PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Posted on September 30th, 2008 by Darien Graham-Smith

Home computing in the office

Last night I attended a round table discussion with Enrique Salem, COO of Symantec. The theme was the encroachment of consumer technologies into business environments.

Of course, that’s a huge topic. “Consumer technologies” covers everything from Facebook to the iPhone, and different types of business are affected in very different ways. Unsurprisingly, the discussion started out uncertain and unfocused, and I admit at first I found myself wondering what it was supposed to achieve.

But as the evening went on it dawned on me that these difficulties were precisely what had drawn Mr Salem towards the topic. It’s a fascinating challenge to try to devise even broad principles for accepting new technology into a business without simultaneously opening up untold risks and challenges. Our ultimate inability to make a useful dent in the problem was in a way an eloquent conclusion.

You can’t keep the gadgets out

But there was one point that particularly stuck with me. John Brigden, Symantec’s senior VP for EMEA, pointed out that, regardless of the policies businesses may lay down, individuals will always try to use their favourite gadgets and websites at work.

That’s something I saw for myself ten years ago, when I worked at the sharp end of IT support. No matter how many times we told users they weren’t allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it.

And surely that tendency will grow as the work force is gradually filled out by a generation for whom instant messaging, mobile gadgets and social networking have always been facts of everyday life. Inevitably, then, this intractable problem is only going to become more pressing. 

More and faster

Unless companies are prepared to lock down their systems in unprecedented ways – or otherwise radically reconceive their computing operations – this accelerating, unmanaged influx of new devices and services is going to force IT departments into a reactive role.

That’s hardly an encouraging prognosis, but as I say, we couldn’t come up with a solution last night. In truth, I don’t think there is a single solution: every company will have to hammer out its own compromises, and revisit them frequently to keep pace with the situation on the ground.

But through all our deliberations we did keep coming back to one inescapable fact, which I think holds true for almost all businesses: maintaining network and data security in this anarchic new ecosystem is going to be one of the biggest business challenges of the next decade.

Posted in: Random


16 Responses to “Home computing in the office”

  1. David Wright Says:
    September 30th, 2008 at 1:58 pm

    A couple of companies we deal with in the area here have a complete ban on personal gadgets. ‘Phones, MP3 players, laptops etc. have to be left with security at the entrance.

    Likewise, policies are in place to stop people installing software on company PCs and anyone caught installing anything is promptly marched off site.

    I’ve also worked at companies at the other extreme.

    It is up to the individual company to decide what is reasonable or not for their premises. Where security is a real problem, then banning all mobile devices from the site is one method, combined with decent policies on the domain.

     
  2. Dave w-Wrong Says:
    September 30th, 2008 at 4:48 pm

    I don’t think I could handle working for a company that banned all personal gadgets. Unless they were paying me really really well.. or supplied me with headphones and access to my music, damnit!

     
  3. Hamster Says:
    September 30th, 2008 at 4:57 pm

    I’m surprised that group policies aren’t implemented that prevent the installation of new hardware. Easier yet, just disable the usb ports that aren’t needed. Security settings to prevent the installation of iTunes, etc, are easy enough to configure. If a user has local access to a PC, a few simple boot cd’s could circumvent these security measures, sure, but it’s doubtful the average user is going to use them, or even consider opening the machine up and resetting the boot password as well.

    I would think that a USB thumb drive would be a bigger concern, as it’s usually a hassle to prevent them from being mounted completely. As for web sites, just add a few firewall rules pointing to a corporate blacklist. Likewise with webpage-based proxy services.

    If these policies are implemented, all that’s really left to do is give a fair warning that going against these policies results in an escort out the front door, as it’s pretty easy to monitor network traffic for access to unauthorized sites, use of unauthorized software/protocols, etc.

     
  4. DBT Says:
    September 30th, 2008 at 5:01 pm

    Wow, David, I thought I worked for an extreme company and all we’ve done is remove admin rights from everyone’s PC and actively uninstall iTunes.

    We don’t stop people plugging in MP3 players, USB sticks and phones at the moment but plans are afoot.
    Should be fun as very often companies share information with us via a USB stick!

