Managing Personal Electronics and Software In the Workplace

darien writes "Last night Symantec hosted a round-table discussion on the topic of consumer devices in the workplace. John Brigden, Symantec's senior VP for EMEA, pointed out that regardless of the policies businesses may lay down, individuals will always try to use their favorite gadgets and websites at work. Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."

Fire them!

If they won't follow policy, you fire them! What's the problem? In this day and age, IT folks are easy to replace.

Think you can't? I beg to differ - I don't care who you are.

Re:Fire them!

[IndustrialComplex]

If they won't follow policy, you fire them! What's the problem? In this day and age, IT folks are easy to replace.

Think you can't? I beg to differ - I don't care who you are.

I think you need to meet somewhere in the middle. Employees expect some flexibility with their equipment, and yes there should be limitations on what you can or can not use on that equipment, but a blanket statement like "Don't follow the policy-fired" isn't what is really being asked here.

How do you find a good position for where the policy and employee desires meet? I certainly wouldn't work for a company that refused to even consider installing certain programs or the use of certain 'gadgets'.

An example of this is that how certain 'closed' or camera restricted areas are modifying their policies and training so that people can carry their cell phones with them since they nearly all have built in cameras. IE: in areas where you are already allowed to carry a cell phone, you take a special training course and then are allowed to use a cell phone that has a built in camera. There are still restrictions, but it recognizes that it is hard to find a phone w/o a camera.

The result was that you ended up with VPs and such who couldn't pick the cell phone they wanted because the stores didn't carry them without cameras. And if you don't care that a VP wants to pick a certain phone, and the only rationale you can come up with is "It's policy" Then perhaps it is you that should be worried that IT folks are easy to replace.

Re:Fire them!

[eln]

That's a nice theory, but unless you work in fast food high turnover is not a good thing. It's very expensive to find and train qualified people, so dumping them for minor things like this is unwise.

Re:Fire them!

[IndustrialComplex]

That's a nice theory, but unless you work in fast food high turnover is not a good thing. It's very expensive to find and train qualified people, so dumping them for minor things like this is unwise.

Pretty much.

It is much easier (and cheaper) to restrict things, but give employees the ability to request certain features, programs, or support for gadgets. It does take time to evaluate those requests, but it is certainly cheaper than replacing an unhappy employee or one that needs to get around the blocks because there is no method to request acess. When you make the decision, it is also helpful to explain in a dept or company wide letter why the program or gadget is blocked. Do not install "XYZ" will only get you so far. Do not install "XYZ" because it has a known security flaw that we cannot allow on our system, will give you a much better response.

Re:Fire them!

[redscare2k4]

I've lost count of how many time I've been forced to circumvent stupid policies to be able to actually do my job. Cos neither my boss nor myself want to go through the nightmare of calling the stupid IT guys (I work in IT too, it's not an attack against the whole group, only against the ones that are stupid) to tell them let me download latest winscp executable, latest linux ISO, latest spring framework release, etc.

Cos yes, the bright minds at my working place have a blanket ban that prevents downloading every damn .zip, .iso, .exe file.

And of course they also ban every IM program available, even if using it actually would save time and improve productivity, cos we won't have to send a freaking internal email (slow as hell, btw) to just give the other a job related url, a block of code, or whatever.

Yes, I know I should just tell my boss "hey, can't do it, go and tell IT their policy sucks bigtime". But my boss answer is "download it at home and bring it back in your usb". And since I'm not going to spend my free time downloading things for my job, I just circumvent their stupid policies.

So before blindly defending a strict IT policy, make sure it actually makes sense.

Re:Fire them!

[MightyYar]

I don't think anyone would question IT's value - just that when they get all self-indulgent like the obviously trolling grandparent... well, then.

You don't fire a guy for installing software - unless he's being malicious. And then you still don't fire him for installing software - you fire him for being malicious.

We used proxies to do our football pools while at work... after 10 years of doing it they suddenly installed a blocker. Did our manager know? Um, yeah, he was in the pool. Sure, we could have done the pool from home - but shouldn't work want me there? Old lab machines running Windows 95 suddenly stop working because some IT guy decides to put some policy enforcement agent on them that uses up the entire 32MB of RAM... doesn't put in RAM of course. We disable the program, computer fixed. As a result, the helpdesk guys refer people over to me when someone complains about a really slow ancient computer. IT one day caps our outgoing email size - tells us that "email is not suitable for large file transfer". Of course, they don't give us outward-facing FTP or anything else that is "suitable". Nice. So we buy space on a godaddy FTP server and use that until they get their act together.

