Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Do You Use a Smartphone At Work, Contrary to Policy?

Posted by timothy on from the they'll-never-take-me-alive dept.

Jason McNew writes: I have been in IT since the late '90s, and began a graduate degree in Cyber Security with Penn State two years ago. I have always been interested in how and why users break policies, despite being trained carefully. I have observed the same phenomena even in highly secure government facilities — I watched people take iPhones into highly sensitive government facilities on several occasions. That led me to wonder to what extent the same problem exists in the private sector: Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property. This question has become the subject of a pilot study I am doing for grad school. So, do you use a smart phone or other PED during work hours, even though you are not supposed to? Please let me know, and I will provide the results in a subsequent submission to Slashdot.

7 of 227 comments (clear)

  1. Re:No! by cayenne8 · · Score: 4, Insightful
    I've never worked at a center where smart phones and the like were Verboten. This includes different govt. facilities too. Secure ones.

    About the only policy they had, was to NOT set up or use any wireless access points, they did actively scan for these but cellphones and the like they never had a policy against them on worksite.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  2. Perceived incompetence and lack of rationale. by Anonymous Coward · · Score: 5, Insightful

    When you see people around you at work who are incompetent in your field, you assume that people throughout the organization are often incompetent in their field. When I worked in government, this wasn't uncommon. So you have a lot of rules, many of which are inconvenient to you. Since the *reasons* for the rules aren't ever published, you write off the inconvenient ones as incompetence; you don't believe they're actually any threat at all, and the punishments are sporadic-at-best, so you ignore the rule.

    Taken out of the normal corporate workplace, there are rules against phones on airplanes. For over a decade... they simply didn't matter to the plane, and it was easily observable to any traveller, as often, the person next to you wouldn't turn off a damn thing, and things worked out fine.

    The reason for the rule was that one phone a mile in the air could try to connect to hundreds of ground based towers, hosing the whole network. Since you weren't able to connect, you couldn't see that; you just used the phone. But since the *reason* for the rule wasn't really published, and the effects seemed nonexistent, people ignored the rule all the time.

    That, and holy hell, phones really aren't a security risk. People are a security risk; if someone's allowed to see the same document a thousand times, they can simply memorize it instead of taking a picture. You need to have people you trust; the government simply runs on the policy that no one can be trusted, and (often!) gets far less competent people because of that... ...which leads back to my first point, which is when you see occasional incompetence around you, you assume the rules were written by someone incompetent.

    1. Re:Perceived incompetence and lack of rationale. by painandgreed · · Score: 3, Insightful

      That, and holy hell, phones really aren't a security risk. People are a security risk; if someone's allowed to see the same document a thousand times, they can simply memorize it instead of taking a picture. You need to have people you trust; the government simply runs on the policy that no one can be trusted, and (often!) gets far less competent people because of that...

      Well, phones are considered the security risk. They do trust the people, but not the phones. A cousin of mine works on a secure military base. They used to be able to keep their phones, so long as the batteries could be taken out and be sure they were non-operative. With the iPhone and similar, they couldn't take out the battery, couldn't be sure it was off, and couldn't really tell if it was recording data whether or not or if the owner even knew about it. Thus, they banned all phones at the door. They weren't worried about somebody there as much as about somebody installing software or otherwise hacking the phone itself without the knowledge the owner. They are, after all, not really phones, but small pocket computers with wireless connections whose power is probably greater than what we worked with ten years ago as a desktop.

  3. Proof of Security Risk from Portable Electronics by SenatorPerry · · Score: 3, Insightful

    "Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property." - Citation needed.

    Just because it could be used in a particular way does not make it inevitable that it will be used that way. In a citation you need to provide solid evidence that this has occurred and that this is a risk. In cases "I" have heard it was an action of the employee in control of the PEDs that initiated the security/IP theft. In those cases that person had physical access to the assets and would simply have chosen another mechanism for theft if PEDs weren't available.

  4. Threat? by Jaime2 · · Score: 3, Insightful

    Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property.

    But, security is a huge threat to productivity. Is it possible that while the employees were being drilled on security, they were being held accountable for productivity and not given tools that were nearly as productive as their PEDs? For example, everyone likes to yell at the guy who's not paying attention to the meeting because he's texting, but they forget that the same technology allows you to send the on call guy to the meeting and have an 95% chance he will be able to actively participate. The alternatives are to have a second meeting or hire another tech so there is one on call and one available for the meeting.

    People immersed in security all day sometimes forget that security is about tradeoffs, not eliminating all sources of "insecurity". A good general rule is that if a security policy is being widely ignored, then it is probably not properly aligned with the organization's goals.

  5. Security vs Productivity by jklovanc · · Score: 3, Insightful

    I find it interesting that so many people refer to security getting in the way of productivity. What happens of all your security circumventions cause a breach that results in R&D being stolen, the system being hacked and customer personal information released, systems being taken down, etc. These can cause millions of dollars of loss. All your "producivity improvements" may be negated and much more by a breach caused by your failure to follow the rules. I think that the "my productivity is being harmed" people are too focused on their own job and refuse to see the big picture.

  6. Re:No! by greggman · · Score: 4, Insightful

    That policy is not going to survive as people start augmenting their eyes and brains. It might be 10 or 20 or 30yrs out but it will happen. First the blind or near blind, followed maybe by soldiers, eventually just like cellphones went from military only to briefcase size to geeks only to no 15 yr old girl would be caught dead without one, so will this other stuff