeches come more commonly from internal sources, e.g., your employees, than from outside sources.

"Not a day goes by that my CTO doesn't remind me that he's up all night worrying about data security," says Joshua Weiss, CEO of TeliApp, a mobile application development firm. "Our primary data access is through a cloud, and we constantly backup our data locally and to a remote server. Still, an employee with access could potentially inflict significant damage if he or she truly wanted to do so."

Weiss says that the risks still exist, even though his company enjoys great relationships with its employees. "I take them because I have no choice. I suppose that I wouldn't be an entrepreneur if I wasn't willing to put myself out there and take a risk or two," he says.

Improving BYOD Mobile Security

While taking risks is a fact of life for entrepreneurs of all stripes, failing to contain them as best you can is an even bigger risk and an all-around bad idea.

In the case of addressing security risks on personal mobile devices, you can do quite a bit to curtail employee access to information and to thwart outside attackers. These seven mobile security best practices can help small businesses manage the personally owned devices in their company.

1. Make a policy and stick to it  

Write an official company policy that spells out exactly what you expect employees to do—and not to do—on and with their mobile devices.

"As with any IT management process, a technological solution is only half of the equation," says Timothy J. LaFleur, mobility and global events manager at the International Association of IT Asset Managers (IAITAM). "Having solid procedures in place to manage the people using the device is equally important."

This is especially true with mobile assets LaFleur points out because, more often than not, the installing, moving, adding, and changing process will fall to the mobile device owner rather than to an IT service manager.

"Any policy should include real-time communication and education channels to distribute information to mobile users," says LaFleur. Typically the information pertains to "hardware and software opportunities or issues that might occur due to an update or versioning that is out of the control of the company's IT service management department."

One word of warning: don’t make exceptions to your policy—not even for yourself or for key employees. You must set the example or everyone will ignore your policy. Oh, and you expose company data to outside threats if you and your top employees don’t follow security protocols, too.

2. Disconnect employees immediately when they leave your employ

Make sure you control how much data and exactly what data any given employee can access. Employees should never have access to more data than they need to get the job done. Also, be sure you have the means to disconnect or wipe company data from personal devices when an employee leaves the company—voluntarily or otherwise.

3. Don’t forget security basics

Be sure to deploy antivirus and malware solutions across all mobile devices. Rather than expect your busy staff (or your busy self) to maintain and upgrade the software as necessary, automate the process so that you know security software is in place and current on every device.

More Mobile Security Tips for Small Business BYOD

4. Leverage the built-in freebie security controls on devices

"All modern mobile devices have some built-in security controls, including some capabilities to manage many mobile devices together," says WatchGuard's director of security strategies, Corey Nachreiner.

These features include lock screens and the capability to wipe the device after a certain number of failed authentication attempts. Some devices even let you locate it via GPS.

"Several platforms include free tools that let you manage the configuration of many devices," says Nachreiner. "For example, Apple provides the iPhone Configuration Utility, which can help you create a profile to load onto your iOS devices. These tools may help you provide some simple security until you adopt the more modern BYOD technologies."

5. Use a Mobile Device Management (MDM) solution

"Choose a mobile device management product that supports multiple platforms, i.e. Android, Blackberry, iOS, Windows," says Sarah Bergeron, corporate communications specialist at Kaspersky Lab. "That will take the pain out of managing multiple systems."

Look for a system that offers one management console. This lets you manage all of your various mobile devices from one point. "Small businesses can then control their mobile devices along with all their other end points, including desktops and virtual servers," says Bergeron. "This lets them apply policies more consistently and uniformly, reducing the risk that they'll overlook something critical."

But what features should you expect or look for in an MDM solution beyond these basics?

"Many MDM solutions offer optional application management and content management feature sets," explains Andrea Bradshaw, CDW’s general manager of mobility solutions. "These powerful tools protect the organization’s data and provide users with secure access to the applications and data they need to be productive."

6. Protect your data, not your devices

"Opt for solutions that focus on data access controls and that can keep the device stateless [with no data stored on them]," says Ramesh Rajagopal, president at Authentic8, the makers of a security browser app.

"MDM software that tries to put walls around business content versus personal content are a half-step," he added.  "You probably can't install the [MDM] software in all the places you need it. And, as with toothpaste out of the tube, once your data is delivered to the device you can't suck it back in."

7. Pay close attention to the network

"To maintain the security of corporate networks, businesses should take an integrated network protection approach by, at the very least, using a managed VPN with a dynamic and managed firewall," says Patrick Oliver Graf, general manager at Americas of NCP engineering.

"A VPN encrypts all network communications, thus protecting a small business's data from being intercepted in transit. It's important to look for a VPN that works on a wide range of mobile devices, to ensure that every device accessing a network is protected," says Graf.

While a VPN provides secure remote network connections, Graf recommends adding access control mechanisms to guarantee that network access is possible only under safe conditions. You don’t want a compromised mobile device accessing your network, which is why Graf also recommends automated endpoint checking to keep mobile devices healthy. Finally, be sure that you have "device locking, disk encryption and remote wipe functionality should be put in place."

Bonus Tip: Cover BYOA

Now that you've wrapped your head around BYOD, it's time to consider BYOA—bring your own app.

"Just as MDM addresses BYOD, Mobile Application Management (MAM) addresses bring your own app," says Steven Ostrowski, director of corporate communications at CompTIA, a non-profit association for the information technology (IT) industry.  "In some cases, this may be a separate application; in other cases an MDM solution may expand to include MAM capability. Ultimately, the goal is to manage the entire suite of mobile solutions."

Pam Baker has written for numerous leading publications including, Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, the NY Times, and Knight-Ridder/McClatchy newspapers.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!
This article was originally published on Wednesday Jul 24th 2013
Mobile Site | Full Site