Slashdot Mirror


Ask Slashdot: Should Employers Ban Smartphones?

An anonymous reader writes "Due to a concern that smartphones (and other electronic devices) could be infected with malware and used to spy on sensitive information, my employer has recently banned all personal electronic devices from their spaces. The concern comes from articles like this one. My question to Slashdot readers: How reasonable is this concern? How can this sort of malware be prevented from showing up on our devices? Is there a way to educate employees about preventing this sort of thing rather than banning the devices altogether? This current reality is that people have started to rely on having their smartphones with them at all times for things such as receiving emergency calls from day cares and schools, making personal calls during normal working hours (i.e. to make doctor's appointments), accessing password managers, and scheduling calendar events."

29 of 510 comments

  1. No persuasion required by Anonymous Coward · · Score: 5, Insightful

    You have asked an audience that knows just how ingrained smartphones are to our everyday lives. The last half of your question is a "given."

    The burden of proof is on the employer to show that no other mitigating measure can address the risks. Summarily banning child protecting, emergency-alleviating technology, not to mention the tools with which we coordinate the rest of our lives, is truly bad form and will bite the employer more often than they know.

    If you are working with sensitive documents, these people will remove the camera from your iPhone for $20:
    http://www.iresq.com/iphone-camera-removal.html
    Want to do the whole office? A 79 cent roll of electrical tape will do the trick.

    The problems are solvable and worth solving. That management favors solutions that are simply a matter of writing policy, is in their nature, so don't sit in the dark and bitch, fix the bulb.

    1. Re:No persuasion required by Anonymous Coward · · Score: 5, Insightful

      The burden of proof is on the employer to show that no other mitigating measure can address the risks.

      My current employer has banned all personal cellphones and personal laptops for some time. It is really not that hard to get around, and the burden is not on them to prove anything. You are paid to work and presumably want your job. If not having your pacifier with you at all times makes you that uncomfortable, find a different job. Or you can give out your work number for emergencies or set your cell phone to automatically forward calls during business hours to your desk phone. If you need to make a personal call that you do not want to/can't make from your desk line, go out to your car during lunch and make it.

      That management favors solutions that are simply a matter of writing policy, is in their nature, so don't sit in the dark and bitch, fix the bulb.

      So if a concern is the microphone on the phone you have no problem filling that with epoxy?

    2. Re:No persuasion required by tepples · · Score: 4, Insightful

      If you need to make a personal call that you do not want to/can't make from your desk line, go out to your car during lunch and make it.

      What do you recommend for people who use public transit instead of driving to work?

    3. Re:No persuasion required by Minwee · · Score: 5, Funny

      What do you recommend for people who use public transit instead of driving to work?

      Death

      I see that you work for the Muni.

    4. Re:No persuasion required by Monsieur+Canard · · Score: 4, Informative

      My company does a lot of DoD work. The policy is: no personally owned electronics may connect to company assets. Ever. We can have personal smartphones (but no notebooks or tablets) as long as they do not have a functional camera. For Android phones the only option is to remove the camera or JBWeld over the lens. For my new iPhone the local AT&T store enabled restrictions on the camera with a password only they know and gave me a letter as such. That's good enough for our security folks. It's not a perfect situation as disabling the camera kills things like having Siri dial phone numbers for me (as apparently that somehow involves Facetime) but it's better than any sort of destruction. Plus I was able to get the camera un-disabled (yeah, I know) when I went on vacation for a week and then have it re-disabled.

      --
      He took a duck to the face at 250 knots.
    5. Re:No persuasion required by PmanAce · · Score: 5, Insightful

      Summarily banning child protecting, emergency-alleviating technology

      What happened to giving them your work place number like you know, your parents did? Children were just as safe before smart phones...

      not to mention the tools with which we coordinate the rest of our lives

      I don't agree with this at all. 10+ years ago we didn't use smart phones and we coordinated the rest of our lives just fine.

      The problems are solvable and worth solving. That management favors solutions that are simply a matter of writing policy, is in their nature, so don't sit in the dark and bitch, fix the bulb.

      I think management just wants you to do your job and not have you sit there browsing facebook on your phone, texting your friends or calling for appointments while you are getting paid.

      --
      Tired of my customary (Score:1)
    6. Re:No persuasion required by Runaway1956 · · Score: 4, Insightful

      Burden of proof? WTF is that all about? We have problems with phones in our plant. They haven't been banned - yet. But we have problems with people's attention being distracted from their jobs. An issue that has never been addressed at our plant, is the possibility of "sensitive" and "secret" documents being recorded. Trade secrets are trade secrets, easily recorded and sold to whoever might be interested in them when everyone carries a phone with a camera.

      There is no "burden of proof" - if management becomes aware of risk, they can ban anything and everything that they deem to be a part of the risk.

      We also suffer from vandalism. So far, it has been confined to physical vandalism of equipment. Some day, some bright boy is going to figure out that he can plug in a WIFI, and use his smart phone to introduce anything he likes to the computerized equipment. The older equipment may not recognize a WIFI device, but the newer machines certainly do.

      Bad form, you say? This is the United States, in the year 2012. Management has dismissed half of the lessons ever learned about keeping personnel happy. They don't give a damn about happy employees. There are four or five applicants for every job that opens up. They don't NEED to keep more than some key personnel happy. Even junior management is subject to layoff at any time.

      Bad form and burden of proof, you say. Either you are a very lucky person, and have a really great job where management actually thinks about you and your needs - or you're stuck in the mid-1980's. Nowadays, management doesn't even measure their turnover rates among labor, skilled labor, and trades people. Moving up the chain of command, there is a little superficial "caring" shown to the engineers, and a little more "caring" for junior management.

      More, the states are backing up employers far more than they did in past decades. I think it was Michigan that just became a "right to work" state. The employer need prove nothing - the employer rules, and you obey. There is no civil right being infringed if the employer bans your electronic toys during work hours.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    7. Re:No persuasion required by realityimpaired · · Score: 4, Insightful

      They pay you to work, not to sit at your desk playing farmville or tower defense on your cell phone.

      My office has noticed a genuine drop in the quality and quantity of work that gets done by folks who screw around with their cell phones when they're supposed to be working, and has banned them at your desks. Put it on stun, and put it in a drawer. On your own time (breaks/lunches), it's allowed to come out, but as a courtesy to other people who *are* supposed to be working, they ask that any phone calls/whatever you make be done in the hall, lunch room, or outside.

      How is that intrusive, or corporate feudalism?

      And for any emergencies, I have a company-provided e-mail which can be used, and I have a desk phone which people can call.

    8. Re:No persuasion required by schnell · · Score: 4, Insightful

      This whole question is based on a false premise that personal and corporate smartphones can't be managed. The answer is very simple:

      Are these work-mandated/provided smartphones that have access to the company e-mail/intranet system? If so, then the company needs to invest in Mobile Device Management (MDM) software like Good, MobileIron or even a BlackBerry BES and lock down which apps end users can install, what can be downloaded or forwarded, etc.

      Are these personal smartphones? Don't provide any access to the company e-mail/intranet or any other system on non-company devices so whatever malware you decided to install has no impact on the company.

      Whether personal smartphones are allowed in a business should not even be a question unless you work in an environment where employees taking pictures of documents, people or facilities is a security risk (the government has a lot of these environments), and generally in those cases you are not allowed electronic devices in those restricted facilities, period - work or personal.

      BTW the linked Washington Times article (quality news source, there) describes a proof of concept app but does not describe the platform(s), attack/delivery vectors or anything else about how you would actually hijack a phone in this way. I'm pretty sure it wouldn't get approved in Google Play, the iOS App Store, or any other reputable app source. So if your employers are afraid of that, then they need to up their med dosages.

      --
      "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    9. Re:No persuasion required by TubeSteak · · Score: 4, Insightful

      It's quite a different world ten years ago.

      The technology may be different, but the mechanics of our daily lives haven't changed much since the wired telephone, refrigerators, and cars became ubiquitous.

      --
      [Fuck Beta]
      o0t!
    10. Re:No persuasion required by h4rr4r · · Score: 5, Insightful

      That is the tradeoff from expecting people to take care of business during personal time.

      It cuts both ways. You want me on call 24x7 for a week and available if you really need me other times, then I will be making personal calls on the clock.

    11. Re:No persuasion required by mycroft16 · · Score: 4, Insightful

      "10+ years ago we didn't use smart phones and we coordinated the rest of our lives just fine." This argument is ridiculous. It assumes that nothing in the world has changed, which is obviously flawed. It's like saying that people didn't use cars in the 1830's and still got around just fine, so why should we be using them now? Progress and innovations are made to make things easier and more accessible. Rather than carry a 12 month calendar around everywhere you go, or a planner as a separate book, now you have your email, calendar, to dos, notes, voice recordings, phone, etc all in a single device that fits in your palm. No more need for a briefcase worth of crap. Just a single phone. Sure people got along fine 10+ years ago, using the best that was available to them at the time. And so should we.

    12. Re:No persuasion required by cellocgw · · Score: 4, Informative

      Your company may be in the minority (on the conservative end of the spectrum). I've worked for several different DoD contractors over the years, and once they got past the "OMG phones cameras run RUN" stage, they all figured out how to allow personal cellphones, even with cameras, into the main plant area. There are rules, carefully enforced, about maintaining airgaps (and no WiFi) between personal and corporate networks, etc. There's no reason, other than panic or deep-seated distrust of your entire staff, to ban personal devices in the workplace.

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    13. Re:No persuasion required by sjames · · Score: 4, Insightful

      I know this may come as a surprise to you and the rest of corporate America, but nobody gives a crap about your secret documents. Really, nobody cares at all. Sure, it's fun to play "secret agent man", but nobody is actually clamoring for them.

      Most of your double deep dark secret methods and techniques are actually SOP at any company in your field. REALLY! The rest are obvious but only applicable to the particular situation at your company.

      If you actually had worthwhile secret documents, someone would have already sold them in exchange for a nice retirement to a tropical paradise somewhere. There was a time when employee loyalty might have prevented that, but it went out the window the day after loyalty to employees did. If your employer REALLY had secrets that were worth anything, it would pay above average, offer generous vacation time and other perks and generally treat its employees as if they held the future of the company in their hands. But that costs money, so it's out of the question.

  2. No by Eightbitgnosis · · Score: 4, Insightful

    Would you ban laptops at work for the same reason?

    1. Re:No by jimbolauski · · Score: 4, Interesting

      We allow personal laptops and smart phones but we have two internal networks, one that is for the unclean and one for verified systems. The unclean network only allows access to the internet and a few of our internal systems, email, calendars, and contacts, only stuff that is exposed to the outside already. Plugging in an unverified computer into the clean network will usually cause our IT guy to come find the person. I got dinged for that after plugging in a Micro-Controller board that was not recognized by the network in about 5 minutes.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
  3. Ban of outside laptops by tepples · · Score: 5, Informative

    Would you ban laptops at work for the same reason?

    A lot of businesses do in fact ban laptops that aren't company-owned.

    1. Re:Ban of outside laptops by TubeSteak · · Score: 4, Insightful

      A lot of businesses do in fact ban laptops that aren't company-owned.

      Exactly. You have a work phone number in exactly the same way that you have a work computer.

      I don't really think "but daycare and school" makes for a compelling argument.
      They have your work number on file, let them use it.

      All the other reasons listed are ones of convenience, not necessity.

      --
      [Fuck Beta]
      o0t!
    2. Re:Ban of outside laptops by Anonymous Coward · · Score: 5, Informative

      All the other reasons listed are ones of convenience, not necessity.

      Almost certainly. That said, all employees expect a certain amount of convenience, which varies greatly by situation.

      I'm an IT guy. If a company I worked for started with the, "no smartphones at work" thing just because they wanted to make sure they were getting every last second of productivity out of you, whilst working you overtime for no additional pay (as this rule will almost certainly be, every time), I'd add it to a list of reasons to go elsewhere.

      As with most things, it's not necessarily one thing that makes you leave... it's a lot of things adding to employee dissatisfaction.

  4. How reasonable is this concern? by spikenerd · · Score: 4, Informative

    How reasonable is this concern?

    Very reasonable, if your employer is a CA. Not at all reasonable if your employer sells hubcaps. Need more info.

    How can this sort of malware be prevented?

    Educate employees. (But your next question shows that you already know this.)

    Is there a way to educate employees...?

    Yes. Employees are not algorithms. That's why we employ them instead of just computers.

    This current reality is that people have started to rely on having their smartphones...

    Yes, if you want effective employees, you should allow them to use their brains, as well as extensions that make them more effective.

    Do you have any questions that lack obvious answers--perhaps something worth discussing in a forum?

  5. Re:Suck it up. by Anonymous Coward · · Score: 5, Interesting

    As long as my job pays me for every minute they intrude into my personal life or past the 8 hours a day I owe them, sounds fine with me.

  6. Back a few decades ago .... by PPH · · Score: 5, Insightful

    ... when I worked for Boeing, this was their company policy. No cameras, radios, or recording devices were allowed on company property. Although this was necessary in areas where classified DoD work was being done, they just applied this policy to all facilities. As cell phones and PDAs with cameras and recording capabilities became commonplace, they pretty much gave up on enforcing the 'no devices allowed' rule (probably still in force in actual secure areas).

    I would consider them (Boeing) and others in their line of business to have about the most conservative position on such technology. Seeing as how they have pretty much given up on such rules, I don't see how any other employers expect to get away with them.

    Also, if employees are going to steal proprietary data (for which I'm sure there is a company policy prohibiting said activity), sneaking a camera, USB drive or whatever onto the property in violation of rules is not going to be a deterrent.

    --
    Have gnu, will travel.
  7. Good luck by ironicsky · · Score: 4, Insightful

    If, after 20+ years of personal computers we still can't stop people from accidentally downloading malware, good luck preventing it on smart phones and other portable devices. The problem is, and always will be, the ignorance of the user.

  8. Not just malware that is an issue by oobayly · · Score: 5, Informative

    We were having some pretty bizarre network problems in our office one day - some machines were able to connect to our db server whilst some couldn't, and others could intermittently. Long story short*, somebody's smartphone (Android in this case) was responding to ARP requests (requesting the MAC of the server) even though it was showing its IP address as being assigned by DHCP. I reckon its previous IP on the user's home network was the same as our server, and for some reason kept answering to them.

    *Once I realised that packets didn't seem to be making it to the server (pings were intermittent), it dawned upon me to check the ARP tables on the clients. Looking up the manufacturer of the MAC address didn't immediately help as I didn't recognise the name, though I assumed it was a phone. At that stage I wasted time looking through all the phones looking for an IP address conflict (bad assumption). Finally looked up the DHCP leases for the offending MAC, found its current IP (no hostname was provided by the client), found the offending phone, and very nearly shoved it up the arse of the owner.
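
The check described in the comment above (compare ARP tables across clients, then look the stray MAC up in the DHCP leases instead of hunting for a matching IP), as an added example that is not part of the original post. It assumes Linux `ip neigh` output and an ISC dhcpd-style lease file; every address, client name and the `KNOWN` inventory below is constructed.

```python
import re
from collections import defaultdict

# Constructed `ip neigh` output collected from three clients (all values made up).
NEIGH = {
    "client-a": "10.0.0.5 dev eth0 lladdr 02:00:00:00:00:05 REACHABLE\n"
                "10.0.0.1 dev eth0 lladdr 02:00:00:00:00:01 STALE\n",
    "client-b": "10.0.0.5 dev eth0 lladdr 02:00:00:00:BE:EF REACHABLE\n"
                "10.0.0.9 dev eth0 FAILED\n",
    "client-c": "10.0.0.5 dev eth0 lladdr 02:00:00:00:be:ef STALE\n",
}
# Constructed lease file: the stray device holds a lease for a *different* IP
# than the one it answers ARP for, and sent no hostname.
LEASES = """
lease 10.0.0.142 {
  starts 4 2012/12/13 09:01:12;
  hardware ethernet 02:00:00:00:be:ef;
}
lease 10.0.0.120 {
  hardware ethernet 02:00:00:00:00:77;
  client-hostname "laptop-17";
}
"""
KNOWN = {"10.0.0.5": "02:00:00:00:00:05"}  # assumed inventory: db server's real MAC

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b", re.M)
LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    return {ip: mac.lower() for ip, mac in NEIGH_RE.findall(text)}

def find_conflicts(snapshots):
    """Return {ip: {mac: [clients]}} for IPs that resolve to more than one MAC."""
    seen = defaultdict(lambda: defaultdict(list))
    for client, text in snapshots.items():
        for ip, mac in parse_neigh(text).items():
            seen[ip][mac].append(client)
    return {ip: dict(macs) for ip, macs in seen.items() if len(macs) > 1}

def parse_leases(text):
    """Return {mac: (leased_ip, hostname_or_None)}; later entries win."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet ([0-9A-Fa-f:]{17});", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        if mac:
            leases[mac.group(1).lower()] = (ip, host.group(1) if host else None)
    return leases

def locate_offenders(snapshots, known, leases_text):
    """List devices answering ARP for an IP that inventory assigns to another MAC."""
    leases = parse_leases(leases_text)
    findings = []
    for ip, macs in sorted(find_conflicts(snapshots).items()):
        for mac, clients in sorted(macs.items()):
            if mac == known.get(ip):
                continue  # this is the legitimate owner of the address
            leased_ip, host = leases.get(mac, (None, None))
            findings.append({"contested_ip": ip, "mac": mac,
                             "affected_clients": sorted(clients),
                             "leased_ip": leased_ip, "hostname": host})
    return findings

if __name__ == "__main__":
    for finding in locate_offenders(NEIGH, KNOWN, LEASES):
        print(finding)
```

Keying the lease lookup on the MAC is what matters here: the stray device's leased IP does not match the contested address, so a search for a duplicate IP in the lease table finds nothing.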

  9. MobileIron by hagrin · · Score: 4, Interesting

    We are actually in the midst of going through something similar at my company (a very open, not secretive environmental firm). We recognized through employee surveillance and traffic logs that cell phones were a huge security risk at our firm and the decision was made to control as much as we could while still maintaining our "Mom & Pop" company feel.

    We switched all of our cell phones from one carrier to ATT and we purchased the MobileIron software (VPS and Sentry) to control all the aspects of the company phones that enter our buildings. In addition, for the people who chose the monthly subsidy as opposed to a company phone, we prevent them from getting WiFi access from within our offices as best we can (MAC whitelisting isn't foolproof but helps with 99% of our users). We don't allow the non-company provided phones to work if they are plugged into workstations via USB cable. With MobileIron I can control basically every aspect of their smartphones including camera control, data usage, app installs, etc.

    Now, we don't have this fully running in production yet so I can't comment on the pitfalls I'm sure to face, but the short answer is workplaces don't necessarily need to ban smartphones as that could actually cripple some business processes; however, they are definitely a security threat that needs to be managed just like other corporate and employee owned devices.

  10. What a good little slave you are by SmallFurryCreature · · Score: 4, Insightful

    My god, this attitude is amazing, what primitive part of the world did you grow up in? Most normal employers realize that work and private life are not so easily separated and simply allow the two to intertwine. If I ask someone to stay late because of deadlines, can I then deny them time to make calls during office hours to arrange private things? Hell, this must be an American thing. Do you also object to people using the company printer?

    Of course, normal people realize there is a line, you can print out a form, your CV is a bit touchy and you do NOT print out a thousand copies of your novel but come on!

    If you tried that master slave attitude in Europe, you would find yourself soon with no employees left.

    Unless there is a VERY real need for security, everyone carries a mobile phone with them in Europe. The idea you shouldn't answer a personal call during office hours is just so 19th century. Come on, join us in the future, we got cookies!

    Ten to one this gti_guy doesn't have a job, lives in a trailer on government assistance and whines about all those leeches living off the state.

    People good enough at their job to have one know they are valuable and companies are willing to keep them happy.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:What a good little slave you are by Anonymous Coward · · Score: 4, Interesting

      No, it's certainly not an "American" thing. It's a bunch of indignant unmarried, childless aspies who've never actually faced the problem spouting off about their "issues" with policies like this. And I'm pretty sure there's no national boundaries for that.

      Most employers have a "reasonable personal use" policy. If you're spending hours on the phone gossiping with your neighbors, then yeah, you'll probably be talked to. Have to take a short break to call the doctor's office to schedule a checkup? Call your wife to ask her to pick up the kids because you're going to be stuck at the office a little later than expected? Call the plumber to come fix that frozen pipe? Arrange with UPS to pick up the package at their delivery center since you won't be home to receive it? Get a call from daycare to let you know that little Johnny just had an allergic reaction?

      These are all typical things you might need to do during the day, and these are all typical things that corporate "acceptable use policy" will deem "acceptable use," except for certain very specific cases - i.e., DoD contracting, very very secret "trade secret" work, etc. Most companies won't allow you to connect personal devices to the corporate network, but more and more of them are setting up secondary "internet only" networks for phones, tablets, personal laptops, and the like. This concern about "they could hijack your phone and take pictures of your facility and map the interior!" is silly for anybody who doesn't work in a top secret facility.

      Here's an easy rule of thumb test: if you can bring your kid into your office and let them sit around there with you... you don't need to restrict cell phone use.

  11. Re:Suck it up. by MightyYar · · Score: 5, Insightful

    Am I too old or something? We always ran our personal lives from work, but it used to be a lot more invasive. You couldn't take care of many things online, so you had to leave work during working hours to take care of it. Any time you needed customer service, you had to use the telephone at work. You'd have errands to run, so you would either come in late, take an extended lunch, or leave early. Expecting a call? You had to hover near your desk so that you wouldn't miss it.

    I won't defend tweeting, updating Facebook, and the like - but I think that most employers recognize that letting people take care of some personal stuff while at work ultimately improves productivity.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  12. Re:Occam wanna sell you a razor by Big+Hairy+Ian · · Score: 4, Funny

    You can get a mobile phone signal on a Submarine? I didn't even know they'd licensed the ULF Range :)

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.