back to article Spoiling staff with toys could turn against your business

Many companies put staff engagement high on the agenda: they reason that if you keep staff happy they are likely to be productive and stick with you through difficult times as well as when it is all going swimmingly. It is a perfectly sensible thing to do – so long as you involve the IT department in the process. My first IT …

  1. gv

    Really?

    "it is hard to monitor users as they drag your corporate secrets to their laptops"

    Restricting network access or making the user jump through numerous VPN/login/RDP hoops isn't really going to prevent this. If your corporate "secrets" are worth protecting, then physical access control and body searches are the only solution.

  2. Greg D

    Disagree with blocking email on personal phones

    Clearly never heard of remote wipe on ActiveSync devices?

    Our ActiveSync policy allows users to sync to their personal mobes, But crucially the policy is set so that it forces the user to lock the device with a PIN (won't let them sync without this) and allows us to initiate a remote wipe from our Exchange console, should we need to (e.g. dispensing P45's for whatever reason).

    To say you can't do it, or shouldn't do it, is completely missing out an entire range of applications. You should know this at el Reg :)

    1. Anonymous Blowhard

      Re: Disagree with blocking email on personal phones

      I agree with Greg D, most corporate email systems support remote wiping; my company used to use Exchange/ActiveSync (you had to allow the ActiveSync permissions before you could use email) but now we've moved to Google Apps which also supports remote wiping:

      https://support.google.com/a/answer/173390?hl=en

      1. Anonymous Coward
        Anonymous Coward

        Re: Disagree with blocking email on personal phones

        If you use Google Apps and POP3/IMAP is enabled, then people can sync stuff to their local E-mail client, and it won't honour a remote wipe.

        If you don't, then at worst people can screen-scrape the web interface. I remember an old proxy for Yahoo! mail which used to do this, because Yahoo! didn't provide a POP3/IMAP interface at the time.

        If people actively want to steal company secrets, they can do so easily: for example they can just POST files to a HTTPS server they control outside. That's not counting the obvious things like carrying home USB sticks and printouts in your briefcase.

        Those things are all very difficult to avoid, and you can't avoid trusting your staff to some degree. What you can do however is use these mechanisms to minimise the impact of *accidental* data loss (e.g. stolen laptop); to *monitor* activity and look for suspicious patterns; and to have *accountability* and traceability.

    2. Velv
      FAIL

      Re: Disagree with blocking email on personal phones

      1. Go into your corporate mail in your Native device mailbox

      2. Look at confidential email

      3. Select option "Save to Dropbox" or one of many other native options

      Bye bye confidential data with no traceability whatsoever.

      If the mail isn't sandboxed you've just lost all semblance of data leakage prevention.

  3. Anonymous Coward
    Anonymous Coward

    "Define a standard, evolve it as infrequently as you can, and enforce it. At the very most have a basic laptop, a power-user laptop and a standard desktop. There is no conceivable need to let users have the machines of their choice."

    All when an good except for the exec team who will always go any buy shiny, it used to be Sony Vaio's now its Apple laptops, they often come back from trips abroad with something they have picked up 'cos the old (6 month old) laptop was broken'

    So no UK warranty, probably no chance of nicely upgrading the tiny default SSD without a lot of hasle (Sony I am looking at you). It will have no AV on it yet they will have plugged it into every hotel, airport and company that they have visited

    Plus you are never allowed to gainsay the execs, just have to clean up the disasters they cause

    :(

    1. Yugguy

      Execs and fecking NONE-EXECUTIVE DIRECTORS who seem to think the entirity of the company's IT staff exist purely to fix their shit at the drop of a hat.

  4. 27escape
    FAIL

    Linux root user

    Most current linux distros request to create a normal user during boot, you do not get to set a root password, but your normal user gets sudo rights, so you can change the root password for console logins

    Oh and ssh access by root is also normally disabled

    1. Tom Chiverton 1

      Re: Linux root user

      Exactly. Maybe the author hasn't used a Linux install from the last ten years or so ?