IT is great - except when they aren't. Not everyone breaking the rules is someone you'd want to fire.

Re:Fire them!

[Jaeph]

In general I agree with you - I've seen some strong & stupid policies in my time. But this I have to call-out:

"And of course they also ban every IM program available, even if using it actually would save time and improve productivity..."

They do this because the vast, vast majority of people use it for chatting when they should be working. Even people who do use it productively often *also* use it for chatting.

If I owned a company, I would ban chat in a heartbeat.

-Jeff

Re:Fire them!

[remmelt]

You're assuming that if you ban IM, people will be more productive. I don't think that's true: they'll just find something else to be unproductive with.

Workers need time off besides lunch and coffee breaks. Either way you'll get the unproductiveness, either through sloppy work at the end of the day or by them having their mini breaks. If that time is spent chatting to their girlfriends, that's fine.

On the other hand, when they are being productive, they can easily save time by sending bits of code or whatever through IM. This increases their productivity.

I don't see the problem, except for if I would find myself working for a person who is this restrictive about my life, I'd quit in a heartbeat.

Re:Fire them!

[MightyYar]

Installing a potential attack vector like ICQ when you were asked not to should be grounds for firing.

No, it shouldn't.

Then again, why does IT let these people even have the ability to install software of any kind?

Exactly. The only reason we have IT is because the average person can't keep up with all of this stuff. If security and networking were easy, there wouldn't be an IT department. If IT wants all potential attack vectors ruled out, then they should do it by locking down the PC. If an otherwise good secretary clicks on an ICQ installer at some point, she sure as hell should NOT be fired.

Let me ask you - if you lose your ID badge, maybe leave it on the bus... should you be fired? After all, someone could use it to enter the building - it's a security risk that is all your fault, regardless of intent.

Re:Fire them!

[phoenix321]

Problem is: you're dealing with real actual people that have real actual lives and interests. Your job is to secure IT infrastructure AND support your users. If you care only about your holy sanctified security, you're only doing one half of your job and if they manage to install software, you don't even perform that half properly.

People use ICQ at home all the time and somehow many of them manage to not get rootkitted and that's not out of sheer luck. So where's the problem in reproducing the same guidelines for your workplace that sane home users follow when using ICQ? There are peer-reviewed GPL'ed ICQ clients, remember?

And why is IT security on desktop machines so important? You control their web access, you control your servers and your data center is behind many layers of firewalling. The worst that could happen is a w32.Blaster outbreak among your workstations and that's going to happen only if you skimp on updates, scanners and internal firewalling.

So what? You have images to reinstall one machine in less than ten minutes. The poor little user who wrecked his machine by installing ICQ will be ashamed for weeks among his coworkers. You can BOFH them into oblivion later on, so why should anyone be fired then?

And then again this is not only about revenue-risk-tradeoffs but also because of company attitudes, company loyalty, trust between departments and an environment worth working in. After all, we all do 10 hour workdays sometimes and God help our office staff if they were confined to Word and Excel only then. We want them to actually like going to work, because that saves a ton of wage raises in the long run and reduces turnover by extreme percentages. If you annoy your users, you cost your company brownie points and raise turnovers. And high turnovers cost more than all ICQ desasters combined.

Re:Fire them!

[MightyYar]

Yeah, I know exactly what you mean. Honestly, I don't know why IT doesn't just lock down PCs as the default. None of this "make a business case" stuff to install something new - just have a half-competent IT guy okay the install and let the user's supervisor know that it's going on.

And sometimes people who fancy themselves competent make some mistakes (ahem, me, ahem). Like one time I was testing QNX (we used it on an embedded system) and I plugged it into the network with a fixed IP and it crashed a bunch of boxes... something to do with ARP tables... whoops! So please be patient with us lusers :)

Re:Fire them!

[lgw]

Well, it seems like the useful number here is "how many IT guys could I fire if people followed the rules a little better". Are you sure you want management to have that number? I'd expect them to announce a policy, fire half the IT staff, and consider it a win. People wouldn't actually change their habits, of course, so it would be unpleasant all around.

Technologies are a part of life now...

[BobMcD]

You have to shore these up with human controls: enforced policies, employee agreements, and the like.

This is a human problem caused by our adaptation to technology in our entire lives. Should the computer have been a device you only run into at work, the draconian idea of 'you may only do what we say' may have stuck. But since people get to experience life outside this kind of control, they're going to crave it everywhere.

And resisting it is mostly just frustrating everyone.

Now, I'm not saying you have to support every oddball app on the planet. I would recommend you have an 'approved software' list, and back that software up with support. Saying 'that is not supported, use this' is far better than locking things down, from my experience.

