The bring-your-own-device (BYOD) trend provides both good and bad news for small business. Allowing employees to work using their own mobile devices saves small businesses a ton of money in device and carrier plan costs. However, personal mobile devices rank among the greatest security threats your company faces. Obviously, you need to reconcile these two extremes. More good news: you can do that affordably.
Before you begin constructing your mobile device management (MDM) strategy, keep in mind that security threats aren’t limited to external hackers. Your own employees can also pose a threat—intentional or inadvertent—to your company. Several studies show that data breeches come more commonly from internal sources, e.g., your employees, than from outside sources.
"Not a day goes by that my CTO doesn't remind me that he's up all night worrying about data security," says Joshua Weiss, CEO of TeliApp, a mobile application development firm. "Our primary data access is through a cloud, and we constantly backup our data locally and to a remote server. Still, an employee with access could potentially inflict significant damage if he or she truly wanted to do so."
Weiss says that the risks still exist, even though his company enjoys great relationships with its employees. "I take them because I have no choice. I suppose that I wouldn't be an entrepreneur if I wasn't willing to put myself out there and take a risk or two," he says.
Improving BYOD Mobile Security
While taking risks is a fact of life for entrepreneurs of all stripes, failing to contain them as best you can is an even bigger risk and an all-around bad idea.
In the case of addressing security risks on personal mobile devices, you can do quite a bit to curtail employee access to information and to thwart outside attackers. These seven mobile security best practices can help small businesses manage the personally owned devices in their company.
1. Make a policy and stick to it
Write an official company policy that spells out exactly what you expect employees to do—and not to do—on and with their mobile devices.
"As with any IT management process, a technological solution is only half of the equation," says Timothy J. LaFleur, mobility and global events manager at the International Association of IT Asset Managers (IAITAM). "Having solid procedures in place to manage the people using the device is equally important."
This is especially true with mobile assets LaFleur points out because, more often than not, the installing, moving, adding, and changing process will fall to the mobile device owner rather than to an IT service manager.
"Any policy should include real-time communication and education channels to distribute information to mobile users," says LaFleur. Typically the information pertains to "hardware and software opportunities or issues that might occur due to an update or versioning that is out of the control of the company's IT service management department."
One word of warning: don’t make exceptions to your policy—not even for yourself or for key employees. You must set the example or everyone will ignore your policy. Oh, and you expose company data to outside threats if you and your top employees don’t follow security protocols, too.
2. Disconnect employees immediately when they leave your employ
Make sure you control how much data and exactly what data any given employee can access. Employees should never have access to more data than they need to get the job done. Also, be sure you have the means to disconnect or wipe company data from personal devices when an employee leaves the company—voluntarily or otherwise.
3. Don’t forget security basics
Be sure to deploy antivirus and malware solutions across all mobile devices. Rather than expect your busy staff (or your busy self) to maintain and upgrade the software as necessary, automate the process so that you know security software is in place and current on every device.