      1. K

        Re: Linux root user

        2-3 years ago we swapped to Ubuntu for this very reason, but at the time most RPM based distro's asked for a root password to be set - yes it allowed an normal user to be configured, but I still see this as encouraging usage of root. Not sure if this has changed as I've pretty much stuck with Ubuntu and Debian.

  5. Buzzword

    What are we trying to prevent?

    I'd like to see some real-world cases where an ex-employee used old company emails stored on his personal phone / laptop / Hotmail account to somehow gain an unfair advantage which he couldn't have gained if the article's guidelines had been followed.

    1. Greg D

      Re: What are we trying to prevent?

      Another very good point. If you have put enough trust in a person to employ them, then what exactly are you preventing by making data hard to take off site, or transfer to non-company equipment?

      There are obvious use cases where that will be a requirement, like GCHQ, or the FBI. Even the Police force need to be very careful.

      But for us day to day enterprise level peons, the risk simply doesn't exist. You don't need military grade IT security policies to run, say, a construction firm.

      In any case, I don't even think it's possible to truly prevent if someone really wanted to do it. You can put deterrents in, but that aint gonna stop someone on a mission.

      From experience, BYOD generally provides most (if not all) headaches in the form of hardware and software compatibility with existing enterprise systems, and of course. the well known woeful reliability and build quality on consumer grade tat.

      1. Mark 85

        Re: What are we trying to prevent?

        Exactly. If they want it bad enough, they will take it. If not on some phone/laptop, email forwarding, etc. then the old-fashioned way... print it out and tuck it in the briefcase.

        I worked at one place that checked briefcases at the door. One enterprising lad, stuff envelopes with what he wanted and addressed them to a PO Box. He then dropped them into the corporate mail system. Sometimes he put the postage, other times, the company automatically did. He was caught when an envelope accidentally came open in the mailroom.

      2. Triggerfish

        Re: What are we trying to prevent?

        Sales staff with customer contacts/ sales info seems to be a big worry in some places I have worked.

        One job I started at after working for a business rival a few years earlier I was asked by the CEO if I had access to their sales/ accounts database, or if i could hack into it.

        1. Greg D

          Re: What are we trying to prevent?

          That whole attitude with customer contacts is utterly flawed. It's ludicrous to think sales staff won't have a copy of at least some of their contacts in that classic storage medium - the brain.

          Sales team boss: "Oh I see you've handed in your notice. Could you pop by the neuraliser on your way out so you forget everything you did here? Thanks"

          1. Triggerfish

            Re: What are we trying to prevent?

            I know, Sales info, pen, paper job done.

            I think some bosses genuinely think because they say its a paperless offce it actually is one. I worked in a place were they refused to buy post it notes because of this, everyone just bought their own.

  6. K

    Agreed the articles has some holes...

    But overall, its nice to see an article without the pandering to the BYoD crowd..

    Power to the BoFH's!!

  7. Anonymous Coward
    Anonymous Coward

    If you dislike change, you're going to dislike irrelevance even more

    Like it or not, traditional IT is under existential threat. Some won't manage the change to a service provider model and then wonder why their functions get outsourced.

    Yes there are realms of stories of end users screwing things up and IT having to clean up. I've dealt with more than a few over the years. That isn't a guarantee of job security nor a good reason for IT existing.

    IT serves the business as much as any other function, end users will always make poor choices, but ultimately they are the business, they understand their needs to work effectively and IT should facilitate those needs, not dictate a model that suits it.

    Getting data in to your company is the growing problem.

    End users increasingly have a choice of alternative service providers and shadow IT is growing. Perhaps things will swing back in house over time, but right now things are going the other way.

    1. Peter Gathercole Silver badge

      Re: If you dislike change, you're going to dislike irrelevance even more @AC

      That's all well and good until one of the "poor choices" land the company with some regulatory failure, loss of data, successful hacking event or in extreme cases, inability to function after an unforeseen event (like a disaster).

