It is in that vein that Scott Ashdown, director of products and solutions, Imation Mobile Security, shared five assumptions that SMB IT departments should keep in mind when it comes to BYOD. I highlight them below.
Assume the worst.
"75 percent of organizations have suffered data loss from negligent or malicious insiders," says Ashdown. With this in mind, small and mid-sized businesses may do well to spare themselves the cost of hiring a penetration tester, and deploy their defenses by assuming the worst — that the bad guys will eventually get in.
Assume that employees will use their personal devices on the corporate network, even if told not to.
More than 50 percent of employees use portable devices to take confidential data out of their companies every day, says Ashdown. "Before you end up with a problem on your hands, use products, available today, to block the ones you're not willing to have around," cautioned Ashdown. He also added that SMBs should encrypt and audit the movement of devices carrying critical data.
Assume employees value convenience more than security.
Employees will find a way around cumbersome or inconvenient security policies. On this front, Ashdown warns that businesses should not underestimate the ingenuity of employees looking to circumvent procedures that "slow them down," which may include workarounds like using their smartphones to take pictures of documents in order to work from home. This makes an outright ban or draconian rules on BYOD futile, and such measures can actually create bigger problems.
Assume that flash drives will be lost and IT will never know.
Citing a Ponemon Institute National Study of data loss breaches in 2010 that found missing devices cause 42 percent of security breaches, Ashdown opines that "losing a $10 flash drive can be even worse than losing a laptop." The reason, he elaborated, is that unlike laptops, cheap flash drives are quietly replaced without being reported. The solution is to use an encrypted flash drive, for which I personally recommend a hardware solution such as the .
Assume that an organization's first and last defense against a security breach is its own employees.
offers the "most bang for the buck," says Ashdown. As such, SMBs should train employees to spot phishing attacks and fake antivirus software advertisements, as well as to use strong passwords. Indeed, I've often written about how training is important for SMBs, and have even put together a that you may want to check out.
Ashdown noted that SMBs need to implement policies for BYOD, as well as "provide secure devices and management solutions that make the easy path the secure path." In closing, Ashdown said: "Taking advantage of the brave new world of user mobility doesn't have to mean losing control."