We will be hacked soon thanks to a loose BYOD policy

[-]

Gullible_Big_9196@reddit

Is this a publicly traded company and what ticker, please. Asking for a friend.

Reply

[-]

IronHitmonlee@reddit (OP)

Hahahaha that would be insider trading… does Reddit support disappearing messages

Reply

[-]

Look_Ma_Im_On_Reddit@reddit

yes, just put !disappear30 before your message and it will disappear 30 seconds after we read it!

Reply

[-]

CaptainPonahawai@reddit

you can go hunter2 my hunter2-ing hunter2

Reply

[-]

ShittyExchangeAdmin@reddit

it even works for credit card numbers! ****-****-****-****

Reply

[-]

4P5mc@reddit

Ooh, does it work for IP addresses? 127.86.133.32

Reply

[-]

zeezero@reddit

Mine still shows the last 4 digits? \*\*\*\*-\*\*\*\*-\*\*\*\*-4678

Reply

[-]

TKInstinct@reddit

I swear to god I actually remember using this password at some point or another when I was younger

Reply

[-]

!disappear30 Sometimes I cry myself to sleep at night wondering if this is all there is to life. Wow, I could never admit that out loud, but knowing that this is going to disappear forever after 30 seconds makes me feel so safe! The healing has begun!

Reply

[-]

FriendlyNBASpidaMan@reddit

!undisappearPreviousCommentNoTakeBacks Sorry, I was curious.

Reply

[-]

SirQuackTheDuck@reddit

!disappearPreviousOP

Reply

[-]

volatilebool@reddit

!password ********** wow! It masked my password

Reply

[-]

IronHitmonlee@reddit (OP)

hahahahahahaha you guys have probably tricked someone somewhere with this

Reply

[-]

Rogue__Jedi@reddit

hunter2

Reply

[-]

UnknownPh0enix@reddit

unshadow [op-password](http://bash.org/?244321)

Reply

[-]

fractalfocuser@reddit

hunter2 is my go-to temp password for people lol

Reply

[-]

BlazorkAtWork@reddit

Edna, is that you?

Reply

[-]

Deruji@reddit

Bash.org :)

Reply

[-]

nostril_spiders@reddit

The Cuckoo's Egg, Cliff Stoll

Reply

[-]

alter3d@reddit

It's 7 asterisks a little insecure?

Reply

[-]

StabbyPants@reddit

not really, \!password uses a fixd representation, so we don't know how long it really is

Reply

[-]

ywBBxNqW@reddit

> Isn't 7 asterisks a little insecure? It's not nearly as secure as seven proxies.

Reply

[-]

kriegnes@reddit

man i really need to stop clicking on everything thats blue on reddit. if i get hacked, thats gonna be the way. actually, indians are trying to get into my shit all the time, i guess its too late already

Reply

[-]

Deruji@reddit

Hunter2 is your password?

Reply

[-]

FriendlyNBASpidaMan@reddit

It doesn't work like that. I specified no take backs. Does no one read the documentation on these tools?

Reply

[-]

SirQuackTheDuck@reddit

I wasn't talking about the comment. I was talking about *you*.

Reply

[-]

CaulShiversEye@reddit

Wait what did OP say! I can't see the comment!

Reply

[-]

ChatterBrained@reddit

Here 8 hours later to see if this gets deleted in 30 seconds

Reply

[-]

playerDotName@reddit

Hey don't disappear this because I feel the same way, so I think maybe we need a support group instead of hiding our feelings!

Reply

[-]

stupidbitch69@reddit

+1 to this

Reply

[-]

playerDotName@reddit

Username.. doesn't check out? What?

Reply

[-]

stupidbitch69@reddit

Don't know what to say to this honestly....my username might actually checkout now....

Reply

[-]

ThemesOfMurderBears@reddit

See, I read that, and thought "That *has* to be bullshit." Then I saw your comment right below it, four hours old, with that `!disappear` in front of it. Thanks!

Reply

[-]

nomnommish@reddit

>Hahahaha that would be insider trading… does Reddit support disappearing messages Just to clarify, revealing info about how a company works from the inside is not insider trading. Heck, even if you revealed some secrets, it would not be insider trading. Everything you're revealing is accessible to the public as reddit is an open forum. It would only be insider trading if you revealed insider info to a select group of people (or kept it to yourself), and you or those people traded stocks based on that info. None of that is remotely the case here.

Reply

[-]

Xplic1T@reddit

... trust me bro

Reply

[-]

VexingRaven@reddit

Correct. It might be a violation of your confidentiality agreement or something though and if that breach causes a loss of money they would probably be able to go after you in court. So still a bad idea, just for different reasons.

Reply

[-]

3cxMonkey@reddit

ROFL he has no confidentiality agreement.