      Even if a company goes down the route of alternative service provider, it is essential that they keep some IT expertise, even if it is only at an architectural level, otherwise the remaining managers who get to chose whether to switch to another alternative supplier (in the case of dissatisfaction with the first one they choose) either run the risk of being bamboozled by whatever marketeers they speak with, or end up having to pay for external consultants, who may (because of self interest) not recommend what the company actually needs!

      I agree that IT departments are an endangered species, and not because they do anything wrong, but because they're not saying what the non-technical managers think they should be hearing. Too often, influential managers in companies are more prepared to listen to the salespeople trying to sell snake-oil rather than their own IT people.

      It's worrying.

      1. gv

        Re: If you dislike change, you're going to dislike irrelevance even more @AC

        "That's all well and good until one of the "poor choices" land the company with some regulatory failure, loss of data, successful hacking event or in extreme cases, inability to function after an unforeseen event (like a disaster)."

        There's no guarantee that having all those stringent procedures, policies and equipment in place will prevent any of those things happening. In fact, if you have one of these mandated IT monocultures, one rogue virus may tick all of those boxes.

        1. Peter Gathercole Silver badge

          Re: If you dislike change, you're going to dislike irrelevance even more @gv

          That's true, policies do not protect you from these things by themselves. Good people who you know and trust who apply sane access control policies can.

          But if things go wrong, at least you can knock heads together, and if necessary sack people if you employ them, rather than having to have to claim against a contract that will probably end up in an expensive court case before it offers any redress.

          If you go down a managed service route, then your protection is only as good as the people who your service provider employ, and you have no control over that.

      2. James 100

        Re: If you dislike change, you're going to dislike irrelevance even more @AC

        "if a company goes down the route of alternative service provider, it is essential that they keep some IT expertise"

        Yes, that's vital and easy to miss - of course, those experts need to be able to communicate the issues properly, and meet the users' needs rather than their own. Consultants/salesdrones can easily push a solution that meets their own needs rather than the users' - whether they're external suppliers pushing a product, or internal ones with an agenda.

        Do those "standard laptops" actually do the job adequately? Especially when they're a year or two old, but being pushed by the IT management because they're less effort to support than more modern kit? Does that configuration actually suit the sales reps, the graphics people and the software developers? When the users have different needs, you need to accept that a single answer probably won't fit: either you're short-changing the developers with some ultra-portable that can only handle email and PowerPoint, or wasting money and weighing the salesdrones down with overpowered machines for their needs.

        "I agree that IT departments are an endangered species, and not because they do anything wrong, but because they're not saying what the non-technical managers think they should be hearing. Too often, influential managers in companies are more prepared to listen to the salespeople trying to sell snake-oil rather than their own IT people."

        Agreed, in part - but perhaps it's not just because those managers want to hear the wrong thing. Look at this article: full of what the author wants and what suits his needs. Yes, giving everyone the same laptop makes his life easier - but does it suit the users? Maybe their needs would actually be better met by greater flexibility. (Particularly in a software company, of course: there are quite a few obscure bugs I've been able to investigate much more easily by having varied hardware and platforms. Yes, it makes support very slightly harder - but of course we need to support external users on different configurations anyway!)

        Remote-wipe can be handy too, when a device or its user goes AWOL - but what happens when your Exchange admin goes rogue or gets fired, or the server itself gets compromised? A whole lot of extra collateral damage that way. Has the author never had a server compromised, or a sysadmin go rogue to some extent? (10 years on, do you *really* know who all those Domain Admin members are and why they're there? All those privileged scripts doing who-knows-what? A colleague's been looking at all that lately ... it really isn't simple, in a large setup.)

        1. K

          Re: If you dislike change, you're going to dislike irrelevance even more @AC

          @James

          Companies end up in this situation not because its what the IT team, but because the company will not cover the cost to manage all the various equipment. Its easy to bash the the IT team and lay blame at their door, but they have to work with the tools they are given.

          Likewise, IT teams should deliver what the business needs, not what what the Users deem they need.

          For example, I currently have 2 users screaming they want Mac's. I'd personally love to provide them some, but every tool they need is available on Windows which the company is already licensed for, additionally Mac's introduce new complexities for support, security and licensing all which come at a cost - so this is a business decision.

