
Network World

RE: Security policies? Workers ignore them, survey says

Why does everyone pussyfoot around this issue - just come out and say it: the laptop computer is a corporate liability. Even if the user "behaves", the minute it leaves the building it's exposed to risks which are beyond the capability of all but a security expert to comprehend.

It doesn't help that users have this attitude that, because they can push a power switch and work a mouse/keyboard, they are "PC experts"... that because they have high-speed access at home, it's "just like" what is in the office.

There are, of course, a few corporations which lock the laptops down so that the user cannot do any damage, i.e. the administrator access is limited to IT dept., but the converse is more common: the employees treat the laptop like it's a present to them, with which they can do what they like; as noted in the article, in some cases it becomes the "family computer"... and exposed to the avalanche of malicious spam and web sites.

We all know what happens but nobody seems to want to take the proper steps to prevent the inevitable.


the real problem: confrontation aversion


The root of this problem is not "laptops", or even more broadly taken, "mobile devices." Disabling firewall rules, installing file sharing software on desktop machines - "because we didn't know better" illuminates the problem.

We can only implement so many technical solutions - eventually we're going to have to address the "human" issues.

And human issues are the real problem. The passive-aggressive nature of humanity and a serious aversion to confrontation are the major road-blocks to success with policy.

For businesses, the steps are simple:
1. Establish policy (decide and DOCUMENT what you will and will not tolerate - be clear and specific.)

2. Educate all employees, third party vendors, contractors, etc on the specifics of those policies. Require signatures and maintain those acceptance documents to reference in the future!

3. Audit against that policy (do it yourself or hire a consulting firm that specializes in that area) This is all about governance!

4. Enforce that policy! Show you're serious about consequences. Stop avoiding confrontation. Require your employees to take responsibility for their actions and stop allowing them to play the blame game... "well, you didn't specifically block downloads of that file type so it is your fault I downloaded it." WHAT? Force individuals to take responsibility and stop laying blame.

If businesses would get serious about policy training and enforcement the free-for-all would end.

It's usually not IT...


Any responsible IT shop will tell you laptops are a security nightmare. What's an even bigger nightmare, is management being intent on giving EVERYONE a laptop, because they just 'might' get the urge to work from home every now and then. Forget that the laptops are fundamentally slower, more expensive, harder to repair, harder to upgrade, easier to steal, easier to break into, complicated, finicky, limited in upgradability, etc etc etc. Managers who side with people who 'need' a 20"+ LCD, AS WELL AS, their 17" widescreen laptop (closed and tucked neatly away, instead of actually expanding screen real estate, they've just stretched it and put it on a larger screen at the same resolution) These same people then take their laptop home, and let their kids trip over the power cord, or dump milk into them, or pull keys off of the keyboards. Then complain because the systems they're relegated to aren't fast enough.

Not to mention Management's inability to hold the user-force up to any kind of security requirements, from having the screen-saver lockout turned off two weeks after applying it (again) or stretched to the point of uselessness (anything can happen in 10 minutes, but a whole lot MORE of anything can happen in 2 hours), to IT disallowing mobile devices we cannot remotely wipe (and preserve corporate data), and having management over-ride the ban, because half of those with at least a V in their title have already run out and bought the latest consumer gadget, with nary a glance at security or IT's recommendations.

It's not IT, we KNOW laptops aren't great, it's management's bullheadedness, and intransigence to reality regarding ROI and security that's hosing many companies.
