Do we need to come up with new ways to deal with the risks associated with non-company equipment being connected to our networks? I presently operate a policy that prevents anyone from plugging in their own personal laptop computer. There are a number of reasons why, mostly related to the threats of malware and other unauthorised software polluting the network. In fact, like many other organisations we have a standard, one-size-fits-all, desktop computer build. I say one-size-fits-all but in fact it’s not quite that straightforward because certain groups – developers, for instance – require more flexibility. Even so, GPOs are tightly controlled, with software in place to identify any desktops that fail to comply.
However, my thoughts are now turning to the idea that perhaps there should be more flexibility in the system to allow users’ own personal systems to connect. There is more demand for this than ever before, across an increasing variety of device types ranging from laptops to PDAs, digital cameras and other multimedia devices. However, I’m also very conscious of the need to remain in control of the network. The question is one of how to enable business and personal resources to live side by side.
What problem am I trying to solve? Here are a few:
My opinion is that we should be enabling use of personal equipment and managing the risk. This means strengthening the security of our enterprise systems and the data that’s on them whilst relaxing some of the constraints presently placed on users.
I was reading an article referring to a document entitled “Zen and the art of ceding control of consumer tech to end users.” The point is made that “The adoption of consumer technology in the enterprise has a huge impact on the support and customer care IT has to provide… You can’t keep up with the pace of consumer technology. You can’t support it all yourself because there are too many. You can’t ignore it. The only alternative is to outsource some of the responsibility to the end users.” The article goes on to quote:
Instead of dictating policy or enforcing standards, IT’s role is to “set guidelines and steer users in the right direction.”
I agree. The days of IT dictating what users can and can’t do should be over. Users need flexibility and enablement but we also need to maintain centralized management and control.
It’s a big challenge because our policies are so geared up to socialist – two legs good, four legs bad – style management. I’m also very mindful of the fact that if we are to open up to non-company equipment, we also need to get better at making users more personally aware of, and accountable for, risk. From an information security management perspective it makes me very nervous because of the obvious risks, but it is also exciting, because if I can get this right then I’ll have achieved something of value to the business.