Compared to sizable companies, small to medium-sized businesses (SMBs) seem to be less concerned with mobile security because they feel too “unimportant” to be attacked. This, of course, is not true.
In the first half of 2012, small businesses accounted for 36 percent of all targeted cyber attacks, up from 18 percent at the end of 2011, according to Symantec data. These SMBs are becoming more frequent victims of mobile cyber attacks due to their lack of device defenses and their position as “gateways” to larger firms’ or consumer data.
And while many SMBs deem security a major priority, most aren’t taking the proper precautions. Fifty-five percent of small businesses classify security as a major mobile risk, but only 16 percent have a mobility policy in place, according to CompTIA’s Second Annual Trends in Enterprise Mobility report published in April.
Many have mobility policies that don’t cover critical security areas like personal device use, transmission and storage of data, and public Wi-Fi accessibility. Even more disconcerting: 37 percent of policies don’t include a protocol for lost devices, even though almost half of businesses identified device loss as their most common mobile security incident.
Security breaches can cost thousands or millions of dollars in damage and put a business down for months at a time, but many SMB cyber-crimes are preventable. The IT channel is full of firms that offer ways to create or strengthen preventative and disaster recovery plans for businesses of all sizes.
Whether your enterprise mobility policy and solutions are outsourced or managed internally, there are passcode and encryption strategies, software, and monitoring tools that can help prevent damaging data breaches from happening, or lessen the blow of those that do.
Here are a few tips for developing a more effective SMB mobility policy:
- Leave room to grow: For organizations writing their inaugural mobility policy, it’s OK to start small. Include even the most basic protocol for setting device passcodes and downloading third-party apps, but understand that these areas are subject to change and will evolve over time. At first, your policy might mandate all app downloads be approved by an IT manager, but if you build an internal app store in a year or two, that process will need modification.
- Security and data deserve their own treatment: When writing a mobility policy, it’s easy to use “security” as an umbrella term that covers both physical device threats, like jailbreaking, and data vulnerabilities. Data, however, can be a beast of its own and should be treated as such in a company policy. Data spans mobile devices, desktops, office networks, and personal networks. Keeping information safe outside of a business’s walls demands constant monitoring (either internal or outsourced), a Data Loss Prevention platform, and end-user awareness of data safety best practices.
- Engage your business leaders (not just IT): At smaller firms especially, where IT staff may be limited, it is important to get mobility policy buy-in and guidance from the management team. Understanding that mobile security is a strategic business issue, not just a technology problem, builds the right foundation for a more sound, comprehensive policy.
- Designate control: One of the biggest decisions for SMBs is whether or not to outsource the mobile management process. Regardless of who holds the keys to device and data maintenance, make sure that they have access to all necessary information and the ability to make updates or quick fixes without disturbing staff productivity. If the proposed security measures can’t coexist seamlessly with your day-to-day operations, then your strategy may need tweaking.
As mobile technology continues to evolve, SMBs must be proactive in implementing cohesive processes to combat imminent threats. Prioritizing security and letting go of the misconception that SMBs are immune takes time and effort, but it can help keep an organization from a world of unwelcome chaos.
Todd Thibodeaux is the president and chief executive officer of CompTIA, the leading trade association representing the business interests of the global information technology (IT) industry. He is responsible for leading strategy, development and growth efforts for the association.