Slashdot Mirror
Ask Slashdot: Should Employers Ban Smartphones?
An anonymous reader writes "Due to a concern that smartphones (and other electronic devices) could be infected with malware and used to spy on sensitive information, my employer has recently banned all personal electronic devices from their spaces. The concern comes from articles like this one. My question to slashdot readers: How reasonable is this concern? How can this sort of malware be prevented from showing up on our devices? Is there a way to educate employees about preventing this sort of thing rather than banning the devices altogether? This current reality is that people have started to rely on having their smartphones with them at all times for things such as receiving emergency calls from day cares and schools, making personal calls during normal working hours (i.e. to make doctor's appointments), accessing password managers, and scheduling calendar events."
You have asked an audience that knows just how ingrained smartphones are to our everyday lives. The last half of your question is a "given."
The burden of proof is on the employer to show that no other mitigating measure can address the risks. Summarily banning child protecting, emergency-aleviating technology, not to mention the tools with which we coordinate the rest of our lives, is truly bad form and will bite the employer more often than they know.
If you are working with sensitive documents, these people will remove the camera from your iPhone for $20:
http://www.iresq.com/iphone-camera-removal.html
Want to do the whole office? A 79 cent roll of electrical tape will do the trick.
The problems are solvable and worth solving. That management favors solutions that are simply a matter of writing policy, is in their nature, so don't sit in the dark and bitch, fix the bulb.
Would you ban laptops at work for the same reason?
Surprisingly smartphones have not been around forever and little Johnny & Sally still managed to make it thru daycare okay. If there's an EMERGENCY, outsiders can call your employer's main number and ask for you. You get paid to work, not deal with personal matters.
what about people in the field who use them for work???
also useing a smart phone is cheaper then cell phone + data card in a laptop.
Someone has to say it, may as well be me. What is this MSN?
I hate sigs.
Would you ban laptops at work for the same reason?
A lot of businesses do in fact ban laptops that aren't company-owned.
Anything that can breach security in a government setting is worth withholding indefinitely until a practical policy can be approved which reduces risk to near zero.
For unrelated/unregulated industries, this approach is unreliable, impractical, unprofitable, and let's face it, just plain stupid.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
if you work in a sensitive area then expect high security
if you work for a US GOVERNMENT agency around classified information then you're probably following these rules already
if you work in a start up with cool tech you might expect something like this
if you work in your average workplace no one is going to care
How reasonable is this concern?
Very reasonable, if your employer is a CA. Not at all reasonable if your employer sells hubcaps. Need more info.
How can this sort of malware be prevented?
Educate employees. (But your next question shows that you already know this.)
Is there a way to educate employees...?
Yes. Employees are not algorithms. That's why we employ them instead of just computers.
This current reality is that people have started to rely on having their smartphones...
Yes, if you want effective employees, you should allow them to use their brains, as well as extensions that make them more effective.
Do you have any questions that lack obvious answers--perhaps something worth discussing in a forum?
It is entirely possible to allow employees to have their smartphones and even notebooks, while keeping them isolated from the company's main network. I did this once for a client. It is not trivial but it is also not magic.
However, after some time, the complain about people not being able to use those equipments to have full access started piling up, to a point it was decided it would be a lesser problem just to ban them.
What people need to understand is that they are inside a company, not their homes. Yes, it can be interesting to the company to allow some accept and freedom, thus improving morale and productivity, but controls are needed, both for security and legal reasons. That is unaccepted to enough people to make it not worthy for the companies to implement.
morcego
Yes, these functions can be easily taken care of with a laptop. However with the constant shuffling from meeting to meeting many times the phone often becomes the go-to device when away from the desk. When away from the office, communications in the evening, over the weekends, etc. are becoming increasingly more prevalent.
This brings up the entire philosophical debate on how much more (or less) productive everything makes people who now no longer have the luxury of checking out, having a singular focus, is forced to multitask, etc. but the greater point is if the expectations are for the constant connectivity of employees in a workplace then you have to take the good with the bad.
If you're working on material or systems that are classified, or something akin to the iPhone 6, then yeah. Letting *any* communications device into the work area is a very bad idea. You are being targeted. Probably very specifically, too.
If you're not working on anything of that nature, then probably not. Who cares if anyone sees the inside of your office? Or hears you talking sports scores? It's creepy as Hell, and you should probably be more worried about the fact that someone is mucking around inside your phone, listening to you.
The exception to this, is when you walk by some moron's desk, and they have their smartphone plugged into the USB port of the computer, MOUNTED AS A HARD DRIVE.
A computer which is inside the company firewall.
Sometimes, you just have to assume the lowest common denominator, because convenience in listening to an MP3 collection will always trump common sense.
[End Of Line]
I would consider them (Boeing) and others in their line of business to have about the most conservative position on such technology. Seeing as how they have pretty much given up on such rules, I don't see how any other employers expect to get away with them.
Also, if employees are going to steal proprietary data (for which I'm sure there is a company policy prohibiting said activity), sneaking a camera, USB drive or whatever onto the property in violation of rules is not going to be a deterrent.
Have gnu, will travel.
If, after 20+ years of personal computers we still can't stop people from accidentally downloading malware, good luck preventing it on smart phones and other portable devices. The problem is, and always will be, the ignorance of the user.
People in the field would have a device provided by the company, because the employee would be billing back all related expenditure (data and voice) to the company anyway. That device would be locked down by the IT dept; Both Android and iPhone support device policies and central management now, and BlackBerry was designed for this use.
