Techaisle Blog

Techaisle’s recently completely study US SMB Mobility Solutions Adoption Trends shows that SMBs are more optimistic than they ought to be about their current mobility security profiles, but even so, less than 20% of US SMBs believe that they are “fully prepared” today. Like manageability, security is an important constraint on mobility adoption within the SMB market. Suppliers need to help SMB clients to establish frameworks that protect against both external and employee threats to information security.

In many ways, it is difficult or impossible to isolate security as an issue in mobility. Security is intrinsic to the devices, applications and solutions used by SMB firms that have adopted mobility, and security is an essential factor in supporting the mobile workforce. Techaisle wants to highlight two findings from the US SMB 2015 mobility survey that are specific to security, and which are important to understanding and supporting the SMB mobility market.

Current mobility security posture within SMBs
The first of these data points concerns the current mobility security posture within US SMBs. As the data shows, SMBs are cognizant of the challenges associated with securing mobility-dependent workspaces and work patterns. Fully 45% believe that they are “as prepared as we can be,” but acknowledge that “requirements will change.” Nearly 20% state that they are “partially prepared” but have “known gaps and shortfalls,” and other 5% confess to being “not very well prepared.” In reality, it is likely that “partially prepared” describes a much greater swath of the SMB market than these figures suggest: requirements do indeed change continuously, and even firms that are confident that they are “fully prepared” (19%) may find that the threat landscape is more extensive and pernicious than they had imagined. Techaisle is aware that it is hard for suppliers to persuade potential customers that they “ought to want to” be more proactive with security – but with increasing frequency and severity of breaches and attacks, and the exposure that mobility’s flexible perimeter incurs, it is important for suppliers to position their solutions against the reality of the threat landscape rather than the SMB perception of exposure and preparedness.

SMB perception of mobile threat sources: the enemy is inside the tent
Second data point has to do with mobile threat sources. Techaisle survey data shows that the enemy is inside the tent. During the course of the Techaisle SMB 2015 survey, respondents were asked “When it comes to security risk in the mobile computing context, which of the following represents a source of exposure or uncertainty within your organization?” To a (surprisingly) high degree, SMB concerns with mobility security revolve around users. SMB IT respondents ranked three user-attributable issues – user neglect/irresponsibility, lack of user knowledge and awareness, and user mishap/thoughtlessness – amongst their top four concerns, trailing only “general malware infection” as a mobility security threat.

Techaisle’s recently completed study on SMB IT Decision Making Authority: ITDM vs. BDM, examining the balance in SMB IT decision making authority between IT decision makers (ITDMs) and business decision makers (BDMs)  shows that BDMs are becoming increasingly involved in SMB cloud and security management processes. In 76 percent of SMBs BDMs have active roles in cloud security and in a whopping 87 percent of SMBs they are active in mobility security management.

Techaisle’s SMB IT Decision Making Authority: ITDM vs. BDM report provides data to substantiate a common theme: business management is taking a more active role in IT acquisition, deployment and management. This is especially true in cloud and mobility as BDMs are able to directly procure systems that support their business needs (such as CRM systems used by sales management) – avoiding IT’s processes and timeframe for deployment, and in some cases, avoiding input from IT altogether.

When we speak to ITDMs or IT suppliers who work with IT managers we are often exposed to the counter-argument against this newfound BDM freedom: that without effective IT oversight, cloud systems can become disconnected from the corporate IT infrastructure, creating silos of data, and potentially, security, audit, compliance and privacy risks.

To obtain insight into this issue, Techaisle asked survey respondents to identify who (by area of responsibility) has primary responsibility in each of 10 cloud security areas and 12 mobility security areas. Looking across both groups, we see at a glance that in both the small and mid-sized businesses business management is viewed as a source of access policy but the management of the security process is largely the preserve of IT.

