IT security's scariest acronym: BYOD, bring your own device

The torrent of smartphones and tablets entering companies has created some interesting challenges for security managers. The new devices introduce new operating systems, new development environments and new security risks, but no new control. The scariest acronym in security might well be "BYOD," or "bring your own device." As companies develop security and mobility strategies to deal with these devices, it is worth bearing in mind the lessons learned from managing laptops. But it is also worth applying some of the new lessons from smartphones to laptops, too!

To get a better understanding of the state of security in the mobile world, we (at Nemertes Research) asked IT executives to tell us about how they secure mobile devices and laptops. To make things interesting, we first asked about "mobile device" security and then followed up by asking about laptops. Now, you may be thinking that laptops are mobile devices and therefore we simply wasted a couple of questions asking the same thing again. It turns out that companies treat laptops very differently from the way they treat mobile devices (i.e., smartphones and tablets).

Both types of devices have some common security controls, namely device encryption (HDD and media) and VPN capability. But from there, they diverge. Smartphones and tablets are mostly protected against theft. Companies apply security controls such as "wipe and lock," GPS tracking and GPS fencing to control the data and location of the device. On laptops, meanwhile, the top security controls were anti-malware and firewalls, protecting the devices from network and application attacks.

Why the discrepancy? Companies own the laptops but users own the phones and tablets, in general. But if you look carefully at the data, even those differences do not explain the disparity in security controls. Why are there so few network and application controls on mobile devices? Why are there so few anti-theft controls on laptops? Why no "wipe and lock," GPS tracking and fencing? More and more laptops ship with GPS and 3G/4G, and more and more attacks target networked smartphones and their applications.

It is very hard to argue that the new Droid 3 or Atrix, or the iPad 2, are not "laptops" in a sense. The new MacBook Air and Chromebook are less like laptops than like tablets with keyboards. As these types of devices converge, these differences are going to fade and the security controls will be equalized. In the meantime, it would be a good idea to re-evaluate the difference between security controls on different types of end-user devices and ask, "Is this difference based on valid reasons or a result of legacy thinking?" At the very least, you can add some anti-theft controls on laptops and some network and application controls on smartphones and laptops. If you keep treating these devices as "different," you may find that you are still basing your decisions on differences that are disappearing or have already disappeared.

Stories by Andreas M. Antonopoulos
