Having some way to manage the security of mobile devices is crucial for Enterprise environments. If mobile phone and tablets are provided by the organization, having a tool to manage this ‘fleet’ is just as important as the tools you use to manage your desktops.
After starting out with application provisioning and enforcing PIN numbers, mobile technology has improved to now allow us to find a device’s location or even remotely wipe it. Also these days; with the work day creeping outside of Monday to Friday 9am to 5pm, there is an increased risk that a mobile device with access to your corporate information has just gone to a movie cinema, theme park or crowded restaurant – all places where it could be easily left behind.
The Enterprise’s next challenge was BYOD. If a new employee already had their own device (now often better than the company-issued one), they weren’t going to be happy about having to carry two phones or rely solely on the ancient company phone. The tools stepped up to this challenge and BYOD support was introduced, allowing some corporate control over non-corporate devices, without wiping your personal camera roll.
If it feels like I’ve just pointed out the obvious it’s because I wanted to bring you into the world of the small business.
The smaller the organization, the greater that chance that ‘bring your own’ devices are being used to access corporate data.
The smaller the organization, the greater the chance that there is no mobile device management in place on any mobile device.
I’m not a great fan of quoting surveys but the numbers I’m finding that there are something like 80%+ SMBs using mobiles devices, and somewhere between 37% – 49% having MDM in place. I’d say those numbers are generous – a quick chat with my peers would suggest the first number is much higher and the second number is much much lower. So for SMBs, MDM is not such an obvious, critical thing, even with such easy access to corporate data and apps (often enabled by The Cloud).
So what gets in the way?
Licensing Costs – In the Enterprise, MDM can be an add-on capability provided by an existing toolset. When you are talking thousands of devices, the per device price is very competitive. The IT department often doesn’t even see these licensing cost conversations, as they are bundled into Enterprise agreements or signed off between the procurement department, the CFO and the CIO. This all changes in the small business, because the CEO/Owner knows their cash flow, gross income, and expenditure intimately. For every dollar that IT wants to spend, they have to convince the CEO that it’s worth it, and the CEO has a lot of competing priorities for every dollar earnt. Add to that the difficulty in finding SMB friendly pricing structures for say anything under 250 or even 100 seats. While MDM solutions are quick to break down a ‘per device per month’ price, they often haven’t embraced a subscription model, so you can still take a cash flow hit of paying the annual cost for all of your devices up front.
Operational Costs – SMBs often sacrifice IT support capabilities because of the cost of hiring and retaining IT staff. Introducing MDM means upskilling IT employees, adding more support calls to their queue and introducing another toolset that has to be managed. When you are already running lean, it might seem like just another thing to do, when your organization has happily existed without it in the past. And if you outsource your IT support, who wants to add more work for their consultants to charge for?
Lack of comprehensive security strategy – Putting aside the cost argument, this is really what it comes down to. Any security consultant will successfully argue that a proactive MDM strategy is more cost effective than a reactive data breach clean-up. But small businesses tend to overly trust their employees and view extra security measures as unnecessary and intrusive. How many shared passwords and generic user accounts exist in SMB land? Complex passwords and 30 day change periods are just a hassle. They also underestimate themselves as a target. Why would someone be interested in the customer details of a family-owned widget business? Without a security-conscious CEO, most SMBs lack a comprehensive IT security strategy that analyses and mitigates risk across their technology footprint.
What should the SMB do?
If you provide MDM solutions, addressing the cost concerns will go a long way to gaining you favour in the SMB market. Easing the pain of adoption and ongoing system management will win you votes from the already-stressed IT team. But convincing the CEO that the cost benefit analysis does stack up? That’s a bigger challenge. Right now most security providers address that objection with real-world horror stories and statistics and they still don’t always win.
The sad truth is, for a large percentage of the SMB market, adoption of an MDM solution will continue to be a reactive action after a data breach. It’s a tough culture to change, especially if you come from a world where you wouldn’t think twice about securing employee mobile devices.