The full impact of BYOD has not really affected many security professionals but it will eventually impact all of us.
For those who still believe that personal devices will never be a part of your network, remember, never say never. Regardless if the influx of non-corporate devices have accessed the interior of your network or not, the first step is a AUP, acceptable use policy.
BYOD is a new phenomenon that should make the security society very nervous. Consider the full scope of this intrusion into our networks, BYOPMD, Bring Your Own Personal Mobile Device.
Each of these words has a significant impact on security. Start with "Your Own Personal". It's not a corporate device, the company does not own it, and more than likely its shared.
The next word, "Mobile". The industry is just becoming comfortable with securing mobile devices that are confined to the enterprise, such as scanners. As for company laptops that have access to the wild, we at least have a strategy because we can control the AV/malware, applications, and OS. That's all gone with a personal mobile device.
Lastly, "Device". The device could be a smart phone, an iPad, a Mac Book, or any number of laptops with a variety of operating systems.
If that's not enough consider this. I was reviewing a contract job when I spotted this at the very bottom of the requirements list, "Personal device required - Yes".
So now you may have a contractor or out-sourced associate doing work within your network using their own mobile device, that may or may not be managed by the security policy of the company they were hired by.
Security professionals and Security solutions are clamoring to establish some form of best practice and the subsequent enforcement of that practice, but there is no way any of us can establish a security posture if there is not a policy to follow.
The policy must include required security software, type of device supported/allowed, corporate data integrity, and consequences, and it must be supported by all levels of management. Details to come.
