The torrent of smartphones and tablets entering companies has created some interesting challenges for security managers. The new devices introduce new operating systems, new development environments and new security risks, but no new control. The scariest acronym in security might well be “BYOD,” or “bring your own device.” As companies develop security and mobility strategies to deal with these devices, it is worth bearing in mind the lessons learned from managing laptops. But it is also worth applying some of the new lessons from smartphones on the laptops, too!
To get a better understanding of the state of security in the mobile world, we (at Nemertes Research) asked IT executives to tell us about how they secure mobile devices and laptops. To make things interesting, we first asked about “mobile device” security and then followed up by asking about laptops. Now, you may be thinking that laptops are mobile devices and therefore we simply wasted a couple of questions asking the same thing again. Turns out that companies treat laptops very differently than the way they treat mobile devices (i.e. smartphones and tablets).
Both types of devices have some common security controls, namely device encryption (HDD and media) and VPN capability. But from there, they diverge. Smartphones and tablets are mostly protected against theft. Companies apply security controls such as “wipe and lock,” GPS tracking and GPS fencing to control the data and location of the device. On laptops, meanwhile, the top security controls were anti-malware and firewalls, protecting the devices from network and application attacks.
Why the discrepancy? Companies own the laptops but users own the phones and tablets, in general. But if you look carefully at the data, even those differences do not explain the disparity in security controls. Why are there so few network and application controls on mobile devices? Why are there so few anti-theft controls on laptops? Why no “wipe and lock,” GPS tracking and fencing? More and more laptops ship with GPS and 3G/4G, and more and more attacks target networked smartphones and their applications.
It is very hard to argue that the new Droid 3 or Atrix, or the iPad 2, are not “laptops” in a sense. The new MacBook Air and Chromebook are less like laptops than tablets with keyboards. As these types of devices converge, these differences are going to fade and the security controls will be equalized. In the meantime, it would be a good idea to re-evaluate the difference between security controls on different types of end-user devices and ask, “Is this difference based on valid reasons or a result of legacy thinking?” At the very least, you can add some anti-theft controls on laptops and some network and application controls on smartphones and laptops. If you keep treating these devices as “different” you may find that you are still basing your decisions on differences that are disappearing or have already disappeared.