    2. Greg D

      Re: If you dislike change, you're going to dislike irrelevance even more

      This entire point is a pipe dream that the BYOD pushers want you to buy into.

      Fact is, work is HELL in a BYOD environment. Ok I agree with some of your points - e.g. the employees effectively make the money, but you can't pander to all their whims. Most of the time, they are bollocks anyway. Companies need a stable and common infrastructure to allow efficient support and day-to-day running.

      If some employees can't work with that, they need to adjust, rather than push for filling up the entire fleet with home bought crap.

      1. gv

        Re: If you dislike change, you're going to dislike irrelevance even more

        Having a stable and common infrastructure is exactly what leads to Windows XP and IE6 still being widely used for a long time after they should have been buried.

        Using open standards for data formats and exchange would be a better goal.

        1. sabroni Silver badge

          Re: Having a stable and common infrastructure is exactly what leads to Windows XP and IE6 ...

          ...still being widely used for a long time after they should have been buried.

          I disagree. There's plenty of Windows XP and IE6 installs that are nothing to do with a stable and common infrastructure. Laziness, penny pinching and a disregard for the value of IT (and the opinions of IT professionals) are much more common reasons.

          I'd say that "a stable and common infrastructure" and "open standards for data formats and exchange" go very well together.

        2. Greg D

          Re: If you dislike change, you're going to dislike irrelevance even more

          As someone else already pointed out, this is mostly laziness and penny pinching.

          Or legacy applications that no longer have any development behind it, that a company relies upon. Again, that should be phased out before it gets to that state. Mostly due to cost saving or inability to afford a new solution to replace the legacy crap.

          Throwing home devices into the mix is going to do precisely NOTHING to resolve that situation. Ever.

          In fact, it will make it way worse. And already is in many cases where BYOD is taking over.

    3. K

      Re: If you dislike change, you're going to dislike irrelevance even more

      @AC - "Perhaps things will swing back in house over time"

      Your way behind the trend, this has already started happening for core business applications and servers. For the short-to-medium term the only increase in cloud I foresee is back up and DR.

  8. rcp27

    Don't treat users like children

    I understand the need to prevent people from connecting insecure hardware to the network to keep unwanted malware out, but blocking users from access to company information over concerns about what they might do with it seems to me to be counterproductive.

    In my work email, I only have access to information that I can get at in other ways as part of my routine job. Either the company trusts me to handle that data as part of my job or they don't. If I'm not trusted, I wouldn't be doing the job. If I'm trusted to handle sensitive data in every aspect of my job except for some obstructivist IT policy, the effect of that is not going to be to make me treat data security seriously, it is simply to make me feel contempt for IT.

    1. sabroni Silver badge
      Happy

      Re: Don't treat users like children

      Yes, very good son. Go and show your mother, I'm busy.

    2. Velv
      FAIL

      Re: Don't treat users like children

      Good security should NOT be as strong as the weakest link. Good security relies on multiple layers of protection so that if one layer fails there's backup layers that should prevent a major problem.

      People fuck up. You may be trusted to handle the most sensitive data in the world, but there are numerous examples where someone has accidentally emailed daat to the wrong person, or any number of other leak vectors "put the wrong rule on the firewall, published to the public website instead of the internal website".

      Then there's Snowdon. He was trusted having passed what is arguably the best security screening in the world (clearly it isn't). He got lots of data out.

      So saying "I'm trusted so you don't need to do anything else" is clearly just stupid.

    3. Greg D

      Re: Don't treat users like children

      Again, form my perspective (a lowly enterprise systems & network engineer), security is not the problem. My earlier posts hint at that.

      The problem is support and standardisation. I'm not even going into it any deeper than that, the problems are numerous, and one would think, obvious.

  9. Tromos

    There is another good reason for having a variety of computers in the business. If one of the products is a software package, it may help to know that it runs on more than just the one model dictated by the powers that be.

