A cellphone with an illustrated lock over it

Consumerism in technology has changed the landscape of society and business dramatically. Decades ago, consumers could not afford computer systems and the only exposure to these systems was within the work environment. As technology grew, opportunities evolved to telecommute and access work systems remotely. At this point, mobile computing was born and many employees were issued company-owned laptops. Today, most consumers own two or three computer systems, including a laptop, tablet and smartphone. Employees are more likely to work into their work environment with a personally-owned computer system.

Small and medium businesses have a greater challenge facing them in securing their information assets. Generally, they do not have the IT skills required to do fulfill essential requirements in the business environment. While SMBs are consistently more agile and responsive to customer demands, they have limited financial resources to carry out comprehensive programs, so many initiatives are developing as they are deployed. Mobility and Bring-your-own-device (BYOD) initiatives bring opportunities and risks.

Bart Simpson writing "I will adopt Best Practices" on a blackboard

Mobile Device Policy

Companies may not have a fully developed mobile device policy with rules for authentication and restrictions on personally identifiable information (PII) when using the device or communication software on the device. Many mobile devices do not have a password and, when they do, they are not compliant with two-step authentication followed on most company-owned assets. A mobile device policy can align with the information security policy and define the rules for creating strong passwords across multiple mobile platforms. The policy can define limits and restrictions for accessing and using company resources. A mobile device policy is also the entry point for all mobile device security training organizations develop.

Multilayered Approach to Security

Staffing shortages require SMBs to handle complex security concerns using general skills that any IT technician can use to be network administrator, wireless device administrator and security administrator. Traditional security approaches in establishing a strong perimeter cannot sufficiently handle the pervasiveness of wireless communications and the diversity of mobile devices, particularly BYOD. Security needs to be built from the ground up, starting with employee training on general principles of security to what actions should and should not be performed on their mobile device. Each aspect of the network must be secured from individual assets to devices, to the information found on the network.

The acceptance of end-user devices must be controlled into the network. Certain devices or device types may be restricted to the network, while others will be based on user authentication. One access is granted, multiple authentication through processes should be eliminated to prevent delays in productivity. As users navigate the network and access different resources, identification protocols must continually track pathways and usage to identify any anomalies. Unknown access requests to resources must be identified, quarantined and investigated.

Mobile phone with a physical lock on it

Visibility and Protection

SMBs may suffer from a fragmented set of management tools which slows responsiveness and prevents any number of deployment and monitoring problems. A comprehensive and unified view for network management is needed within an integrated network security architecture. VLANs, ACLs, and IEEE 802.1x provide methods for embedding security capabilities into each network device, including mobile end points. These features can be added to existing devices and new devices should be evaluated for these features. Management of network devices and the underlying infrastructure can be centralized through an integrated management consoles. Some routine security tasks can be self-service to users, including registering BYOD devices.

Compliance to Standards and Processes

The myriad of mobile devices in the marketplace provides a large number of configurations. Best practices require all device types be treated consistently which is only possible through standard processes and conforming to industry standard. Security tools must be intuitive to end-users and easy to use. User familiarity with processes and tools is essential to success. Security initiatives must be complete to ensure no neglect in any aspect of the security infrastructure.

Real-time Threat Protection

Attackers use a variety of methods to attack companies and they will vary their attacks according to each layer of defense they encounter. Threat detection systems relying on information from past exploit signatures are lacking in providing real-time protection from the latest exploits. Unfortunately, staffing concerns prevalent in SMB make it difficult for IT administrators to devote the necessary time to stay abreast of current security details. Enforcement of network and application security must be driven by an automated infrastructure to overcome any staffing deficiencies.

In short, SMBs benefit from a comprehensive mobile security program driven by a well stated mobile device policy and employee training. The network must be secure with appropriate identity management for both device and user, multi-factor authentication and VLANs. Redundancy and continuity planning can ensure continuous availability in the event of network disruption. Scalability of the network, server and storage infrastructure can control resource allocation and aid quarantines. Security is not limited to the network: Data residing on and used in all applications and devices need to be sufficiently protected no matter where in the world the device is located.