I never got the BYOD thing.
My employer should provide the required tools, if not, then the work is done within the constraints of what is available.
I’d rather buy and manage my own device, which is then powerful enough for my needs.
But some of the differences lie in understanding how to work around constraints.
I've been putting off requesting some specific administered software removal from my own machine for months because I keep getting caught up in much more pressing work. In most cases I'm able to just work around it. In other cases, it just eats up time. But I can see the path through to a solution more clearly than any corporate wrangling.
In smaller or more nimble companies, you, or rather your line manager, can influence hardware budget as an offset of your salary vs. productivity. Also, in some larger organisations where departments/teams are more autonomous and have more slack, your manager may be able to influence that.
But in many large organisations, those who decide what standardised underpowered hardware you shall have may never have even met your line manager, and they cannot influence that policy.
I once worked with a client that handed out completely hamstrung laptops with barely any memory and slow disks to all contractors. Project builds would take 30 minutes or more, and I'd watch paint dry by reading Slashdot (a long time ago), jousting on chairs in the corridor, etc. Plus more time lost as you don't realise instantly when the build has finished, and the time to reload all the context back into your own brain's memory...
The difference in cost between a top spec machine and the one they handed out was less than the invoice cost of the lost productivity in a day or two. I was there for two years... Granted, after a while I did get better and better machines, but never good ones.
Though I no longer really work for clients that do that, and my last few contracts have been BYOD, which is fine by me. As long as they provide a quality external monitor and the sit-stand desk, then I'll bring my own MacBook.
Honestly, I've been there; coding on a single 15" screen. Eventually most employees brought in a second monitor from home.
But if this is the case, I believe strongly that the employer must provide the necessary tooling.
These state that there needs to be proof of several data security aspects on all devices of all people working in a facility for one of these companies/clients as a contractor:
- Antivirus software up to date
- Firewall active
- Hard disk encrypted
- Ability to remotely lock device
- Ability to remotely wipe device
To ensure that this is in place at all times on all devices, one needs a programmatic solution - Endpoint Management. And as this needs to be root (for remote wipe), this could be seen as spyware (as I like to call it internally).
So yeah - there are a lot of companies/industries enforcing this. As someone above said - banking is another industry, insurance, medical and other high profile stuff with sensitive data might come to mind.
The text does not say this - but this I added just from experience. And I actually hope that someday companies like mine could go the Apple way and ensure Endpoint Management on a per user account basis. That way I could still take home my company laptop and use it privately with a different user.
I strongly believe all this software only enlarges the potential attack surface.
Not sure if this "zoo" of software is more of a security theater and a legal protection to be able to tell everybody "we did all we could possibly do" in case of an attack/hack/what not.
But even if I strongly suspect my device was more secure before, I know that lots of less tech-savvy people will have at least some standard (encrypted SSD, and such) enforced. So I am not yet decided if in the end the net benefit is positive.
It's all about fulfilling IT and law checklists.
You say spyware; I say software that guarantees there is a password, that there is a reasonable lock-out time, that encryption is enabled, etc. Leaking data because you let your most gullible employee install whatever he or she liked on their laptop and phone (e.g. Facebook's spyware certs so they can read all your traffic) is going to get you in trouble in a hurry.
For example, CCPA. Which applies to a lot of us in 6 months.
> duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information
I am undecided if in the end the additional software is a net positive. I am totally on your side that some basic security measures need to be enforced. And I know that this might be possible in terms of culture and processes like onboarding with a small number of employees.
And I know that in a global corp this isn't feasible.
Nonetheless, I am not sure that just throwing software at a basic problem of awareness really helps in the end. Especially if the to-be-enforced standards like ISO 27001 are in some cases weakening the security.
I am forced to use shorter passwords now. And I need to rotate them after a specific amount of time. I automatically have software installed (because next to security stuff we get some additional software) that does not exactly have a reputation of being secure.
So while there is light there is also quite some shadow.
If in the end this proves to be net positive, we will have to wait and see.
And yes: I call it spyware. It has its own SSL certs, could potentially open my connections, monitors all and every connection my device makes, can (without me knowing) download any file on my device. And it can also plant any file on my device without my knowledge.
As root it can add any additional functionality without my knowledge. And it does, as far as I have been told, scan any network I connect to for unmanaged devices and transmits (to quote) "a rich set of information for the located assets, including the hostname, MAC and IP addresses, device manufacturer, operating systems, open ports, applications, and historical information such as the first and last time the asset was seen on the network."
And it is not only being marketed as being compliant to GDPR, but actively helping and supporting companies to become compliant with this exact feature.
I also talked them out of requiring virus detection on our macs, but this took a lot of work to avoid trusting (most) laptops.
But also thanks a lot for the idea to do this and try that. Not sure if it works with being ISO 27001 certified - but at least one can try.