    1. Greg D

      Thats actually a really bad reason. Why would a company IT dept be interested in that? Microsoft maybe, but not typically data anyone needs.

  10. The other JJ

    One of the better articles on BYOD

    Good to see an article from IT's point of view. There were (at least) two points it barely touched on:

    1. IT policy as part of the employment contract, particularly "Thou shalt not use your company email address for personal use" so they don't demand access after leaving so they can see their Ebay history (yep, happened).

    2. And the corollary, "Thou shalt not use your personal mobile number, email address or Skype ID for company business". A client told me for years that they didn't see this as a problem until their sales director left for a rival, and they realised that HR had let him take his mobile number with him and his Skype ID was on his business cards, so prospects would be calling him direct rather than the client.

    We've found people using personal email because they couldn't configure the company one on a new phone or wouldn't agree to allow remote wipe. We routinely run a script to find external mail forwards and then search mail logs to see if they've got other staff mailing them at that address - and take it to HR to deal with.

    1. gv

      Re: One of the better articles on BYOD

      Maybe they should have employed a minder for the sales bod to follow him around and ensure that he didn't verbally give his Skype ID or write it down for the customer, or give the customer a personal phone number, or his FaceBook details, or LinkedIn profile.

      Of course then you'd also need to employ a minder for the minder to ensure that the first minder is doing their job...

  11. Yugguy

    Your company cares for you

    Up until the moment it no longer needs you. Then it will flush you down the toilet.

    It's not personal, it's just business.

    I work hard for whatever company I'm at because a) I prefer to be busy and b) it keeps my manager happy so they leave me alone. In return currently they pay me well and give me perks.

    I have no misconceptions that were I no longer needed I'd be out of the door.

  12. Joe Harrison

    bash the users

    I have every respect for IT support, the fine work we do, and the difficult conditions under which sometimes we do it. Having said that I feel that here some control freakery is barely being concealed. The article has a lot of good stuff but the writing style makes the author sound like a bit of a net nazi.

    1. Peter Gathercole Silver badge

      Re: bash the users @Joe

      But the flip side of this is that some of the things asked for in a business suggest that the person asking is unable to make sensible choices because of lack of knowledge.

      The problem here is that IT don't always appear to understand business, and the Business doesn't understand what is necessary to operate IT safely and securely. That used to be the reason why they set up an IT department in the first place.

      It's a balance, but at the moment, IMHO, it's skewed too far to the Business.

  13. MonkeyCee

    Management issue

    Some good points, of course the usual issue with any of these suggestions. Management has to be onside, and enforcing these policies, since they almost always "get in the way" of the actual work people are trying to do.

    My personal favorite is determining what level access the service/help desk bods have. If you want issues fixed by first level techs, then they need very high security access. Take that away and make them call loggers will result in better security, but shittier users, since you can't just get a file restored over the phone. Or when the sysadmin team who usually deal with 10-30 jobs per day are now required to do (for securitah!) various tasks the helldesk used to do, suddenly can't cope with 200+ calls logges per day.

    For most organisations, you can call up, tell them you've come back from holiday, and can't recall your username ("It's usually already entered, but Bob's been using my computer") and could they reset your password too, and they'll just do it without batting an eyelid.

    Very important is to check that how the system was designed is actually how it works. A number of times I've been told "but Bob doesn't have remote access" or "Bob isn't in the AD group for remote access" but since Bob is quite happily working away remotely (and has been for months) then there clearly is some difference between what is documented for remote working and the practise.

    As for the HR forms for new staff.... Christ almighty. HR manage to fuck up more details than I can recall. Mainly spelling of names, mixing up surnames and first names, incorrect starting finishing dates, failing to record extensions of contracts, incorrect assignments of responsibilities, lack of signoff for security access. Most seem unable to deal with their actual jobs, managing to be ignorant of contract and employment law, and unable to revise contracts to resemble reality. Funniest was when my contract specified working hours (between 8am and 6pm Monday to Friday) for a role where I only worked 6pm to 12am plus weekends. I asked them to revise it five times, getting a "new" contract each time that was _exactly_ the same as the previous one. No matter how I spelled it out, I was classified as a service desk bod, and thus must only have the SD contract, even if the contract was flat out wrong.

