5 real‐world mobile device security practices for SMBs
By Chris Pyle
Mobile technology continues to transform the way people work, helping employees be more efficient and productive. The vast majority of employees today work from mobile devices, but managing those devices – both company- and employee-owned – is a universal challenge.
This challenge is just as pressing for small- to medium-sized businesses as it is for large enterprises. Jeremy Grant, an adviser at the Department of Commerce's National Institute of Standards and Technology, said there has been "a relatively sharp increase in hackers and adversaries targeting small businesses" over the past few years, and Symantec has reported triple-digit increases in cyberattacks on small businesses. SMBs tend to have weaker security controls, which makes them more appealing targets.
Allowing a growing number of devices access to sensitive company data and networks requires well-defined policies and safeguards, no matter the size of the business. Mobile security best practices hold true whether you have five employees (and devices) or 5,000. Understanding what businesses are doing to secure mobile access to company systems, particularly their practices around password management and mobile-device policy enforcement, is essential to crafting a strong BYOD policy.
Champion Solutions Group and MessageOps recently polled 447 IT decision‐makers across a spectrum of business sizes and industries in the first annual survey of mobile device security policies. A full 272 of the companies surveyed are SMBs that manage 250 or fewer devices. The survey provides a baseline that enables SMBs to compare their policies to peer organizations and identify ways to improve their mobile security posture through five key recommendations.
1. Have a formal BYOD policy
Based on the survey's findings, only 40 percent of the organizations with the smallest mobile fleets (250 devices or fewer) have implemented a BYOD plan, with variation by vertical. For example, strict privacy regulations in education, financial services and healthcare mean businesses in these sectors are more likely to prioritize mobile security. Meanwhile, 88 percent of SMBs do not allow jailbroken or unlocked mobile devices on their networks, which is in keeping with established industry advice: a device whose OS protections have been bypassed cannot be trusted to enforce the passcode, lockout and wipe controls that the rest of a mobile policy depends on.
2. Require passwords for mobile access
Passwords are the front-line defense in mobile security, yet businesses at large are reported to heed the basic best practice of requiring passwords for mobile access only about one-third of the time. The good news is that among the SMBs polled, more than 92 percent say they use passwords to control access to corporate networks from mobile devices, and the vast majority of those have provisions in place for expiring passwords and prohibiting reuse of old ones.
However, multifactor authentication (MFA) – a login that requires more than one method of authentication from separate categories of credentials (something the user knows, has or is) to verify identity – is not widely used: 80 percent of SMB respondents indicate that they don't take advantage of the additional layer of protection it provides. A password alone does nothing against a phished or breached credential, which is precisely the failure mode MFA is designed to absorb.
3. Make password requirements strong
Alphanumeric password requirements have become table stakes in network security best practices, as evidenced by the 72 percent of SMB respondents who now require them for access to company data and applications from mobile devices. Many SMBs go beyond this standard: of those that require alphanumeric passwords, more than half require at least three of the four character classes (uppercase letters, lowercase letters, digits and symbols, i.e. non-alphanumeric characters). Eighty-two percent enforce a minimum password length, and 80 percent of those set the minimum somewhere between six and 10 characters. One caveat: NIST SP 800-63B now favors length over composition rules, since class requirements mostly produce predictable substitutions; where the MDM allows it, a longer minimum (eight or more characters) does more for security than a third or fourth character class.
4. Institute access controls based on login attempts and inactivity
Multiple unsuccessful login attempts are often the first sign that a mobile device with authorized network access has been lost or stolen. It's therefore vital to establish a policy for prohibiting network access to devices that demonstrate such behavior. The survey found that 76 percent of SMBs have policies to lock out devices after multiple failed login attempts – usually between three and five failed tries.
Similarly, a long period of inactivity can indicate that a device has been misplaced or stolen, which is why around 71 percent of SMBs require re-authentication of mobile devices after inactivity, most opting for an automatic lock after five to 15 minutes.
5. Require password changes and restrict reuse
Another key to security in mobile and BYOD environments is requiring employees to change their passwords at regular intervals. Over time, passwords can be compromised in a number of ways. Users may share passwords with friends or coworkers, or write them down where others can see them. Phishing and social engineering of users or help-desk representatives can expose passwords to unauthorized persons, and passwords can also leak through data breaches or be recovered by brute-force attacks.
Fortunately, 69 percent of SMBs safeguard their networks and data through password expiration. Expiration periods range from monthly to annually, but by far the most common interval is 90 days, used by nearly half of those surveyed. Once a password expires, 75 percent of SMBs restrict reuse, and the majority require four new, unique passwords every 12 months, which at a 90-day interval corresponds to a password history of four. One caveat a practitioner should weigh: NIST SP 800-63B advises against forced periodic rotation and recommends changing a password when there is evidence of compromise, because routine expiration pushes users toward predictable variants of the old password. If you keep an expiration interval, pair it with a history check and MFA rather than relying on rotation alone.
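The controls in sections 2 through 5, plus the refusal of untrusted devices from section 1, map directly onto an Exchange ActiveSync mobile device mailbox policy, which is the enforcement point an SMB on Microsoft 365 already has. The PowerShell below is an added example, not code from the article, the survey, or Champion/MessageOps. It assumes the ExchangeOnlineManagement module is installed and the operator is an Exchange administrator; the policy name SMB-Mobile-Baseline and the mailbox alice@contoso.com are placeholders, and the numeric values are the survey's most common settings (five failed attempts, a 10-minute inactivity lock, 90-day expiration, a history of four).

```powershell
# Added example (not from the article or the survey): enforce the five
# recommendations as an Exchange ActiveSync mobile device mailbox policy
# in Exchange Online / Microsoft 365.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin rights;
# the policy name and the pilot mailbox are placeholders.

Connect-ExchangeOnline   # interactive sign-in

# 1. Inspect what is enforced today. The built-in "Default" policy normally has
#    PasswordEnabled = False, i.e. a device can sync mail with no passcode.
Get-MobileDeviceMailboxPolicy -Identity 'Default' |
    Format-List PasswordEnabled, AlphanumericPasswordRequired, MinPasswordLength,
                MinPasswordComplexCharacters, MaxPasswordFailedAttempts,
                MaxInactivityTimeLock, PasswordExpiration, PasswordHistory,
                AllowNonProvisionableDevices

# 2. Build the hardened policy. Each setting is annotated with the
#    recommendation (#1-#5) from the article that it implements.
$policyName = 'SMB-Mobile-Baseline'   # placeholder name

$baseline = @{
    Name                         = $policyName
    PasswordEnabled              = $true          # #2 require a passcode for mobile access
    AlphanumericPasswordRequired = $true          # #3 letters and digits, not a numeric PIN
    AllowSimplePassword          = $false         #    reject 1234, 1111 and similar patterns
    MinPasswordLength            = 8              #    inside the 6-10 range most SMBs use
    MinPasswordComplexCharacters = 3              #    at least 3 of 4 character classes
    MaxPasswordFailedAttempts    = 5              # #4 device wipes itself after 5 failures
                                                  #    (EAS accepts 4-16, so "three" is not available)
    MaxInactivityTimeLock        = '00:10:00'     #    re-authenticate after 10 idle minutes
    PasswordExpiration           = '90.00:00:00'  # #5 rotate every 90 days
    PasswordHistory              = 4              #    four unique passwords per year
    AllowNonProvisionableDevices = $false         # #1 refuse devices that cannot enforce the policy
    IsDefault                    = $false         #    pilot first, make default afterwards
}
New-MobileDeviceMailboxPolicy @baseline

# 3. Read the policy back as Exchange stored it (timespans are normalized).
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Format-List PasswordEnabled, MinPasswordLength, MinPasswordComplexCharacters,
                MaxPasswordFailedAttempts, MaxInactivityTimeLock,
                PasswordExpiration, PasswordHistory, AllowNonProvisionableDevices

# 4. Pilot on one mailbox (placeholder address), then promote to the tenant default.
Set-CASMailbox -Identity 'alice@contoso.com' -ActiveSyncMailboxPolicy $policyName
Set-MobileDeviceMailboxPolicy -Identity $policyName -IsDefault $true

# 5. List devices Exchange is no longer letting in, e.g. ones that refused the
#    provisioning the policy demands.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel,
                  DeviceAccessState, DeviceAccessStateReason
```

Two limits worth knowing before relying on this. MFA (the gap in section 2) is not a mailbox-policy setting at all; it is enforced at the identity layer, so a policy like this only covers the device passcode. And an ActiveSync policy cannot detect a jailbroken or rooted device: AllowNonProvisionableDevices only turns away clients that will not accept provisioning, so the section 1 ban on jailbroken devices needs a full MDM to be enforced rather than merely declared. If you follow the NIST guidance on rotation discussed above, set PasswordExpiration to Unlimited and keep PasswordHistory and MFA as the compensating controls.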
Smart SMBs today know the high stakes involved in shortchanging mobile security. Employees are relying on their mobile devices more than ever before, and without instituting the five best practices outlined above, SMBs are vulnerable to attack. For SMBs, the consequences of an attack can be catastrophic. Prioritize mobile security now so you don't regret it tomorrow.
Chris Pyle is president and CEO of Champion Solutions Group, a provider of virtualization, cloud, and data management solutions to enterprises. MessageOps is a Microsoft Cloud business unit of Champion.