     
  5. R P Says:
    September 30th, 2008 at 5:53 pm

    Locking down systems, banning personal devices, and so on, actually cost companies more than the losses due to a security breach. The loss of effectiveness and productivity due to steps required to work within security restrictions costs so much more in extra man-hours to achieve the same work compared to a more open system that I am surprised companies can afford to maintain such highly-limited systems and remain competitive. I guess most have fallen for the same doom-and-gloom sales pitch from the likes of Symantec and others and has kept the field more or less level. Just like the ridiculous “Y2K” disaster that did not materialize (actually it DID; the disaster was the millions/billions of boneheads that fell for the whole thing and threw their money at it), the whole idea of security as a “thing” you can generate by using expensive, system-hogging software, and by whacking off more and more of the functionality of your system resources (the functionality that made you buy the system in the first place), is total nonsense. The fact is, security still comes from the same place it always has: from the competence and integrity of the people who are involved. This applies to security of all types, not just IT-related issues. Company executives and IT managers may not like it, as it means they will have to instill in others traits that they themselves may be terribly lacking in, but that does not, however, change the underlying truth of it. It is much easier to get more budget money allocated to spend on the problem (especially with help from IT security companies that are all too happy to contribute to the scheme) than it is to do the work that would actually make a difference. In addition to stepping out from behind their well-paid whipping-boys for a moment, they would also have a “real” job to do: provide leadership, training and a loyalty-inspiring workplace as a way to keep the company secure. 
    Drop the braindead concept of security-in-a-box, spend the money saved on actually protecting the company’s resources (i.e. healthcare, comfortable conference room chairs and fresh fruit in the break room).

    Symantec or McAfee won’t tell anyone this, but approximately 99% of all ’security breaches’ that corporations suffer are a direct result of the incompetence or apathy of a lower-level company employee. Almost all virus “attacks” on an intranet are the result of an unintentional infection by someone whose job is to use a corporate computer daily yet has no idea what a worm or virus may look like, what the risks are to the company or what to do if a problem is suspected. “Uh, push this key, then when the screen goes blue push that key and type in the number” is NOT effective training. And if that person is then treated as a non-essential human by the company, there is very little chance that he would go to any extra effort to report a suspected problem or run the risk of being blamed for it.

    For thousands of years, or for as long as humans have huddled under a rock or tree branch together, man has always had to rely on the basic human traits of someone else to ensure his own security. It was truly in his own interest to protect, and even enhance, the wellbeing and capabilities of those he dealt with daily, whether he was the village leader, the village idiot, or anyone in between. This is true now, has always been true and will continue to be true in the future as long as people have contact with one another. We will not overcome this fundamental truth with a CD we pull out of a yellow and white box. And, in fact, those CDs actually do considerable harm to our overall level of security because they completely hide (intentionally, I must add) the fundamental requirements for REAL security. We will never be able to unbox or download employee integrity or competence, and without that all is lost. WITH those two things, security concerns will take care of themselves, with or without the “security” boys.

     
  6. Anvil* Says:
    September 30th, 2008 at 5:54 pm

    I usually operate with a suite of engineering software on my system. A company will usually pay for some of it, if I want more it’s at my cost. Dealing with an IT department for updates and regular maintenance is sometimes a joke. I have to publish instructions for them and if there’s a problem they have to call so I can figure out what they did. Most IT departments learn I’m not the problem after a while and can even help when there is a larger event and have a need of extra hands to sweep up the mess.
    My concern is to what extent am I connected to their network and how much security is stripped away so they can rummage around in my system off hours. My current IT support is miffed that I’m alerted when they launch something my way and that my system is shut down off hours (no power) unless by previous arrangement it is left vulnerable for the night. Sorry I don’t have an ideal solution. Ended up with three computers at one place. Theirs, mine behind firewall, and mine not on the net.
    If a company is both sloppy and anal about having access, I’d proffer the company computer be just a corporate mailbox. The valuable information and software would then remain on my personal system either behind an additional firewall or completely disconnected from the corporate site. Most won’t go for that.
    Mmmm, maybe computer access should be earned by training and deed rather than edict or management ego. Maybe letters from former IT departments that I’m a good citizen…

     
  7. heh Says:
    September 30th, 2008 at 6:04 pm

    Don LaFontaine voice “In a world, where at least half your friends and family telecommute and wash their laundry while waiting for confirmation emails on projects…why should anyone mid career or higher tolerate draconian, indenture-style IT policies?”

    Software and hardware need to be based around real assessed confidentiality threats, not around reactive bottom-up self-management principles.

    “In a world where about 50% of managers never obtained an MBA and don’t know how to take accurate performance metrics…Websense based guilt tripping has become the new metric.”

    http://en.wikipedia.org/wiki/Theory_X_and_theory_Y

     
  8. Taz Says:
    September 30th, 2008 at 7:48 pm

    I’m not in agreement with the root cause analysis portrayed in this article. I don’t think devices are to be blamed. I think if the policies clearly describe what type of data can be transferred and what type of activity is permitted in the work environment, the staff should be able to take appropriate measures. However, a ‘when in doubt contact the IT group’ phrase would help those who are not aware of technical/security risks posed by applications (e.g. IM) and devices (e.g. MP3 players and unencrypted USB keys).

