Managing Mobility

Building security around BYOD

Three steps agencies should take to protect data

By Jim Rhodes


Nowadays, hiring new employees often means "hiring" their mobile device as well. Smartphones are becoming increasingly popular and most companies—especially small and mid-sized businesses—find it easier to simply allow employees to use their own device rather than provide one from the company.

As I pointed out in my April 2013 column, this situation is rife with potential problems that all come under the general heading of "security." There is the risk that a privately owned phone could be lost, stolen or hacked, exposing sensitive company data. In fact, AppRiver recently sponsored a survey of 1,000 employed adults in the U.K. that discovered only about half of them protected their phones with a password. And only 23% would be able to remotely "wipe" their data should the phone be stolen.

Our experience with companies in the U.S. suggests that those numbers hold true here as well.

The reality is that every business needs multiple layers of security to prevent data theft and keep intruders off their networks. But for those who allow employee-owned devices, the need is even greater because they don't have full control over what apps or programs their employees are using—and because workers don't have to turn the device back over to the company should employment be terminated.

That's why it's incredibly important for companies to educate their staff, develop effective security policies and, to the degree possible, enforce those policies automatically. The good news is that for the latter at least, there are some effective software programs around that can make the task much simpler.

I don't want to get into the business of endorsing one product over another (except for AppRiver's of course). Instead, let's talk about the capabilities of different types of software and apps available to help businesses—especially smaller ones—safeguard their networks.

E-mail filtering: Nearly all companies now use some form of spam and virus filtering for their e-mail, and since most smartphones simply sync to the company's e-mail servers, malicious messages should be blocked before they reach an end user or a mobile device. Even most of the popular consumer e-mail programs, often running side-by-side with business e-mail, incorporate spam and virus filtering. But no service claims to catch everything, which makes the education component so important. Just as with e-mail on their computer, employees need to know not to open any message or attachment from a source they don't trust.

Endpoint security: In 2010, the first instance of weaponized malware was recorded when the Stuxnet worm wreaked havoc on Iran's nuclear program. But the payload wasn't delivered by e-mail or over the Web. Instead, it was uploaded to a computer using a jump drive. Fast forward just three years. According to an August 2, 2013, article on businessinsider.com, researchers at Georgia Tech have developed an iPhone charger that exploits the phone's lack of security and could be used to deliver malware. Fortunately, the university publicized its findings in hopes that the smartphone manufacturers will close these dangerous security gaps. In the interim, it's smart to equip devices with software that can scan for locally delivered malware.

Data containerization/segregation: Despite the many and varied threats out there, the most common issue I deal with on a day-to-day basis is a small business owner who needs to dismiss an employee who has company information (usually e-mail) stored on his or her personal smartphone. It usually begins with a request to remotely wipe the phone. But when I point out that doing so will delete all of the phone owner's personal information (including photographs), there's often a long pause. In most cases, the company doesn't have any official policies in place and there is no practical way to ensure that the business data is deleted without the employee physically turning over his or her device.

Hindsight is a great tool for improving foresight, so most of the companies I've helped immediately implement policies to keep them from making the same mistake in the future. Some simply forbid employees to keep company data on their personal devices, but that means the company must then pay for their workers' smartphones and data plans or not require them. Others rely on written policies in an employment agreement. However, there are solutions that aren't as expensive as the former and are more effective than the latter alone.

One way is to segregate business and personal data on the phone itself. There are programs that divide the phone into what amounts to a business side and a personal side. If the employee quits or is fired, the employer can then wipe all the company information without affecting the personal data. This solution is particularly useful when the employee has company-owned proprietary apps on his or her mobile device.

If it's only company e-mail on the device, there are several programs available that can keep the messages and folders in separate "containers" so that business information can be removed easily.

It's important to point out that none of these solutions prevents employees from copying business data to their personal computers or other devices. These solutions can, however, give you peace of mind knowing that you've taken one more precaution to protect your important business data.

The bring-your-own-device trend is on the upswing as more and more people are using smartphones. At the same time, hackers and data thieves are using increasingly sophisticated tools and methods to take your money. It's more important than ever that businesses—especially small and mid-sized companies—get serious about security.

At AppRiver, we tell our customers that there is no "silver bullet" when it comes to protecting your data. The most effective defense is achieved by putting layers of security between you and the people who want your information. E-mail filtering, endpoint security and data segregation are three steps all businesses should consider at a minimum.

The author

Jim Rhodes is the supervisor of the mobile solutions team at AppRiver. The team specializes in providing ActiveSync and BlackBerry device support to a growing global-hosted Exchange customer base. He has more than 12 years of experience in the IT industry, serves on the board of directors for IT Gulf Coast, and is a regular contributor to AppRiver's company blog.

©The Rough Notes Company. No part of this publication may be reproduced, translated, stored in a database or retrieval system, or transmitted in any form by electronic, mechanical, photocopying, recording, or by other means, except as expressly permitted by the publisher. For permission contact Samuel W. Berman.