Reply

[-]

VexingRaven@reddit

How do you know? I've literally never worked for someplace that didn't have one, even small companies.

Reply

[-]

H-90@reddit

Ive never had one, might be more of an American thing.

Reply

[-]

3cxMonkey@reddit

I'm in Murika and I have no clue what he's talking about. I don't know a single person that has one.

Reply

[-]

unprovoked33@reddit

*points to CEO’s behavior

Reply

[-]

peoplepersonmanguy@reddit

They had one but the CEO was furious HR would stop him from shitposting on reddit. They also used to have HR.

Reply

[-]

SkiingAway@reddit

> Everything you're revealing is accessible to the public as reddit is an open forum. If it hasn't been disclosed properly to the general public/market and it's material information, anyone trading on that information is at least theoretically at legal risk of being charged for insider trading. "They posted it in an obscure corner of the internet, anyone there could read it the moment it was posted!" is not really much better than them just calling you up and telling you personally. If it was, that's how everyone would do insider trading. Post it in a random subreddit that your buddies just happen to follow and then they make a pile of money by changing positions before the market knows about it. ------- Reddit is absolutely not sufficient to call it widely disseminated, especially not a subreddit completely unrelated to the market/finance. If it can't be expected that the market in general knows about this piece of information yet and it's material, you can't trade on it, legally. This is why companies schedule press releases, and have processes in place to disseminate them widely to the media and all parties with an interest in that company at that exact time.

Reply

[-]

BruinsFan478@reddit

This couldn't be more wrong. Material information must be shared through standard channels (e.g. press releases) and not trickled out through some random parts of the internet.

Reply

[-]

nomnommish@reddit

>This couldn't be more wrong. Material information must be shared through standard channels (e.g. press releases) and not trickled out through some random parts of the internet. Then let's be clear. Are you saying that if someone shares some info about their company on a public reddit sub, and if someone made a trade based on that, it would be considered insider trading?

Reply

[-]

BruinsFan478@reddit

If they share material information, then yes, absolutely. The reason there are predefined channels for sharing material information is so that all investors are on a level playing field when it comes to buying/selling stock. It would be unrealistic to assume that all investors are aware that material information could be shared on /r/sysadmin. That is why press releases have become the industry standard, because it's become a known channel that all investors can monitor, configure for alerts, etc., to all gain the information at approximately the same time. Now you may challenge what is considered material information, and ultimately, it's defined as information that could have an impact on stock price. This paints a fairly broad umbrella and would ultimately be up to the SEC / judicial system to determine if you had charges brought against you.

Reply

[-]

brando56894@reddit

This guy trades inside....

Reply

[-]

ThatGuyLeroy@reddit

So basically, you have to tell us now or you’re breaking the law.

Reply

[-]

LordoftheBread@reddit

Ironically a disappearing message would arguably be insider trading, you're trying to talk yourself into insider trading when just revealing it to the public wouldn't be.

Reply

[-]

OffenseTaker@reddit

not if the information is public, like on a public social media site for example

Reply

[-]

TheGreatSlaight144@reddit

calling a company by its name or ticker isn't insider trading.

Reply

[-]

spin81@reddit

It is if you're doing it in a statement strongly implying it may have its stock price take a significant dip in the near future.

Reply

[-]

TheGreatSlaight144@reddit

Publicly disclosing that information in a public forum where anyone can see it is not insider trading. That's not how it works

Reply

[-]

playerDotName@reddit

Mess with the stock market some. Not a lot. Also not a lawyer and this is a Wendy's. But I'm pretty sure Slaight is right here. If I work for Walmart and I say that I've noticed a downturn in supply vs demand, I can say that out loud to America. If I'm a CEO at Walmart and I've actually signed a piece of paper that stymies the flow of supply and then I tell all my friends before I signed that and we all went short on our own company.. that's insider trading. You have to have the knowledge before the action happens and make a stock play on it, afaik. Otherwise, it isn't insider because you, the employee, are seeing the results of the CEO signing whatever document. You can never be an insider trader because you aren't in the circle of decisions. Now, if he has made you CTO and you're disclosing that the company is going to fail because your implementation will fair, that may be gray enough to get you in trouble. Please, again, consult a lawyer if you give that many fucks about it.

Reply

[-]

Shamewizard1995@reddit

This is not a private conversation among friends though. This is a public forum accessible to anyone in the world. It would fall under your first example, “if I work for Walmart and I can say I’ve noticed a downturn in supply vs demand, I can say that out loud to America” At worst, the guy gets fired for disclosing corporate secrets. There is zero chance he is prosecuted though.