    If a company exposes high-risk data to employees who cannot be trusted and then expects a PC/data lock-down would help, they should seriously rethink their HR hiring principles/policies.

    Bottom line… spending the time and effort in properly educating employees about security issues and values in the work place is the best way to ‘tech-proof’ the IT Security policies.

    I guess I should get back to my work now!

     
  9. EuroCoder Says:
    October 1st, 2008 at 9:19 am

    I don’t know if this is a cultural difference, but I work in Scandinavia, and personally I would switch company instantly if they tried to establish some kind of rules or policies to limit what I do while I’m not productive. We all need our small breaks, and by interfering with those the company would only erode my loyalty to them. The efficiency of most “office” jobs can’t really be measured easily, if I spend some time writing this rant it’s probably not away from my current project – I just need some time to vent my brain and approach problems from different angles.

    They pay my salary, and in return I get the job done. The rest of the time I expect them to respect my privacy. If I can’t trust the company not to snoop my browsing, time use or email I’m one step closer to leaving and taking whatever I consider my intellectual property (experience, code, whatever) with me… The company wants employees they can trust, but also the employees need to trust the company to play fair. Every inch towards a 1984 workplace makes me seriously consider going contractor.

     
  10. all_about_trust Says:
    October 1st, 2008 at 9:54 am

    security policies in IT are, almost without exception, a joke. would ops chain employees to their desks to ensure that workers don’t prop open fire doors with the extinguisher? of course they wouldn’t. yet many IT security policies are doing just that with technology – “here is your tech, but we’ve disabled most of the interesting and useful stuff, because we’ve decided that you cannot be trusted.” hardly ideal for fostering new ideas or trust within a business, but great if you want a disinterested and resentful user base.

    where draconian policy does work – in workplaces where safety is paramount – it is self evident that it’s a good idea to use the guard when operating the industrial lathe and so on. perhaps, because the example set by gov’t and big business in relation to data security is so lax, people are less inclined to believe in the importance of IT security? could that be it?

     
  11. David Wright Says:
    October 1st, 2008 at 10:34 am

    The advertising agency where I currently work is the first where carrying MP3 players has been acceptable.

    In most companies I’ve worked for, listening to music was a definite no-no. I hated it, when I was out in the general pool office, sitting there listening to 6 different MP3 tracks at the same time, all played through headphones, way too loud! It is a real concentration breaker and productivity sapper.

    Most companies I’ve worked at allowed mobile ‘phones, but only if they didn’t have a camera in – company policies in place since before mobile ‘phones or digital cameras banned all photographic equipment. This was an important security precaution for most of the big companies, especially in the R&D departments, so if you were fool enough to get a mobile with a camera, you had to expect to leave it in the car or hand it in at reception, when coming on site.

    To be honest, I find it harder to work in offices which are more “liberal” in their attitudes to things like mobiles and music players than in a traditional office atmosphere…

     
  12. Chris_B Says:
    October 1st, 2008 at 10:37 am

    I’m going to guess that the people above who left replies objecting to PC lockdowns don’t work in regulated companies. It’s all fine and dandy if you work for Aaron’s Auto Body to allow people to plug in whatever virus laden gadget they just got from a flea market or install the latest time waster software, but once it’s a hospital, bank, or government agency, locking down your ports and web access is a must.

    There are ways to do PC lockdown with 3rd party tools or with Windows Group Policy or both. Any competent firewall admin is already blocking most outbound ports anyway.

    One of the worst things MS ever did for corporate security was to have an icon named “My Computer”. At work, it’s not your computer, it’s the company’s computer and they can do what they want with it.

     
  13. all_about_trust Says:
    October 1st, 2008 at 1:33 pm

    Chris_B – attitude, not regulation, is key. Take hospitals – regulations are tighter now than they were 50 years ago, and yet C-diff and MRSA are problems right now. Why is that? Perhaps it’s because cleanliness is seen as a supply-side budget line rather than a clinical necessity for sick patients. It’s certainly disingenuous to point at legal requirements and suggest they’re working just fine, and more regulation will help if it’s necessary – because it would seem that they’re not doing the job.

    You can hide behind rules and regulations all you like, but it’s behaviours and attitudes that will work in the long term.