Focus on the wetware, not the software and hardware...

Re:Technologies are a part of life now...

[plague3106]

Face the facts. You're at work. Unless you're on break, you're expected to leave your personal life at the door.

Actually, the courts, at least in the US, disagree with you. They've stated that yes, you can use very small amounts of times to take care of personal errends, even if not on break. They've spelled out reasonable phone use, so I imagine email / web use would also be reasonably included.

People forced into small, strict break times are routinely found to be less productive that those allowed some other distractions at work. It's really in your best interest to lighten up a bit.

Re:Technologies are a part of life now...

[myz24]

I actually don't think this guy was entirely out of line. There are some really good tips in there for people who don't realize what you can do to help control things. I don't let people install apps either because it increases my support issues on things that just aren't important.

I can't tell you how many times people would complain to me that their computers were slow. I'd find weatherbug on the machine and remove it. Seeing the computer was faster they thanked me and installed it again and then complain their computer is slow. No matter how often I explained that that program was the issue, they just wouldn't get it. Sometimes you really do have to protect users from themselves.

Re:Technologies are a part of life now...

[I'm+not+really+here]

If you don;t like it, take a pay cut and go work for the other guy...

Funny thing is, you run a shop like that, and when you need that developer to work 80 hours a week for the next 3 weeks to get a project done on time, and he says "Hell no! I get paid for 40, and you make absolutely sure you get that 40 out of me. Why should I give you anything extra?"

So, you fire them, and your project tanks.

Then they get a job elsewhere, where they are free to do whatever, but have deadlines. They meet every deadline at their new job and still have the freedom to enjoy their life. Their new job has a project, and the manager says "hey, I know it's been nice and easy for the last couple of months, but we have a biggie that just came through - a nasty bug in the code needs to be fixed by friday so it can be QA'd for the release... We're gonna have to pull a few all nighters." This "problem employee" that you fired responds "No problem. I'll get right on it." and that company does better than yours.

People are people. Take away freedoms and treat them like hired cattle, and they will look for other jobs, even lower paying jobs, so that they have the freedom to be human.

Re:Technologies are a part of life now...

[Anonymous+Brave+Guy]

If you're working in an environment where complete security is essential and staff can't be trusted, and there is no possibility of fixing the latter problem, then perhaps that sort of measure is justified. Anyone working in such an environment probably accepts that as part of the nature of their job anyway.

On the other hand, it is currently 20:15 where I am, and I am goofing off reading Slashdot for a few minutes while waiting to make sure a build and test run gets going OK overnight. Would I still be here if I had to sit at my desk doing nothing for this time? Hell, no. Contrary to your claim that we are being well paid for our services, I imagine most people doing what I'm doing now aren't being paid at all to be at the office this late.

Incidentally, I don't log my breaks formally during the day, and I frequently have some browser window open somewhere on a site that has personal interest. By your reckoning, it's amazing I ever get anything done, because obviously I'm just slacking off all day. Of course, that's not the reality: I just like to switch my attention frequently for a short time rather than for long periods at fixed intervals, and I'm pretty sure that working this way suits me better and therefore makes me more productive in the end, which is clearly in my employer's best interests.

And with that, my build is done...

Simple solution, stop trying to ban devices

[umStefa]

Companies need to start looking at WHY their employee's want to connect personal devices to coporate systems. If its just so that they can import calenders, contact lists, etc into their PDA or calender at home then set up systems to allow it. If its to take confidential materials out of the office to work on at home (since how many people actually work a 40 hour week anymore), then set up proper encryption protocals to allow this but at the same time minimize the risks associated with data being lost.

Remember the best way to get somebody to do something is to tell them they are not allowed to.

Not a problem

[smooth+wombat]

We block certain website groups (adult, gambling, games, etc) by default and everyone must go through our proxy to the outside world. Web logs are checked throughout the day and those who try 30 different ways to get to boobsgonewild.com are reported.

Most people have only User permissions so they can't install something and we regularly do sweeps of unapproved software on those people who do have admin privileges. I'm the one who generally gets the call to remove the software. We also check for firewalls on PCs and other software which can potentially bypass our firewall or hide the user.

As far as electronics are concerned, the worst we have are people using fans or heaters, depending on the season.

Not sure what the big deal is. These are just basic network security measures which any decent admin should do and have set up.

Re:Not a problem

[MobyDisk]

I don't see why some IT departments bother to block web sites. It is a double-edged sword, and both edges cut against the company.

