Can SMBs Live Without Mobile Security?

As the business use of mobile devices such as laptops and smartphones proliferates, IT departments are scrambling to implement adequate security safeguards both inside and outside company walls.

The cost of implementing security measures is problematic for many small-to-medium-sized enterprises, but the alternative can be worse.

"The cost of not protecting company information technology resources is huge, especially for smaller-sized companies," said Mike Logan, president of Axis Technology.

"Mobile devices are pretty much mini data portfolios. If they're lost or stolen, they present many opportunities for people with malicious intentions," Logan told the E-Commerce Times. "It's like buying insurance. Many companies like to see if they can avoid spending the money -- but in the long run, if they're caught without it, the costs are tremendous."

In addition to becoming lost or stolen, a mobile device can be attacked or be the source of an attack, said Tom Cross, manager of IBM (NYSE: IBM) Internet security systems in Atlanta.

Tools can be run on or through mobile devices into internal corporate systems and networks, he told the E-Commerce Times. Mobile devices can then become gateways, bridging the Internet with the corporate network over high-performance wireless links.

Wake-Up Call Ahead?

"I believe that there will eventually be a watershed event that will dramatically change people's perceptions of the security risks" associated with mobile devices, Cross said, citing the Slammer worm as an example.

It caused millions of dollars worth of damage in 2003 when it infected computers all around the globe, changing perceptions about the vulnerability of corporate networks to Internet worms, Cross recalled.

A data breach can cost millions of dollars; a study conducted by the Ponemon Institute placed the a cost of a data breach at US$202 per compromised record, for an average of $6.6 million across a company. The price of lost business accounted for 69 percent of the data breach cost.

"This shows that the cost of purchasing and implementing a solution to prevent breaches is a fraction of the cost associated with the breach," Novell's (Nasdaq: NOVL) Grant Ho, senior product manager for end point management, told the E-Commerce Times. "Today's security threats are more focused on data theft and intended for profit. As people find that hacking can be profitable, the price tag for stolen data is rising."

Mobile devices were limited mostly to executive staff even as recently as a few years ago. However, company-wide distribution is becoming normal, even at smaller firms, said Doris Yang, product manager of mobile products at PGP.

"Additionally, mobile device hardware has advanced over the years, increasing in both storage and connectivity abilities," Yang told the E-Commerce Times. "Mobile smartphones today are undeniably valuable as productivity tools, allowing employees to access and store the same information on their mobile devices as their corporate-issued laptops."

Uniformity and Control

With the downturn in the economy increasing the number of possible security threats, SMBs might want to issue the portable devices to their mobile workers, said Kevin Prince, chief architect at Perimeter eSecurity.

The company can then dictate the security policy for the device, he said. This also allows the company to ensure the system stays up to date with the latest security software.

Mobile devices should be included in security policies, he suggested.

"You need to decide if you want people to be able to sync their iPods, smartphones and other mobile devices at work," Prince told the E-Commerce Times. "Policies first, enforcement second: Make it clear what is allowed, and then enforce it. Train employees on knowing what the risks are and why you are making the decisions that you are."

As mobile devices become "the way business is done," and the market for them grows, so will the market for security tools, said Al Subbloie, president and chief executive officer of software provider Tangoe.

"Enterprises need to be a little paranoid and treat every mobile device application or solution as an opportunity for attackers to access their corporate systems," Subbloie told the E-Commerce Times.

"Device manufacturers may market security as 'easy and ready to go,' but you are wise to challenge every aspect of that vulnerability," Subbloie said, adding that companies should plan ahead for the growth and utilization of mobile devices.

Can't Look the Other Way

The continuing expansion of access to social networks through mobile devices also opens up new challenges for security officers at companies, said Rene Poot, international systems engineer with NCP Engineering.

"The most common problems associated with the use of mobile devices by employees is managing them," he told the E-Commerce Times. "I believe that more and more folks want to use their devices they may have purchased themselves within the workplace."

SMBs can no longer afford to restrict or ignore mobile devices, said Andrew Storms, director of security operations at nCircle. "Companies that forbid mobile devices only incent their workers to break policy in order to get their jobs done," Storms told the E-Commerce Times.

Yet companies cannot afford to support mobile devices in an ad hoc manner, either. "Supporting them haphazardly without an organized approach dramatically increases the company's risk profile," Storms said.

"People will use mobile devices to get their work done," he concluded, and IT should be in the business of making sure mobile devices can help mobile workers get their work done in a secure manner.