by _abox 1739 days ago
I don't think it's only the company's lifecycle affecting this. I've been working for multinationals my entire career and I've seen a bit of a 'wave'.

When I started my career in the late 90s, personal use was extremely low. This was because there was not much internet yet in the workplace, you actually had to request internet access and if you got it, it was very restricted. Most people only had desktops, you were really special if you had a laptop. Work was a 9-5 thing and jobs and IT were very strictly focused on your role. There just wasn't much non-work-related stuff to do except perhaps playing solitaire. Security was pretty good actually but really focused on the on-prem networks. If a hacker did make it on there they could run wild as nothing was encrypted. Nobody had admin rights.

Then in the 2000s-2010 things started loosening up. Everyone had internet access and it was mostly used for non-work. Most people still had desktops but were doing their webmail a lot. Extracurricular activities were less frowned upon. I remember one time walking into the customer care centre (I was admin) and pretty much everyone was playing this Flash game online where you had to swing a penguin and throw it a long distance, it was a bit like an early "Angry Birds". Managers were walking around and didn't really care, as long as the calls were answered when they came in. More and more people started getting laptops as they were getting cheaper. The old CRTs started disappearing for TFTs. If you had a work mobile phone (mostly managers) it was highly restricted like a BlackBerry or still a dumbphone.

Then came the cloud in the 2010s, blurring the line between 'internet' and 'work' much further. All people started getting laptops as they were no longer more expensive than PCs. The credit crisis in the late 2000s left its mark and there was a strong focus on productivity, no matter where or when. People logged in to O365 from home which was totally open, with username/password and no MFA. People had all kinds of work stuff on their phone, as MDM was still pretty basic. This period was peak security laxness. Security was viewed as an auxiliary cost not providing productivity. Not just in our company, this was the age of "USB stick with state secrets lost in taxi" headlines. Only financial institutions and government really had real security. People were using all kinds of cloud storage for work besides the official one and attempts from security to put a stop to it were hampered because 'people have to be able to work'. People were working at any hour on any device and this also made the burnout (and on the personal side, smartphone addiction) a common thing.

And then of course the reality check came in the shape of WannaCry. Things didn't change overnight but security was suddenly back on the map. The word of security was once again critical in the process, investment in it was no longer seen as unnecessary. MFA was introduced pretty quickly and restrictions to what users can do on the cloud. Limiting to official online storage tools only, we banned Dropbox for example. As a result we've been slowly returning to a phase where security is on the map again. At the same time privacy became more important. Both for the company (GDPR was a big driver!) but in the minds of the users in terms of "what work can see".

These days we're not really ruling out personal use or work use on personal devices, but doing it in a much more conscious way. MDM restrictions are more common. Android got Work Profile which is a pretty ideal way of providing work access on a personal device IMO. Strong restrictions from work but no visibility on what the user does on the 'personal side' of the phone. We're starting to implement document encryption with Azure Information Protection, meaning a document can be tracked and protected all the time. This is also the time of SSL inspection proxies, and limitations on what users can do if they log into the O365 cloud from an unofficial device. Admin rights which had slowly been granted by default to pretty much everyone over the last decade are now being removed again.

I think this is where we're heading now, we don't want to lose the flexibility of mixing work with personal, especially now that so many people work from home. But the separation is becoming more 'official' and supported by the operating systems. We're also seeing a return of the VDI concept which was gone from the old Citrix days. I think most of the intermix between the work and private will take place on personal devices, not on work ones. And where it does happen on work machines it will be in the browser only.