This article is more than 1 year old
Spoiling staff with toys could turn against your business
Keep BYOD under control
Many companies put staff engagement high on the agenda: they reason that if you keep staff happy they are likely to be productive and stick with you through difficult times as well as when it is all going swimmingly.
It is a perfectly sensible thing to do – so long as you involve the IT department in the process.
My first IT support role was in 1989 and in those 25-plus years I have witnessed my fair share of horror stories that were caused entirely by the company's desire to keep its users happy.
This has sometimes taken the form of an approved company policy created for staff engagement purposes. But it is equally sometimes the case that a well-meaning individual has done something a bit daft – though generally not with malice aforethought.
I dislike the idea of allowing people to use their own devices on a corporate network. Even an ADSL internet connection with a Wi-Fi SSID that is entirely separate from the corporate network can be problematic.
For example I have been contacted by an external company that thought someone had tried to hack it from our company's “guest” broadband network. I have also had problems when the multitude of personal devices (phones, tablets, laptops) owned by our employees had overflowed the IP address range defined in the broadband router.
Given the current penchant for bring your own device (BYOD), we can't simply ignore the desire for connecting personal devices to the network in some way. There are, however, only two ways to do it:
- Let them connect via Wi-Fi to a LAN outside the firewall, then jump into a virtual desktop or equivalent with two-factor authentication in front of it. Never use a traditional VPN that connects the machine so it feels like it is on the LAN with regard to file sharing (it is hard to monitor users as they drag your corporate secrets to their laptops) and server connectivity (untraceable SQL injection effectively happening across the LAN is never pretty).
- If you must let users connect via a cabled LAN, use LAN admission technology to ensure that they can't get onto the main network until their computer has proved it is fully patched and has up-to-date antivirus software.
In the first case, with the advent of 4G data services even Wi-Fi is becoming a bit of an optional extra: my iPhone 6 gives me about 20Mbps bidirectionally on an almost all-you-can-eat plan, so unless I am roaming I tend not even to bother with Wi-Fi.
If you go for the second option you should then turn it off, because all you have achieved is letting them drag your corporate secrets to their desktop much faster than with a VPN solution.
Pick your own
I have sometimes walked round the offices of companies I worked for and marvelled at the range of company owned machines sitting on desks.
(I have also marvelled at the number of laptops chained to desks with security straps whose locks have all but seized up, so rarely have the machines been taken out of the office, but that is another story).
Sometimes the companies have purchased machines one or two at a time and models have moved on. I can forgive this, though if you are sensible you go for a vendor with a corporate range whose spec is guaranteed to be static for a good while. But sometimes people have been allowed to buy whatever they wished.
Pity the poor IT guy who has to deal with a mishmash of hardware; laptops in particular are tricky enough to pull apart and diagnose without having to contend with different vendors' kit that fit together in wholly different ways.
There are only two possible reasons for deliberately allowing different brands of a particular type of kit (desktop PC, laptop computer and so on). One is that you have changed your standard vendor so you still have some older kit from the previous vendor as well as the newer kit.
The other is that you sometimes sell stuff to computer vendors and you need to be seen rocking up to their offices with the right brand of laptop: when I worked in publishing turning up at DEC's office with a DEC laptop gave a good first impression. In fact, we had one of each of half a dozen brands in our cupboard and loaned them out as required.
Define a standard, evolve it as infrequently as you can, and enforce it. At the very most have a basic laptop, a power-user laptop and a standard desktop. There is no conceivable need to let users have the machines of their choice.
Check your privileges
Hands up anyone who doesn't have at least a handful of users whose file access privileges are way above what they need. Those of you with your hands up: I bet you are fibbing.
The scariest instance of over-elevation I experienced was a few years back when I needed Remote Desktop connectivity to 14 servers for a project I was working on. When the email came in confirming that the access had been granted I tried it but got the well-known “You're not authorised for remote login” error. A quick email interchange later and this was sorted.
While I was waiting for some stuff to run I idly browsed my AD permissions. Oddly, I couldn't see membership of the group that granted remote login. And when I looked closer I saw that I didn't need it because they had made me a domain administrator (which in AD terms means God).
Never, ever grant anyone elevated privileges just because you either don't have the time to configure a proper permission set or you don't know how to do it. Ever.
Oh, and if your systems director wants domain admin privileges just because he's the systems director, tell him where to go (politely).