Security Still Allows for Variety of Laptop Policy Options for SMBs


In my post, "Should You Allow MacBooks on the Network?" I wrote about the issue of technical support when employees ask to start bringing their personal laptops into the workplace. Or, worse, just do it without asking. As staffers demand access to the corporate network with systems never envisioned at the planning stage, the result might well be a ballooning support cost.


Now, let's look more closely at what probably makes you even more nervous: the security issues.


In the story of the Trojan War, the Trojan Horse proved pivotal to the Greeks winning when it was unwittingly brought into the City of Troy. Similarly, that lone laptop brought in by an unwitting staff member could be host to any number of types of malware. The end result is the potential for multiple attack vectors originating from this laptop -- leading to the possible compromise of your network.


Appliances such as intrusion detection systems (IDS), or a network administrator with a sharp eye, should help keep this situation from getting very far. Alternatively, you could follow my earlier suggestion and impose an outright ban on external laptops.


I am mindful that outright bans might not sit well with the culture that you wish to foster in your organization. In such a scenario, I would suggest communicating a clear company-wide policy with unambiguous rules that define what is, and is not, allowed. For example, the mandatory installation of antivirus software or a software firewall could be stipulated as a condition before personal laptops are granted access to the company network. And no matter the particulars of your policy on these devices, the only way to ensure that the rules do what you want them to do is to make your employees aware of them and give employees enough information that they care.


If you have already deployed wireless in your organization, another solution might well be to create an additional wireless network for non-corporate computers only. Network traffic within this zone could then be more closely monitored for signs of nefarious activities. Indeed, this strategy could be useful for granting temporary access to contractors without allowing them to connect to anything vital.


I hope my suggestions have helped you. If you have any questions, feel free to leave your comments here.