On one hand, if employees are visiting porn sites on company time, they should be fired. Setup a proxy, trap it, and get them out of there. Don't block them, and keep an unhappy unproductive employee around.

Second, if small things like checking the sports scores, or stocks, or news is what keeps them happy at work, then don't waste resources trying to stop them. Their boss has measures to determine if an employee is wasting time - let those measures work. If you want to keep logs of how often they do it, then fine. But don't try to block them because ultimately you can't. You can't stop them from talking about it at the water cooler or checking the scores on their cell phones, or bringing in magazines and newspapers. It isn't the IT departments job to police social behavior in the office. That's their boss's job. Often times these types of activities lead to comradery like the after-work fantasy football league. It bonds the employees and makes them more stable.

Re:Not a problem

[Just+Some+Guy]

I guess I'm lucky to work for a more enlightened company. Our policy is simple: we're all adults with a job to do, and as long as you do it efficiently without causing problems, nothing else really matters. Honestly, I'd hate working for your employer and probably wouldn't last a month.

Re:Not a problem

This has got to be a troll, but on the off chance it isn't: wow. You are the type of IT guy we "software" guys laugh at. What you must be letting slip by by thinking you can actually monitor to that degree. Not only that, but software guys are often excruciatingly hard to replace, and I've never had a manager not shield me from IT whenever I let him know I'd be "breaking the rules" by installing some FOSS tools. Frankly, they normally couldn't give a flying you know what, as long as I ran my decisions by legal first.

I hate to burst your bubble, but SSH beats pretty much every tactic you described and you'd be hard pressed to argue a developer doesn't need basic SSH tools. Did you use epoxy glue on all the USB ports as well?

How about trying to understand your users and work with them instead of lording it over them? If you have no one who can't get by your "restrictions" you might take that as a sign that your company only pays for and retains the worst talent, and you career may not be in good hands.

At work, supposed to be working...

[fprintf]

I know when I am at work, I am supposed to be working. Nevertheless, there really doesn't need to be an all or nothing policy as it improves employee morale to allow some personal flexibility in the workplace. I know my company tries very hard to lock things down, and yet does allow some off-topic internet browsing (Slashdot, right now for example) and the occasional personal telephone call. They are, however, quick to remind us that the electronic networks to which we connect are a) company property and b) exposed as a security risk anytime we try and connect a personal electronic device. Thumb drives, iPods, PDAs, cell phones etc. are all blocked from connecting to the network.

It is all a balancing act, and a tough one at that. In the end, and no matter how much I might dislike it at times, however, they are right to restrict my access to these devices. In a funny way, they are helping me with my addiction problem - getting me off the Web.

It's like Prohibition - Unenforcable

[eagee]

To quote Einstein: "The prestige of government has undoubtedly been lowered considerably by the Prohibition law. For nothing is more destructive of respect for the government and the law of the land than passing laws which cannot be enforced. It is an open secret that the dangerous increase of crime in this country is closely connected with this."

The same kind of thing applies in a corporation. You don't want to lower morale, and you especially don't want employees to lose respect for your policies. That certainly poses more risk to the success of an organization than connecting your iPhone to the wifi network.

Maybe a better solution would be investing in IT infrastructure.

Re:Some possible solutions.

[thatskinnyguy]

...since most lusers have no idea about...

you set up all computers used by lusers to boot

What kind of attitude is this? You come-off as a condescending PHB. All the other stuff is good but damn. That just put a bad taste in my mouth.

Re:Failure to lock down machine = users WILL insta

[eagee]

Yea, try locking down the computer in a software RND department. If you succeed, you'll most likely have trouble keeping them around. IMHO there has to be a balance between security and freedom. Some security risks need to be a cost of doing business in order to keep your employees happy. I know if I couldn't read slashdot - I'd have a serious morale problem.

Re:Good luck with that.

[MyLongNickName]

I think this is one of those things where you need to identify the work environment you are in. I have worked in banking. It the operation division, what you said would be absolutely true. No second chances. If you went over to corporate, you'd find a more lax attitude. Whether you like it or agree with it, that is the way it was.

If you go to a smaller company, you will probably see an even laxer attitude. The policies vary greatly depending on the organization.

Re:Perspective

[tbannist]

It's interesting you should mention that, because it's Internet Explorer that is most widely known for having such serious 0-day exploits.

You know, the browser that you're usually required use instead of that untrustworthy, shifty, new comer, Firefox.

If "it might break someday" is your excuse for saying "no", you might as well shut the whole company down now, crawl into a deep bunker and hide until the day you die.

Unreasonable cowardice is not a virtue.