In large-scale organisations, implementing mobile device management (MDM) is typically given. After all, with so many employees using mobile devices that either contain or connect to sources of sensitive information, there needs to be some way to keep everything in check.
But what about those companies that aren't big enough to be able to afford an MDM implementation and a full-sized IT department to manage it? Without a means to centralise the control of mobile devices, how can these smaller companies protect their data?
Some SMEs have found ways to help mitigate risk without traditional MDM, but it isn't always easy. Right off the bat, things are tricky given that smaller companies often implement BYOD since they can't afford to provide employees with devices.
"In some ways, it changes the landscape a little bit, because users may be hesitant to allow corporate control of their devices," says Tyler Shields, lead mobile analyst for Forrester. "But if you propose the trade off as, 'If you want access to sensitive material, you have to have MDM,' the user will almost always accept MDM on there for the convenience."
With BYOD in place, SMEs either opt for endpoint security or simply ask that employees have "something on their devices, some sort of security," adds Shields.
David Lingenfelter, an information security officer at Fiberlink, agrees that BYOD is the norm for SMEs, saying, "They're not buying devices and handing them out. So they want to get some level of control around [employees' devices], whether it's limiting them to specific kinds of devices or a certain OS version."
That said, Lingenfelter adds that regardless of what kind of policies they may have in place, SMEs often don't think about what happens to BYOD devices when employees want to get a new one. "They need to ensure that corporate data is not on the old device," he says. "Usually when I'm done with these devices, I give them to my kids. I have enough common sense to wipe them before I do, though. Are you sure your employees are doing that?"
Taking a gamble
Knowing that they don't have a means of centralising control over their mobile devices (and that their employees devices are typically also their personal ones) what are the options for SMEs? In some cases, smaller businesses opt for forgoing MDM entirely, and this obviously creates a substantial attack surface. Whether or not such small companies are even on attackers' radars, however, is precisely why they're willing to take the risk. Most assume that as a small company -- that is therefore worth relatively little and isn't in possession of a wealth of valuable data -- the odds aren't high that they will be the target of an attack, and they take the gamble.
"Absolutely, there are some that say, 'The [low] risk isn't worth the investment today for us,'" says Shields. This anything-goes-type approach is what the bulk of small businesses do these days, and he said that in most cases, the company either provides a device or allows BYOD, pays the bill, and lets users go on their way.
In some cases, however, the approach of completely passing on an MDM solution isn't always acceptable to the companies' partners. Lingenfelter also says that he's heard of small companies that have opted to go with no solution at all, usually because they don't have any IT within the company and they subsequently have no infrastructure or centralised email systems. In those cases, the extremely small companies typically trust their employees equally and expect them to "do the right thing," but that sometimes isn't enough for the other companies they work with.
"We've seen some small companies come to us and say that they've gone that route [of not implementing anything]," Lingenfelter says. "But because of their partners, mainly in pharmaceuticals, they're being asked to put something in place because of the nature of the business."
That very sentiment from those outside partners -- that using absolutely no kind of solution is not acceptable -- is one that Lingenfelter also agrees with.
"If you're not doing any management, you're exposed, whether it's an attack vector or an info leak vector," he says. "For those that are concerned about the latter...they're not going to be a target. But there is plenty of software out there that the end user can install and then will leak data out." There are other concerns too, he adds, like lost devices.
""If you don't have any management over that device, how are you going to wipe it?" Lingenfelter asks. "There are options with Apple and Google to do remote wipes, but did the user set it up? If they didn't, you're out of luck."
Without any sort of management, there is also the risk of the comingling of corporate and personal data. If a device has both a user's personal and business email accounts, it's entirely possible that they may get mixed up and do something like send a business attachment from a personal email address. Regardless of the scenario, though, Lingenfelter insists that risks abound without some sort of solution.
Shields, however, doesn't believe that an MDM-less scenario is quite so doom and gloom. While he admits that there are certainly some risks, he says it often just isn't worth it to smaller companies to make the investment.
"MDM doesn't provide that much security to begin with. It's a management tool," he says. "It does give you wipe and find device features, but it's not a security technology at its core."
Like Lingenfelter, Shields concedes that malware and loss can be a concern. Likewise, he says that sensitive areas like email are at risk of being compromised without a management solution. That does not, however, spell out absolute necessity for smaller companies to implement something.
"Many of the smaller companies have to weigh those risks against getting the job done," he says. "In many cases, it's just not worth it."
Turning to alternative solutions
In the event that smaller businesses decide that they do, in fact, need some sort of solution but don't have the means to implement a traditional MDM set up, there are some alternative solutions to which they can turn. Lingenfelter says there is no shortage of small companies out there that implement some of these solutions, but they're not always satisfied.
"What we're seeing is two types of customers," says Lingenfelter. "There are the ones that have tried to do it on their own without a real managed solution --whether it's through their mail system like ActiveSync or freeware apps -- and the others are the ones that simply say, 'This mobile space is really taking off and I have no idea what I'm doing. I have no budget and no IT team.'"
But regardless of their current state, Lingenfelter explains, the common need is that they want to have some level of control and make sure that their users are handling company data responsibly like the big organisations, but on a much simpler scale.
"This is something they want to be able to set up easily and be able to add and remove devices, check log history, etc. It's, 'Let's get it set up and we don't want to have to manage it or massage it a lot,'" says Lingenfelter. "These companies have either tried it on their own or don't have the time or the resources to understand the technology.
So what are some of the alternative solutions? As Shield points out, a number of MDM vendors support cloud versions of their solutions and have SME packages with support for as many as 20 devices. "That's what I see a lot of SMEs doing today, going with their cloud version rather than trying to bring the heavy hitters in house," he says.
In other cases though, organisations jettison the concept of MDM all together and opt for using endpoint security suites from companies like Symantec or Norton. It's typically the slightly larger, mid-sized companies that tend to use secure network gateways and application reputation systems, according to Shields. The problem with this option, however, is that they don't have as strong of a user experience.
"So the users don't tend to like them as much and they bog down the system more," says Shields. "They would rather just get security on their devices."
Lingenfelter again touched on the idea of smaller organisations tying their management into an email solution like ActiveSync or Office 365 and using the MDM built into that software. But those solutions are not ideal, he says.
"It can be very complex to manage devices using ActiveSync and locking it down," says Lingenfelter.
Lingenfelter mentioned other imperfect alternative solutions, like free MDM products or only allowing employees to use Apple devices. Freeware comes up short when a company has an issue or needs to add more devices and can't get support since it's all self-service. As such, users end up having to figure things out for themselves, and that ends up being time consuming. Insisting on one type of device across the board, meanwhile, isn't preferable to some SMEs, he says, simply because the company doesn't want to force anything on to its employees.
"Even though they would like to be homogenous and single threaded because Apple has stronger security, they don't feel that they can lock their employees in," he says. "It's an option, but there are costs involved on the management side. If the company wants, they can get an Apple server to manage them, but there's a cost in overhead for that as well."
Whatever their approach may be, however, Lingenfelter insists that all companies, no matter how small, should have some sort of solution in place.
"If you're not doing anything in the MDM space, you're not secure," he says.