In large-scale organizations, implementing mobile device management (MDM) is typically given. After all, with so many employees using mobile devices that either contain or connect to sources of sensitive information, there needs to be some way to keep everything in check. But what about those companies that aren't big enough to be able to afford an MDM implementation and a full-sized IT department to manage it? Without a means to centralize the control of mobile devices, how can these smaller companies protect their data?
Some SMBs have found ways to help mitigate risk without traditional MDM, but it isn't always easy. Right off the bat, things are tricky given that smaller companies often implement BYOD since they can't afford to provide employees with devices.
"In some ways, it changes the landscape a little bit, because users may be hesitant to allow corporate control of their devices," says Tyler Shields, lead mobile analyst for Forrester. "But if you propose the trade off as, 'If you want access to sensitive material, you have to have MDM,' the user will almost always accept MDM on there for the convenience."
With BYOD in place, SMBs either opt for endpoint security or simply ask that employees have "something on their devices, some sort of security," adds Shields.
David Lingenfelter, an information security officer at Fiberlink, agrees that BYOD is the norm for SMBs, saying, "They're not buying devices and handing them out. So they want to get some level of control around [employees' devices], whether it's limiting them to specific kinds of devices or a certain OS version."
That said, Lingenfelter adds that regardless of what kind of policies they may have in place, SMBs often don't think about what happens to BYOD devices when employees want to get a new one. "They need to ensure that corporate data is not on the old device," he says. "Usually when I'm done with these devices, I give them to my kids. I have enough common sense to wipe them before I do, though. Are you sure your employees are doing that?"
Taking a gamble
Knowing that they don't have a means of centralizing control over their mobile devices (and that their employees devices are typically also their personal ones) what are the options for SMBs? In some cases, smaller businesses opt for forgoing MDM entirely, and this obviously creates a substantial attack surface. Whether or not such small companies are even on attackers' radars, however, is precisely why they're willing to take the risk. Most assume that as a small company — that is therefore worth relatively little and isn't in possession of a wealth of valuable data — the odds aren't high that they will be the target of an attack, and they take the gamble.
Sign up for CIO Asia eNewsletters.