Until someone breaks into a company via a personal mobile device and steals a whole bunch of data, and now companies are liable for security faults on mobile devices they don't have any control over. Oh, wait ...

Anytime someone asks me to use their personal whatever to do "work" my reply is twofold: "Okay, 1) the company now gets to scan and archive everything on your personal device--please do make sure that there are no naked pictures, including those of you, your partner or your children taking baths, etc. or we will have to fire you and likely report you to the police and 2) the service you are requesting will be promoted to a public facing service and will be available outside the firewall with our standard security features--I will take that up with the CxO levels."

1) generally stops people cold and it should. Generally you get "You can DO that?" followed by an "Ummmmmmmmm..." as they think about what is on their phone. I don't want to scan your personal device. I don't want to know what you do, really. Please, spare me. I was an email admin in the early days of the Internet; I didn't want to see it then, and I certainly don't want to see it now.

2) this causes an actual discussion about need and risk. This is going to be outside and is a security hazard; how much risk is really involved? Do we really need this service available to multiple people, or is this a one-off request? I'm not even averse to a one-off, but I'll keep an eye on it (I always have sunset deadlines for outside services if I can). If, after say 6 months, it's still just one person using it, it's probably going to get shut back down.

I understand that firewalls aren't magic. I try to harden things inside the firewall to the same levels as outside. However, work needs to get done, people take shortcuts, etc. "Secure" is not absolute--my goal is to try to align the risks with the benefits while only being about 1/2 an asshole about it. Sorry, but if I'm always nice, nobody listens. :)
It turns out that some people didn't realise that the above story was supposed to be satirical and actually built tools that will do that. Whatever you do, don't ask those people about stats on things like legitimate vs. accidental, malicious or negligent wipes. Certainly don't ask about the proportion of employees who were subject to "bad" wipes but got no apology or compensation, just an HR or legal goon pointing to an agreement they signed but did not even slightly understand in which they explicitly consented to exactly that.
If a business has a genuine need for someone to have mobile access to its systems -- which is sometimes reasonable, though not nearly as often as a certain kind of manager pretends -- then the business should provide a completely independent device under its own control for that purpose. It's really that simple.