Reply

[-]

sarge21@reddit

Publicly accessible does not mean public. Information has to be "widely disseminated" before it is considered public, and that includes a "reasonable waiting period" https://www.sec.gov/news/speech/2008/spch073008km.htm

Reply

[-]

SpeculationMaster@reddit

pretty sure that Reddit has a widely disseminated reach

Reply

[-]

PowerShellGenius@reddit

Reddit isn't one community. I would guess the legal system would see a big difference between a post that stays at the top of r/popular until the next search engine indexes it, and a comment under a r/sysadmin post.

Reply

[-]

sarge21@reddit

Pretty sure that there are other considerations to be made that you're choosing to ignore

Reply

[-]

playerDotName@reddit

Well, a non-zero if he has been made C level and is making decisions that will result in the things he is saying, right? We don't know for sure that isn't the case, and I trust a business far enough to claim that *was* the case to try to get $5k out of someone or something. I doubt all this is something or will happen, but it's a fair warning in a small business as an IT guy. These asshats will run a business that doesn't even have C level execs and then say "well bob was our CTO at the time" when your title was "Senior Help Desk" and shit. Be careful is all I'm saying.

Reply

[-]

PowerShellGenius@reddit

>If I'm a CEO at Walmart and I've actually signed a piece of paper that stymies the flow of supply and then I tell **all my friends** before I signed that and we all went short on our own company.. that's insider trading. Emphasis on "all my friends" (as opposed to calling the local media, or updating a top post on a large public forum accessible without even logging in, or some other way of making it public and *not* targeting your friends to know first).

Reply

[-]

TabooRaver@reddit

It can also be illegal under stock manipulation. As that's how they charge pump n dump schemes(where a person talks up/down a traded company, takes out a position, and then collects a profit when the price returns to normal). But unless op shorts the company... I think they'll be fine.

Reply

[-]

playerDotName@reddit

Yeah. That's the key we're all forgetting, isn't it? As long as op isn't in the market at all, *trading* at all doesn't apply. At worst, you're protected as a whistleblower. I say worst because protected.. ain't.

Reply

[-]

undermark5@reddit

Pretty sure that even if you're not in the decision making circle you still have knowledge that's not legally available to the general public that's actually what insider trading is, doesn't matter how you got the information if it's not available to the general public (could have come from a friend that's an employee or the friend of a friend). If you notice the entire market is dropping external to your employment with Walmart and that anyone that is following market trends would have been able to spot as well that's not insider trading, that's reading the market information that's publicly available. If you know the CEO recently signed some contract or something that's going to impact the business in a major way and you react by trading (assuming the deal isn't public knowledge yet) that's insider trading even though you did it after the deal was signed and even though you didn't have any say on the decision. Granted, if you've only got limited purchasing power and only gain a couple thousand dollars, it's unlikely that it would be noticed unless it becomes a trend (not saying that you should actively and knowingly participate in illegal activity though) Granted, apparently what constitutes insider trading and the legality of it varies from country to country, but that's how I understand it in the US.

Reply

[-]

playerDotName@reddit

Let's be real and wrap the whole thing up. If this isn't over $250k worth of damages, no one is going to give a shit in 2023 anyway. Maybe we can reduce that to 100k or something, but I highly doubt this person posting a company name on Reddit is going to hurt them that bad. If it does, then alright.. we should really be doing more with our power. Sorry you lost your job and got sued bro, but welcome to the most powerful team on earth, I guess.

Reply

[-]

volatilebool@reddit

Remember we have a multi tiered justice system as well. The big guys get away with more than they’d let us

Reply

[-]

dangercrow@reddit

Correct! Its not insider trading. However, it is probably 'unlawful disclosure'.

Reply

[-]

hugglesthemerciless@reddit

The disclosed information is insider info though, it's talking about internal company policy

Reply

[-]

off-on@reddit

Insider?! I barely KNEW er’!!

Reply

[-]

TEOsix@reddit

Also, the company man never divulge they were even hacked.

Reply

[-]

the_cramdown@reddit

Outsider trading

Reply

[-]

0-2er@reddit

The Little Short

Reply

[-]

EstoyTristeSiempre@reddit

Public trading then.

Reply

[-]

synonyco@reddit

Please do not comment about things you clearly have no knowledge. That is neither the letter of or the spirit of the insider trading laws. This situation bears zero resemblance to insider trading.

Reply

[-]

sarge21@reddit

There are clear rules on how information can be disclosed to the public, and an insider sharing nonpublic information so that a small group of people have an advantage is exactly why insider trading laws exist.

Reply

[-]

synonyco@reddit

insider trading noun 1. The illegal buying or selling of securities on the basis of information that is unavailable to the public. 2. Buying or selling securities of a publicly-held company by a person who has privileged access to information concerning the company's financial condition or plans. 3. Buying or selling corporate stock by a corporate officer or other insider on the basis of information that has not been made public and is supposed to remain confidential As I said, not insider trading.

