Reply to thread

Message: [QUOTE="RF2044, post: 4104339, member: 40"] The main reason is to ensure appropriate cyber security and management of end user devices used to access company data / systems that contain sensitive information, which could be breached or exfiltrated if appropriate security controls are not in place. This is difficult to govern if people are using different devices and there's no centralized security protocol in place [this is often coordinated by IT]. One approach is to standardize equipment. Company issued laptops / desktop computers can be configured by IT with the same security software -- such as anti-malware protection, and any other tools you have in place [IDS, IPS, etc.]. These protections can be configured and changed to ensure consistency, and then "pushed" to users to ensure that the appropriate security is in place. It's also easier to coordinate changes, to implement new protections, etc. which can then be adjusted once and applied to all end users instead of having to do this individually 10, 20 or how ever many times on everyone's different device. Standardization also makes it easier to deliver ongoing support and maintenance. Of course, you can also do this if everyone has different devices, but this makes the entire process more complex. If one person has an HP [Windows] and another is using a Mac, you might need different versions of the same security software to accommodate both platforms. The configurations will be different. And of course, if your users are essentially bringing their own devices to the job and IT has a laissez faire approach, then it is difficult to ensure that security best practices are being followed. It also enhances the exposure risk for sensitive data -- for example, if someone is using a personal laptop to access your firm's data, and their wife or kid also uses the laptop, they may [inadvertently] gain access to files, data, records, etc. that they shouldn't see. Or if users are downloading documentation to their individual devices, the sensitive information has now passed outside of your organization's control and is at risk if others access the device, or if the device is lost / stolen. This isn't an insurmountable issue. Lots of companies don't use standardized devices, it just makes it a lot more difficult to ensure that security is in place and being followed. If you leave it up to the end users, then the exposure risk goes up considerably. But you can partially offset that by requiring users to VPN into your network [just an example], which means that they can only connect and access systems and data by a secure log in. It could also be configured to prevent downloading of records -- so in practice only authorized users would be able to log in and get to the data. This is already longer than I intended, so to sum up it comes down to how much security do you want to have in place, and whether you want to centrally manage the security or leave it up to the users and cross your fingers. Security can be implemented no matter which option you select, but your company will have a lot more control, consistency, and lower costs if you orchestrate it on behalf of the users, instead of leaving it up to them. [/QUOTE]

Verification: What is a Syracuse fan's favorite color?