In "Is It Time for SMBs to Implement Policies for BYOD?" I wrote about how the increasing usage of tablets and smartphones by SMBs has put them at the forefront of the BYOD trend. Unfortunately, a large proportion of IT departments are uncertain of what to make of these devices, let alone the security implications that they may represent.
As I highlighted then, even enterprise firms like IBM have found it necessary to implement measures to defend against potential data leakages that may arise from BYOD. Taking a page from their book, I've outlined a trio of areas around which small and mid-sized businesses may want to implement BYOD-related policies.
I've always advocated the implementation of data encryption for laptops, be it using self-encrypting drives or robust software options such as Microsoft's BitLocker full disk encryption. Similarly, the first policy that SMBs should implement prior to allowing mobile devices and other gadgets onto their network is to enforce device encryption. Not only will this go a long way to protect against inadvertent data leakage due to stolen or lost devices, but the use of encryption will also defend against opportunists who may find themselves with temporary possession of a smartphone or tablet. Obviously, encryption is only effective if the device is set to lock automatically after a specified amount of time and is protected with a good password.
Another policy that SMBs may want to adopt is to create a list of apps that are not recommended for use. The reason is that most employees have little idea about the security risks inherent to various applications on mobile devices. While telling them to avoid software that stores data in the cloud may be helpful to the technically inclined, it will likely be completely lost upon almost everyone else. Together with a recommended list of apps to use, this helps to eliminate the complexity for employees even as it serves as an invaluable reference for apps that may pose a risk to security.
Finally, a policy should be implemented in which lost or misplaced BYOD devices have to be reported within a stipulated timeframe. Where possible, a remote wipe should also be triggered. According to a study conducted earlier this year by McAfee and Ponemon Institute, a staggering five percent of smartphones are lost every year. This works out to five smartphones even for a small business of 100 employees, and will likely rise once you include tablets in the count.
If you're still not convinced about the need to enact policies to manage BYOD in your SMB, Spencer Parkinson, public relations manager at Symantec, recently left a comment on my "The Dangers of BYOD in Small Businesses" post where he pointed to The Symantec Smartphone Honey Stick Project (PDF). In a nutshell, Symantec conducted an experiment in which 50 smartphones with fake data and tracking software were "lost." Well, 89 percent of devices were accessed for personal apps and information; 83 percent were accessed for corporate-related stuff.
Does your SMB implement any policy to better protect itself? Feel free to share your experiences in the comments section below.