3 Bring Your Own Device Risks For SMBs

Small and midsize businesses can reap real rewards from letting employees bring their own devices to work, but must also manage the dangers.
The bring-your-own-device (BYOD) approach can work wonders for bootstrapped businesses looking to make the most of mobility. But failing to properly recognize the corresponding risks can quickly wipe out potential gains.

The latest data highlighting the multitude of mobile devices IT pros at small and midsize businesses (SMBs) must manage in a BYOD environment comes from startup Mobilisafe. The company's beta program mapped some 45 million mobile connections to SMB networks during a three-month period. Not surprisingly, some 80% of SMB staffers are using a smartphone or tablet. Perhaps more telling for IT: A new device model connects to the corporate network, on average, for every 6.6 employees.

"Embracing BYOD is one of the key initiatives that can really drive employee productivity and happiness, and the trend is past the point of fighting it," said Mobilisafe CEO Giri Sreenivas. "Focusing on discovering and defining remediation to its corresponding risks to corporate data and resources will help SMBs achieve the right balance for their organization between employee choice and corporate data protection."

In a combination of phone and email interviews, Sreenivas talked through three key risks SMBs need to recognize if they embrace BYOD: Device diversity, outdated firmware, and leaky network authentication and data. Device diversity is just that: The constantly morphing menu of operating systems and even larger array of hardware means IT can't focus on securing a single platform. Meanwhile, Mobilisafe's data showed that employees aren't good about keeping current on their own: 56% of Apple iOS users were running out-of-date firmware. Finally, and perhaps most frightening from a security standpoint, well over a third of the devices with network access and/or corporate data went inactive for more than a month. That means personal devices that are later lost or upgraded, for example, retain potentially sensitive data long after they should.

While Sreenivas ultimately advocates that BYOD shops invest in one of the growing number of mobile security platforms like Mobilisafe's--doing so is in his job description, after all--he notes that any SMB can begin to reduce risks simply through education and prioritization.

InformationWeek: What's the best way to deal with device diversity in a BYOD office?

Sreenivas: The first step is to acknowledge that it's happening and understand the scope of it. From there, it's important to distill what you care about most when it comes to protecting your data and resources with personal devices. You can't focus too much on what extra things you can do on a few select devices, but instead what you can do across the board so your message and remediation steps are consistent with all your employees and their devices.

IW: You mentioned that the telecom carriers and device manufacturers aren't particularly great at messaging firmware and security updates. What can SMBs do about that?

Sreenivas: Communicating to employees the importance of keeping their devices up to date by explaining risks to personal and corporate data is a good first step. Employees have to feel invested for BYOD to work in SMBs. This can improve employee vigilance about paying attention to any communication they may receive about updates. SMBs [need] visibility into firmware versions and available updates, and [to message] their employees on how to update their devices [accordingly].

IW: You found 39% of authenticated devices were inactive for at least 30 days. What do SMBs need to understand about this, and how can they prevent leaking data?

Sreenivas: Such a high percentage of stale devices means that SMBs are unaware of devices that could leak corporate data and user credentials. These devices could have been re-sold, lost, or stolen. SMBs should stay on top of this by deploying a solution that provides visibility into devices that no longer sync with company resources to ensure they are appropriately wiped of company data and credentials. They should also ensure that these devices' associations with enterprise resources like Exchange are removed on the back end.
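The two checks Sreenivas describes (devices that have stopped syncing, and devices running out-of-date firmware) can be run over an ordinary device-sync export. The script below is an added example, not Mobilisafe's or InformationWeek's code; the CSV columns, the "latest firmware" table, and the sample rows are all constructed assumptions standing in for whatever a real ActiveSync or MDM report would provide.

```python
"""Stale-device and outdated-firmware audit over a constructed sync export."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows; real exports will use different column names.
SAMPLE_EXPORT = """\
device_id,user,platform,os_version,last_sync
d-001,alice,ios,5.1.1,2012-04-30
d-002,bob,ios,5.0.1,2012-05-02
d-003,carol,android,2.3.6,2012-03-10
d-004,dave,android,4.0.4,2012-05-03
d-005,erin,ios,4.3.3,2012-01-15
"""

# Assumed current firmware per platform at audit time (placeholder values).
LATEST = {"ios": (5, 1, 1), "android": (4, 0, 4)}

AUDIT_DATE = datetime(2012, 5, 5)          # constructed audit date
STALE_AFTER = timedelta(days=30)           # the 30-day window from the article


def parse_version(text):
    """Turn '5.1.1' into (5, 1, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(export_text, as_of, stale_after=STALE_AFTER, latest=LATEST):
    """Return (stale, outdated): ids of devices that have not synced within
    stale_after, and ids of devices running firmware older than latest."""
    stale, outdated = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        last_sync = datetime.strptime(row["last_sync"], "%Y-%m-%d")
        if as_of - last_sync > stale_after:
            stale.append(row["device_id"])
        current = latest.get(row["platform"])
        if current and parse_version(row["os_version"]) < current:
            outdated.append(row["device_id"])
    return stale, outdated


def stale_ratio(export_text, as_of):
    """Fraction of devices in the export that are stale (cf. the 39% figure)."""
    total = sum(1 for _ in csv.DictReader(io.StringIO(export_text)))
    stale, _ = audit(export_text, as_of)
    return len(stale) / total


if __name__ == "__main__":
    stale, outdated = audit(SAMPLE_EXPORT, AUDIT_DATE)
    print("wipe and remove back-end (e.g. Exchange) association:", stale)
    print("send update reminder:", outdated)
    print("stale ratio:", stale_ratio(SAMPLE_EXPORT, AUDIT_DATE))
```

Stale devices are the ones to wipe and de-associate on the back end; outdated ones feed the update messaging Sreenivas recommends.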
