People blend their business and personal lives in these handheld gadgets, letting their guard down when they shift from working to searching for Facebook updates or nearby burger joints. They may click on infected websites, write passwords inside smartphone covers, and use the same password for the company network and their YouTube accounts.
Employee training can reduce such errors. But technology also offers remedies in three core areas: mobile device management; network access control; and an emerging tactic, mobile application management. Often, several services are blended together as security firms form partnerships to offer comprehensive coverage.
Companies should register all permitted mobile devices and install antivirus programs, said Murphy of Bradford Networks. But cybercriminals are outpacing antivirus updates.
“You must assume, as a security professional, that every device is compromised,” he said.
The next defense is network access control (NAC). Sensitive information, such as budgets and intellectual property, should be roped off in network regions inaccessible to most workers, Murphy said. Through passwords and other means, users should be confined to the data they need to do their jobs.
Other measures are needed because lightweight mobile devices are often lost or stolen. Workers not only store company information there, but may also create original documents. Automatic backups can recover the data, and a well-prepared company can also remotely erase the entire contents of a lost gadget to deprive thieves of access. The boss clearly has authority to remote-wipe a company-issued smartphone. But what about a personal iPad loaded with family snapshots and addresses?
Companies that permit BYOD can require employees to agree in advance that a lost device must be reported immediately, and that its contents may be partially or completely wiped. Firms may also insist that staffers leaving the firm will temporarily surrender their devices while company data is removed, said PlumChoice founder Ted Werth.
Beyond that, encryption can protect data sent from company networks to devices, so that a casual thief can’t read files on the device.
And then there are apps. Some employees share information on free consumer cloud applications, such as Dropbox. This is another example of the security challenges posed by the “consumerization of IT,” which allows individuals to find their own workarounds to get things done easily.
Box offers cloud-based data storage that is guarded by mobile access controls — an attempt to satisfy mobile file-sharers while preventing IT nightmares. Box customer Atri Chatterjee, CMO of Act-On Software, said employees are also less likely to download files to their many devices if they know they can always find them in the Box cloud. “I’ve got one place I really have to fortify and protect; I don’t have a thousand places,” Chatterjee said.
Protiviti’s Slemp said each company must choose its own best policies on mobile access, depending on the sensitivity of data the company handles. “If we start with that, we can understand the risk and make appropriate choices.”