IT security's scariest acronym: BYOD, bring your own device

The torrent of smartphones and tablets entering companies has created some interesting challenges for security managers. The new devices introduce new operating systems, new development environments and new security risks, but no new control. The scariest acronym in security might well be "BYOD," or "bring your own device." As companies develop security and mobility strategies to deal with these devices, it is worth bearing in mind the lessons learned from managing laptops. But it is also worth applying some of the new lessons from smartphones to laptops, too!

To get a better understanding of the state of security in the mobile world, we (at Nemertes Research) asked IT executives to tell us about how they secure mobile devices and laptops. To make things interesting, we first asked about "mobile device" security and then followed up by asking about laptops. Now, you may be thinking that laptops are mobile devices and therefore we simply wasted a couple of questions asking the same thing again. It turns out that companies treat laptops very differently from the way they treat mobile devices (i.e., smartphones and tablets).


Both types of devices have some common security controls, namely device encryption (HDD and media) and VPN capability. But from there, they diverge. Smartphones and tablets are mostly protected against theft. Companies apply security controls such as "wipe and lock," GPS tracking and GPS fencing to control the data and location of the device. On laptops, meanwhile, the top security controls were anti-malware and firewalls, protecting the devices from network and application attacks.

Why the discrepancy? Companies own the laptops but users own the phones and tablets, in general. But if you look carefully at the data, even those differences do not explain the disparity in security controls. Why are there so few network and application controls on mobile devices? Why are there so few anti-theft controls on laptops? Why no "wipe and lock," GPS tracking and fencing? More and more laptops ship with GPS and 3G/4G, and more and more attacks target networked smartphones and their applications.

It is very hard to argue that the new Droid 3 or Atrix, or the iPad 2, are not "laptops" in a sense. The new MacBook Air and Chromebook are less like laptops than tablets with keyboards. As these types of devices converge, these differences are going to fade and the security controls will be equalized. In the meantime, it would be a good idea to re-evaluate the difference between security controls on different types of end-user devices and ask, "Is this difference based on valid reasons or a result of legacy thinking?" At the very least, you can add some anti-theft controls on laptops and some network and application controls on smartphones and laptops. If you keep treating these devices as "different," you may find that you are still basing your decisions on differences that are disappearing or have already disappeared.


Stories by Andreas M. Antonopoulos