Comparing Cloud and Mobility Security Management

The study shows that there are three key players in managing cloud and mobility security within SMB organizations – Business Management, IT Management and Service Providers. Business management involvement is higher than IT management in mobility security, 87 percent vs. 68 percent. Drilling down into the data we find that SMB BDMs take an active role in five out of twelve mobility security areas and have primary responsibility in seven security areas.

On the other hand, SMB BDM involvement in cloud security management is 76 percent which is almost same as ITDM at 78 percent. But unlike mobility security management, BDMs are actively involved in three cloud security areas and have primary responsibility in only one security area.

Within the mid-market businesses, IT management has a higher percent of involvement than business management for both mobility and cloud security administration. ITDMs actively participate in five of twelve mobility security areas and five of ten cloud security areas.

The above data does not imply that BDMs and ITDMs are not involved in all security management areas; in fact, they are but the roles and responsibilities shuttle between the two principle SMB custodians.

Comparing Small and Mid-market Businesses for Cloud security management

Drilling down into the cloud security management process only, the data reveals that BDMs are responsible for setting access policy in over 60 percent of cases – but all other steps in the process are primarily the responsibility of IT but with involvement from BDMs, from user authentication to ensuring consistency with audit, regulatory and compliance requirements and to ensuring that backup is regular, effective and testing.

When we turn our attention to the mid-market businesses, the first finding that leaps out at us is the more prominent role played by business management. In nine of the ten cloud security activities covered in the survey, medium business respondents report more non-IT management involvement than their small business peers – and in one step in the cloud security process (ensuring consistency with audit, regulatory and compliance requirements) medium business BDMs have similar level of responsibility as ITDMs.

Role of Service Provider in Securing SMB Cloud and Mobility solution deployments

Survey data presents a very interesting dichotomy about the role of service providers in securing SMB cloud and mobility solution deployments. Service providers are involved in 47 percent of SMBs for cloud security which is 35 percent higher than their involvement in mobility security. But for mid-market businesses they are 50 percent more involved in mobility security than cloud security. Out of the twelve areas, key roles played by service providers for mobility security are “Authenticating user identities” and “Deploying and updating malware and other security technologies on corporate-owned endpoint devices”. Within the ten different cloud security areas, service providers are most involved in “Safeguarding against unauthorized access” and “Authenticating user identities”.

It is interesting to note that both small and mid-sized businesses rely on cloud suppliers through the security process – interesting primarily because (as the saying goes) “you can’t outsource responsibility”. SMBs are free to rely on cloud suppliers for assistance through the cloud security process, but if/where there are breaches or other issues, the responsibility still rests with the business, not with the supplier. Techaisle believes that the proportion of SMBs –both small and medium businesses – who report that their cloud suppliers have responsibility for one or more cloud security activities should take a closer look at whether and how they might separate responsibility (which is a management requirement) from delivery (which may well be best outsourced to a cloud vendor). Here again, SMBs require guidance from security specialists to align practices with requirements.

Details about the report can be found here

Related research:

2014 SMB & Mid-Market Cloud Computing Adoption Trends

2014 SMB & Mid-Market Mobility Solutions Adoption & Trends

A common SMB usage scenario

An IT administrator of a small business gets a call from an employee saying that he lost his iPad with customer billing info, specs of recent architecture drawing; corporate emails and he did not even have a lock in the iPad. What can the IT Administrator do? This is where Codeproof comes into picture. With Codeproof, the IT Administrator could have remotely located the iPad, locked it and even remotely erased the iPad thereby preventing any data-theft.

A common barrier to Mobility Adoption within SMBs

The need for device and data security for mobile devices is an important deterrent in mobility adoption, especially as consumer and business apps converge onto the same devices. Nevertheless mobility is here to stay but going down the route of mobility is also fraught with unexpected surprises – most important being accidental loss of device with company data, employee walking off with device or malware creating havoc with the device.  Many surveys conducted by Techaisle reveal that SMBs worry about these issues a lot but fail to protect themselves adequately. For example, 69 percent of SMB IT Decision makers in the US are concerned about accidental loss of devices containing sensitive data. And nearly 1/3rd of these decision makers are also concerned about inability to manage device configurations so that they comply with company policies. To top it all, there is the issue of managing employee devices that businesses did not buy.