     
  14. CP Says:
    October 1st, 2008 at 1:50 pm

    The problem with large user bases, is that they cannot be trusted. Period. A savvy individual will understand the need to connect multiple devices to a machine, and know how to mitigate the risk down to an acceptable level (A/V scans, avoid sketchy sites, know .vbs from .exe etc.). The bulk of the userbase within an office environment is NOT savvy. (Hence the need for an IT department.) They will try to plug in anything they think they can get away with, and are genuinely surprised when I show up to tell them their account has been suspended due to introduced malware. I imagine, one might feel differently if their doctor or lawyer had lax security positions. Especially when your medical records or inheritance were lost, then found preventable in the courts.

    If anyone knows of a programmatic way to lock down USB ports, or to auto A/V scan new drives as they are mounted (preferably before users are allowed access), I’m all ears. I am stuck with Symantec unfortunately. Currently user/group policy prevents devices from being installed without admin authentication, which works 80% of the time. However some of our users have identical devices at home PDAs etc., and policy lockdown does not differentiate between home/work devices. Once that PDA is installed, any other handset will connect without needing authentication.

     
  15. R P Says:
    October 1st, 2008 at 6:10 pm

    As Chris_B has so clearly demonstrated, lack of an understanding of the real issue runs rampant across most of the corporations and groups in the US. If someone buys an MP3 player at a flea market and is just too incompetent to be trusted bringing it to work, WHY IS HE USING A COMPUTER IN A CRITICAL HOSPITAL OR GOVERNMENT JOB? If he can not safely operate an MP3 player, he certainly can not be a real genius at operating a system-critical PC and should not be expected to without adequate training. There is no way to make something idiot-proof, and trying to do so only results in producing a more intelligence-resistant strain of idiot. Frankly, most IT departments are swamped with them already (see any of the previous responses declaring, “We need lockdown!” “We need lockdown!” for anecdotal evidence of this phenomenon in action).

    This is, for some reason, a particularly widespread issue in the US (the whole “can’t trust anyone” approach to employee management, not just the super-idiot epidemic). I have worked in Norway, Denmark, Holland, and many other places in Europe and, as EuroCoder says, things are different. People are expected to use their best judgment and discretion in doing their jobs effectively, and in exchange for this are actually allowed to do so. Those who are not skilled enough to work in an office with functional, open PCs around without endangering the company or its assets are not expected to without more training and experience. An individual’s sense of responsibility for his own actions — to himself, fellow employees, the company and the community — is all the security that is needed to more or less eliminate the risk of someone jeopardizing the company’s property when they are not sure if it is safe. The integrity an employee would show by going to the IT department to ask if using an MP3 player is safe is rewarded with being allowed to (even helped to) if it actually is harmless.

    In the US, anyone that went to an IT department anywhere and asked, “Is it safe to use this MP3 player?” would be told either: that it is a policy violation; that the MP3 player is not on the list of approved devices; that his manager would have to review and approve it after it was sent off and returned from 9 xray scans and a complete de-soldering; or (the worst answer possible but also the most frequent) “I’m updating our virus data…. Uhhh, I won’t be able to do anything until I fix the Exchange server that got broke in the update, and then reboot the WebSense server that got broke because the system virus scanner deleted the WebSense blacklist and then the AV scanner got shutdown and maybe broke by the firewall because it looked like it tried to access port 25 but it didn’t and now the AD server has broke because it thought the AV scanner violated domain policy and….” Genetically-modified idiot. If there is any one crop that Europe should continue to ban importing from the US, it is the GM-idiot.

    Why are Americans so afraid of everything? Afraid of IT security, afraid to take a walk at night, afraid of guns, afraid of not having a gun, afraid of unbottled water, afraid of water bottles, afraid of lying, afraid of being really honest, afraid that any non-English language is just a trick to talk about us and hatch plots, afraid to leave home, afraid to stay home (with or without a gun), afraid of killer bees, afraid of anything unpasteurized, afraid that e-coli is a micro-terrorist, afraid of paying living wages to meat-handlers to help avoid e-coli epidemics, afraid of meat-handlers. If someone can answer that question, the question of IT security will be answered, also.

     
  16. Ajax Max Says:
    October 1st, 2008 at 6:34 pm

    CP, you appear to be exactly the sort of runaway IT hack that is the real source of the whole security problem. You should remember that none of your policies, virus scans, and so on actually help with security and in reality only throw the company’s money away on software and waste employees’ productive time on waiting for braindead “security” processes to run on their systems. If a large user base can not be trusted (in a work environment) the company with the large user base has outgrown its ability to manage itself and is on an inevitable ride down the crapper. You should resign while there are still enough other dimwitted companies left that you have a chance at finding another job before they all collapse. Otherwise you will be stuck having to accept some sort of janitorial position, probably in a prison or psych ward.

     
