SMB Extra recently asked Adam Hils, principal analyst, SMB security, at Gartner about the challenges SMBs are facing around mobile security. We also asked him what security strategies exist to deal with employees who work at home or on the road.
SMB Extra: Are SMBs ready to face the latest wireless and mobile security challenges?
Adam Hils: Back when mobile security was all about the networks and wireless intrusion protection, these guys didn’t invest in it. It was pretty much a non-issue. Now issues around data leakage and network access control (NAC) – and global workers and global partners – are really driving it.
SMBE: Why have wireless and mobile security issues become more prevalent?
AH: We’re seeing something like 90 per cent of these SMBs with employees that use laptops or other mobile computing devices. Seventy per cent have company-issued cell phones and just about 100 per cent have employees with cell phones who connect to the network. So you have a lot of different devices coming in… who should have access to what?
SMBE: What kinds of things can go wrong when it comes to mobile workers?
AH: Well, I’m working from a laptop at home and I have a lot of sensitive data on it, and if it fell into the wrong hands and I didn’t have the data encrypted and my USB port protected, for example, all the data would be exposed. Some of Gartner’s intellectual property could be exposed.
SMBE: Are there other security pitfalls?
AH: You know, when I was at a symposium last week I spoke to a larger-than-SMB, a multi-billion-dollar business services firm with a thin margin business, and they only have 1.6 per cent of their staff dedicated to IT and just a five-man security shop supporting 10,000 employees. They are having some of the same problems that mid-sized businesses have in that they have sales people calling up and saying ‘I’m at a customer site and after 15 minutes my screensaver comes on and it’s kind of embarrassing,’ and so they deactivate the passwords. You’re seeing stuff like that in mid-sized businesses as well, where it’s kind of a Wild West atmosphere and all of a sudden not even passwords are being used. A lot of these problems are policy oriented as well as security product oriented. If you’re a small guy, a $50-million company, and your salesperson is going after a $500,000 deal you may make an exception, but when you make exceptions all of a sudden you become very exposed.
SMBE: How quickly are SMBs reacting to such threats today?
AH: These guys have to compete harder than their large enterprise competitors in many ways, so they have a higher percentage of employees connecting remotely. We found that consistently in our recent polling data. So more guys are on the road and more guys are working from home, and all of a sudden the network security guys are saying, ‘How are we going to control this? Are we going to do some kind of basic NAC? Probably not, that’s expensive. Are we going to do data leakage protection, like encryption, to make sure people aren’t sending intellectual property away and that it isn’t being extracted? Are we going to [set down] a lot of policy-based measures?’
SMBE: Is the focus somewhat off the network?
AH: They’re not employing these things as often on the network. They’re figuring out what to do at the end point. They can check the patch status of their own users as they’re coming onto the network from the end point, or they can make sure important customer data is not going out. Whereas a larger company might put some devices on the network to stop stuff before it gets to the end point, that’s not a luxury many SMBs have.
SMBE: Is there advice you’d offer to SMBs worried about their mobile security?
AH: I’d tell them that security policies are close to free. But, they do take time. There’s learning involved and there are ways around them but they are definitely a place to start. Once you put down a simple, clear, short policy statement – it doesn’t have to be the 500-word policy manual that is so famous these days – but simple clear guidelines, all of a sudden you have a structure upon which to hang the technology. Decide what you’re going to do about protecting your data and about protecting your networks against remote users who have been traversing dirty networks and/or who may not be patched correctly. Decide what you’re going to do about partners who come in and connect to certain parts of your network. Then decide what security choices you are going to make. The SMBs who invest in leading edge technology without thinking that through first are almost universally disappointed in their investments.
SMBE: Any final thoughts on the subject?
AH: I want to make sure that you don’t write that there should be a policy for every single contingency, because as soon as you get over a few pages, the policies are meaningless and become paperweights. And you might do some training around the policies, but again, security posters, policy manuals and training only have a certain amount of influence. At least the policies give you some sort of investment so you don’t just rush willy-nilly into a full data leakage or NAC implementation that takes a year to implement and costs several hundred thousand dollars.