Techaisle survey of 9,500 SMBs across different geographies show that accidental loss of device followed by imminent danger of mobile viruses are the top concerns of SMBs while using mobile applications. This also clearly demonstrates the need for remote mobile device management, authentication, and remote erasure of data.

 

The above data clearly demonstrates the need for remote management, authentication, and remote erasure of data on mobile devices. Data no longer resides on tethered devices such as desktops but is spread across multiple devices that “move”. SMBs need to plan for it to make mobility an enjoyable and productive experience.

Codeproof is a simple to use, Cloud-based, SaaS, Freemium model MDM

In four easy steps Codeproof MDM is up and running on iOS and Android devices. A Seattle-based company, Codeproof offers an integrated BYOD security and mobile device management platform specially targeted at small and medium businesses. Some of its main mobile security features are App-white listing, Malware protection and Mobile policy management. It is built on Amazon EC2 elastic cloud for scalability, anytime, anywhere access.

An admin can enroll all mobile devices to Codeproof by installing and enrolling Codeproof App on the device. As the devices get enrolled via the mobile Copdeproof app, the devices automatically appear in Codeproof Cloud console tree. The admin can now remotely manage all devices from Cloud console. When an employee leaves the company, the admin just deletes the corresponding employee MDM profiles (WiFi profiles, Email Profiles, etc.) thus disabling the devices from accessing any type of corporate data.

Codeproof is free for 2 devices and is priced at only 29.99$ per device per year. It is worth a try.

Symnatec just announced its Endpoint Protection Small Business Edition 2013 which effectively moves Symantec's flagship security solution for SMBs to the cloud. The solution has an on-premise solution as well giving SMBs the flexibility to start with an on-premise solution or use directly a cloud-based solution with no additional hardware requirements and no special IT staff or training needed.

Techaisle Take
In the SMB space, the trend is definitely moving to the cloud, with SMBs reporting growth in the average number of cloud applications rising from 2 in 2010, to 4.3 last year and expected to hit over 7 this year. Symantec has seen flat revenue in a growing market and needs to take advantage of this trend in cloud services. Security is among the most widely deployed cloud application (~60% of Cloud Users).  Symantec has a very broad portfolio of products and despite a management shakeup and unwanted attention from hactivists; they have been able to maintain stability over the past few years. Having said that, there is always some uncertainty when migrating from one architecture to the next; it will be very important to maintain a solid opportunity for channel partners and they will have to execute well as they make this move.

Symantec needs to ensure that their channel partners are well trained in the difference between between the 2013 cloud edition and the 12.1 on-premise version to avoid any SMB marketplace confusion. Symantec also needs to make sure that their marketing campaigns present the choice of offers as a benefit rather than a hard decision; there are benefits to both cloud and on-premises versions depending on the SMB customer need. We have found that there is a gap in demand from channel partners for cloud security services based on what they are hearing from their SMB customers – Vertical Applications, Security and Storage and Backup solutions top the list of requested applications.

All software companies are wrestling with or implementing cloud services strategies. After Cloud Security, which is a strategic imperative for Symantec, the largest opportunities within Cloud Infrastructure are in Remote Storage & Backup services, unless they step far outside their core business. SMBs recently reported that although their business priorities have remained fairly constant, 77% want vendors to reduce complexity in IT so they can focus on business and customers. It seems Symantec wants to enable that by offering both (all) their services through a common interface which is delivered through the channel and allows remote management of both On-Premises installed base and Cloud versions. If they can do this successfully, it should be a win for both small businesses and channel partners.  Even so, the devil is in the detail, and if they fail to bring both of these to the market successfully they risk losing credibility in their core security market.

Anurag Agrawal