
Sunday, February 20, 2011

Employee Devices Come To Work “Bring Your Own” Notebooks: Smart Move Or Risky Business?

Employees have been bringing personal electronics to the office for years: Music players, digital cameras, PDAs, and more have all been introduced to the workplace, often with no problem, though occasionally with dire results. But what about when employees use personal notebooks, smartphones, and other devices not as toys to use over lunch but as part of the actual workflow? That is, what happens when employees, in effect, provide their own office technology?

Allowing—or in some cases, requiring—employees to use their personal laptops and phones at work is a growing trend. According to a recent Gartner survey, 14% of workers could be using employee-owned notebooks as their primary work computer within a year or so. The study also pointed out that employers are almost evenly divided on the topic: While 48% of surveyed companies prohibit the use of personal laptops at work, 43% allow their use.

Happy Employees, Happy Employers
Most employees like the idea of using their own computers and smartphones for work—especially if the company offers (as most do) a stipend of some sort to help offset the cost of the device. The companies, meanwhile, reason that a happy employee is a more productive employee.


But it’s really all about money, of course. Companies that encourage employees to use their own computers and phones need not buy those devices, which means they spend less money on equipment, even with a stipend. The cost savings can be considerable.

The Risks
But bringing employee-owned devices to work is not without risks. If the program is not well thought out, serious security and legal issues can arise, says security expert James O’Gorman. Take smartphones, for example: “Who owns that data on the phone?” asks O’Gorman, a developer for Social-Engineer.org. “It’s a personal device, but it contains company data. If the employee leaves the company, does the company have the right to do a remote wipe of the phone? Or would that destroy the employee’s personal data, given that most remote wipe functions reset the phone to factory defaults? In the event of a lawsuit, is the device discoverable? Does the employee want his personal property involved in a company legal matter? Who is responsible for device security, and how can it be enforced?”

These are questions that employers cannot afford to ignore. Some hard questions must be asked and answered before moving ahead with a “bring your own notebook” policy: Who supports these devices? (If it’s the company, does that eat up the supposed cost savings?) If an employee is walking around with a notebook on which company data resides, who really owns that data? If the laptop is stolen or misplaced, who is responsible? If the employee leaves, who is in control of that data? And if an employee picks up a virus or worm, brings that malware into the office, and connects to the company network, what then?

Some experts argue that the practice of having employees bring their own notebooks and smartphones to the office is simply too risky. “I advocate that employees have clearly separate corporate and personal devices, from phones to laptops,” says O’Gorman. “This keeps the company out of the employee’s personal life, and it ensures that the employee’s personal life cannot affect the company’s IT infrastructure.”

The Benefits
Nonetheless, some companies feel they have a handle on the risks and that the potential benefits are too great to ignore. “We do allow people to bring their own laptops into the company and hook them up to our network,” says Jim Swartz, CIO of Sybase, an enterprise software and services company with more than 4,000 employees.

Saving money. Sybase began experimenting with employee-owned laptops three or four years ago as an attempt to find alternatives to the expensive laptops it was placing on every employee’s desk. “That led us on a path toward developing virtual workstations and Desktops,” says Swartz. “As we went along that path, we found that there’s a point at which you can start thinking about letting people use different types of devices, and by providing some other tools—such as network access controls—you could control and protect your network and [still] allow people to bring in their own devices.”

While some companies worry that IT departments will end up supporting multiple employee devices if those devices are allowed to become part of the workflow, Swartz says that Sybase avoids that problem. “That’s part of the agreement,” he says. “If you want to use your own machine, then you take full responsibility for its support, including repair.”

Staying secure. Worries about security and legalities are well-founded, says Swartz. To avoid those problems, Sybase has gone the route of “sandboxing” access to the corporate network. Employees reach the network through a virtual Desktop that does not allow them to download company assets to their local devices. The only thing on the employee’s device is remote access VPN software that lets the employee interact with information on the network, but which does not allow storage of those files: “We don’t let data leak to any device,” says Swartz.

The sandbox approach means that the employee never has company data on his or her system, and is thus never responsible for the security or ownership of that data. This approach provides an attractive flexibility to both the company and the employees. “We think we’re seeing more of our colleagues in other companies doing the same sorts of things and recognizing the benefits of allowing the employees to bring in devices they really like. And for those people who use a company-provided device, if a company-owned, consumer-grade laptop or a thin client device breaks, the time to get people back up and running is very, very short.”

Not everyone is confident that “sandboxing” will completely protect company assets. Some worry, for example, about keystroke loggers such as those installed by the Zeus botnet. “If you look at that sort of malware, you will see a level of sophistication that can bypass that kind of control,” says O’Gorman. “If the thin client-style employee system is not subject to the same level of control as corporate systems, it remains the weak link in terms of malware that can lead to credential theft.”

Think It Through
In the end, of course, company officers will have to make the decision to allow (or disallow) the use of personal notebooks and phones as part of the typical workflow. It’s a trend that’s on the rise, but one that requires a thoroughly thought-out policy that takes into account the potential support, legal, and security implications.