    If management and HR are competent, then a lot of policies will be sensible and enforced well. If they are numpties then no matter how good a techie you are, you'll get fucked by dumb decisions or dumb enforcement.

  14. Naughtyhorse

    Ahhh the good old days...

    I remember once working for a company, the sign above the door said it was a distribution network operator, however turned out the main purpose of the company was giving the IT department an easy ride.

    great idea having 2 laptop specs and 1 desktop spec, of course it's a bit of a shame that both laptop specs were crap, and desktops were only available to 1/2 a dozen ops staff....

    (trying) to open 3 gig data files on centrino based laptop with 2 gig of ram, running xp was such fun.

    pandering to users is one thing, providing a service so that users can earn money and you know, pay your fucking wages is another.

  15. This post has been deleted by its author

  16. Triggerfish

    Onenote

    That's one to watch for, you find users syncing their notebooks with their home MSN/Hotmail accounts.

  17. ecofeco Silver badge

    BYOD is insane

    EVERY place I've worked, BYOD is relegated to guest status on the wifi and never even allowed to be connected by cable nor to be used for ANY official business.

    I've said it over and over and most security admins I know agree with me: BYOD is a stupid, stupid security risk.

  18. Glen Turner 666

    BYOD works in some organisations, not that you'd know it from this author

    Reading this article you wouldn't think that universities happily have thousands of BYOD devices on their networks every working day. It would have been better if the article, rather than condemning BYOD outright, looked at how they do it and the risks and benefits to the organisation.

    1. Peter Gathercole Silver badge

      Re: BYOD works in some organisations, not that you'd know it from this author

      Universities are a completely different kettle of fish to your normal company network. It is defined by BYOD, because the Universities are not capable of providing the number of devices needed by the students.

      Basic security in a University is that you have a number of relatively untrusted networks (normally by location) that the devices attach to with fairly basic security (registered MAC address, normally), with island networks containing all of the main University servers with strong firewalls on the borders of the islands that only allow a small number of trusted services through. Within each untrusted network you will have some routing and maybe print services, but any file repository will be in the islands.

      Any special access to departmental servers for specialist services is controlled on a device-by-device basis, with increasing levels of control requirements, registration and mandatory patching to allow this access.

      In addition, most Universities (AFAIK) operate a blacklist policy where if a device is found to be affecting other users seriously (viruses, deliberate intrusion attempts etc.), it is prevented from connecting to any of the networks until the issue has been resolved to the satisfaction of the University techies, and normally at a fee.

      So the networks that the students connect to is much more like the guest networks that companies operate (with a little more security), and the island networks are more like a core company network.

      This makes the analogy much clearer, and probably puts the break between the networks in a bit more context.

  19. Bathrug

    its a two level issues, BYOD is great for users who want to use better kit than assigned and certainly companies see this as a free ride for overheads on the hardware side. This however does take into consideration that business free hardware has a technical support aspect that can be costly.

    Of course what then happens when somebody cant do their job because their equipment is shyte, and you are asked nicely to sort it out. I am not a PC world geek corner employee, I'm not here to fix the crap that belongs in the local tip's electrical bins.

    That doesn't mean that BYOD doesn't have a place , but in real terms, its been developed into a standard by people wanting to use Facebook on equipment that they control and approved by businesses that want to save heap loads of cash on equipment/licensing.

    As for standardization , whats wrong with it ..... really? I bet you most of the " i really need a i7 laptop " is for undisclosed reasons such as watching movies, playing games and other work free activities. I work in a place that has some level of standardization but most of the kit is old and gets replaced as when something dies, I would like to standardize with new equipment and certainly if the likes of chrome book can give you everything for little all cloud based then those higher level munchkins need to raise a business case, " I want......" is not a case, its a want... a desire. Just give everyone Salesforce, Office365/google docs and a netbook.. and they CAN do their job.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like