Finally had enough. Come see us over at https://soylentnews.org/
We were have some pretty bizarre network problems in our office one day - some machines were able to connect to our db server whilst some couldn't, and other could intermittently. Long story short*, somebody's smartphone (Android in this case) was responding to ARP requests (requesting the MAC of the server) even though it was showing its IP address as being assigned by DHCP. I reckon its previous IP on the user's home network was the same as our server, and for some reason kept answering to them.
*Once I realised that packets didn't seem to be making it to the server (pings were intermittent), it dawned upon me to check the ARP tables on the clients. Looking up the manufacturer of the MAC address didn't immediately help as I didn't recognise the name, though I assumed it was a phone. At that stage I wasted time looking through all the phones looking for an IP address conflict (bad assumption). Finally looked up the DHCP leases for the offending MAC, found it's current IP (no hostname was provided by the client), found the offending phone, and very nearly shoved it the arse of the owner.
It's that simple. Buy a wall charger (if you need to charge the phone during the day) and keep the thing completely off the grid at work. There's no way I would connect a storage device to my company network. They tend to frown on that kind of thing.
So where's the problem?
Is it fair? Sure. But if they want to ban your phone in their office, politely tell them you are quite fairly banning their office on your phone. No work after 5, no emails over the weekend, no contact over holidays; that stick goes both ways and if you can't bring your life to work you shouldn't have to bring your work into your life.
I live in constant fear of the Coming of the Red Spiders.
We are actually in the midst of going through something similar at my company (a very open, not secretive environmental firm). We recognized through employee surveillance and traffic logs that cell phones were a huge security risk at our firm and the decision was made to control as much as we could while still maintaining our "Mom & Pop" company feel.
We switched all of our cell phones from one carrier to ATT and we purchased the MobileIron software (VPS and Sentry) to control all the aspects of the company phones that enter our buildings. In addition, for the people who chose the monthly subsidy as opposed to a company phone, we prevent them from getting WiFi access from within our offices as best we can (MAC whitelisting isn't foolproof but helps with 99% of our users). We don't allow the non-company provided phones to work if they are plugged into workstations via USB cable. With MobileIron I can control basically every aspect of their smartphones including camera control, data usage, app installs, etc.
Now, we don't have this fully running in production yet so I can't comment on the pitfalls I'm sure to face, but the short answer is workplaces don't necessarily need to ban smartphones as that could actually cripple some business processes; however, they are definitely a security threat that need to be managed just like other corporate and employee owned devices.
Hagrin.com
My god, this attitude is amazing, what primitive part of the world did you grow up in? Most normal employers realize that work and private live are not so easily seperated and simply allow the two to intertwine. If I ask someone to stay late because of deadlines, can I then deny them time to make calls during office hours to arrange private things? Hell, this must be an American thing. Do you also object to people using the company printer?
Of course, normal people realize there is a line, you can print out a form, your CV is a bit touchy and you do NOT print out a thousand copies of your novel but come on!
If your tried that master slave attitude in Europe, you would find yourself soon with no employees left.
Unless there is a VERY real need for security, everyone carries a mobile phone with them in Europe. The idea you shouldn't answer a personal call during office hours is just so 19th century. Come on, join us in the future, we got cookies!
Ten to one this gti_guy doesn't have a job, lives in a trailer on government assistance and whines about all those leeches living of the state.
People good enough at their job to have one know they are valuable and companies are willing to keep them happy.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
No, it most certainly is not. Salary negotiated by both parties is indeed enough compensation because you were involved in its negotiation. The number of hours per week you owe to your employer is part of your employment contract. Beyond that contract is not covered and therefore NOT COVERED. I am happy to go above and beyond for a company I enjoy working for, but my rights are my rights.
If you need to make a personal call that you do not want to/cant make from your desk line, go out to your car during lunch and make it.
What do you recommend for people who use public transit instead of driving to work?
Go outside and make the call? I mean, how many people are out there working in submarines, underground silos or a bunker in the middle of the Mojave Desert for whom the simplest, most general case solution is not applicable?
No, it is not. For several reasons.
First of all, insurance companies explicitly tell customers *NOT* to leave any valuables in their automobile.
Secondly, auto-insurance does not cover any property stolen from an automobile anyways, and personal property insurance often doesn't generally cover things left in an automobile while you are at work anyways unless you are paying on a special (and much more expensive) plan that explicitly covers theft from your car.
Finally, not everybody drives to work in the first place.
This is work, not school. I can keep my cell phone turned off or even in my briefcase if my employer feels its necessary, but I can't think of any reason that I should not be allowed to bring it onto premises at all other than unhealthy paranoia.
File under 'M' for 'Manic ranting'
Part of my job is to advise companies on security policies like this, and I have advised in favor of such restrictions when asked. However this is done out of respect for the end-user's privacy. The reasoning is that there are two conflicting priorities in permitting BYOD use and network access:
First, as a security officer I have a duty to ensure that the network and all devices connected to it remain secure.
Second, as an agent of the company I have absolutely no right to dictate to an employee what they must or must not do with their device to prove that it is secure. It is their device which they purchased with their money to use for their own purposes.
Since I cannot prove that the device is secure without violating their privacy or exerting an unreasonable amount of control over the device, the only resolution is that the device is not permitted.
If you really need a device, then the resolution to that is to get the company to buy you a device -- at which point the company owns it, and can dictate what security measures are taken.
At the end of the day, a company pays you to do a job, and as such has the final say over how you do it and what tools you use to do it. It may not be your choice, or the best choice, or even an efficient choice. But that's how they want it done.
Good employers will listen to their staff and make adjustments and get the tools that their staff need. But it isn't mandatory.
If you don't like the job, and the employer won't change it to suit you, you have two choices: live with it, or leave.
you should read everything on the internet as if it had "but I'm probably talking out of my ass" appended to it.