Reply

[-]

sarge21@reddit

>Illegal insider trading includes tipping others when you have any sort of material nonpublic information. https://www.investopedia.com/terms/i/insidertrading.asp

Reply

[-]

synonyco@reddit

Not in a public forum. Jesus, man... Give up. You are wrong.

Reply

[-]

cosmos7@reddit

lol... not on a public forum you dingdong

Reply

[-]

thedreday@reddit

Which this post does not

Reply

[-]

awoeoc@reddit

We are all insiders on this blessed day

Reply

[-]

flunky_the_majestic@reddit

Do you think all of Reddit is an insider?

Reply

[-]

sgthulkarox@reddit

Maybe, maybe not. Does OP have the means to defend themselves to a civil suit from the SEC or 'damaged' shareholders? Cause they will sue, regardless of the winability.

Reply

[-]

I_Stabbed_Jon_Snow@reddit

I’m in congress so it’s cool

Reply

[-]

nighthawke75@reddit

Mmm, so would the SEC and FTC. Be ready for the audit of your life.

Reply

[-]

lordpuddingcup@reddit

If you guy it it’s insider trading if you let people know a company is run by an idiot your a whistleblower

Reply

[-]

computergeek125@reddit

Yeah probably is. Knowing that a company is going to implement a detrimental policy soon I would imagine is considered material non-public information.

Reply

[-]

pioxs@reddit

Well posting it on a reddit post feels like its no longer non-public.

Reply

[-]

sarge21@reddit

You're wrong. There are laws on how to disclose nonpublic information that are intended to prevent someone from having an advantage in timing their trades just because they happened to be reading a forum.

Reply

[-]

darthsirc@reddit

No it’s not

Reply

[-]

TKInstinct@reddit

No but it supports making a separate unrelated account and using VPN's.

Reply

[-]

ohyeahwell@reddit

Highly regarded

Reply

[-]

dreadcain@reddit

Its only insider trading for you, fair game for the rest of us

Reply

[-]

Dracomarine@reddit

If congress can do it, then why can't we...?

Reply

[-]

anna_lynn_fection@reddit

Because we didn't vote for us.

Reply

[-]

Fyzzle@reddit

I'll vote for me any day

Reply

[-]

Dracomarine@reddit

I mean, so?

Reply

[-]

IronHitmonlee@reddit (OP)

Congress make laws for us and “friendly suggestions” for themselves

Reply

[-]

MaharajaofMalta@reddit

for the record... this would not be insider trading. just friendly discussion about cyber risk and one individual's (you) prediction of the cause of those risks

Reply

[-]

OkDragonfruit1929@reddit

Congress does it all the time.

Reply

[-]

rybl@reddit

I don't think posting on a public forum would be insider trading though probably not a great career move.

Reply

[-]

dweezil22@reddit

Publicly disclosing it while being unable to resist the urge to short it yourself WOULD be insider trading for OP ;)

Reply

[-]

0-2er@reddit

for OP, sure, but what about the rest of us?

Reply

[-]

bad_brown@reddit

If Congress can do it, I want to, too.

Reply

[-]

NaiaSFW@reddit

I mean if you post it here it would then be public info right (not a lawyer just trolling reddit)

Reply

[-]

FatherOfTheVoid@reddit

PM me please, markets have been brutal and I don't want to sit on a ticker that's bound to start bleeding any second.

Reply

[-]

drunk_recipe@reddit

Lol just say it, nobody can find out it was you

Reply

[-]

5erif@reddit

Except the CEO after seeing details of their recent private conversation.

Reply

[-]

Manifesto3433@reddit

Well drop us all a hint & nuke your acc ;)

Reply

[-]

ImbambiBitch@reddit

Just give us a few PMs

Reply

[-]

joeykins82@reddit

Feel free to DM me ;)

Reply

[-]

anynonus@reddit

Either give us the ticker or install our cryptolocker software on a BYOD. Don't leave us hanging, man.

Reply

[-]

Harpes96@reddit

Agreed.

Reply

[-]

SpambotSwatter@reddit

/u/Harpes96 is a scammer! **Do not click any links they share or reply to**. Please downvote their comment and click the `report` button, selecting `Spam` then `Harmful bots`. With enough reports, the reddit algorithm will suspend this scammer. --- >!^(If this message seems out of context, it may be because Harpes96 is copying content to farm karma, and deletes their scam activity when called out - Read the pins on my profile for more information.)!<

Reply

[-]

electrowiz64@reddit

How would you profit on this? You buy and they’re hacked, it’s just gonna go down…

Reply

[-]

trutheality@reddit

There are a few ways to profit off stock price going down: shorting (mathematically works out to buying negative stock, usually for a fee), as well as various options trading strategies.

Reply

[-]

Armigine@reddit

you could potentially short the stock, though since the timeline on an attack is uncertain you'd likely just be wanting to dump the stock if you held it and avoid a potential loss

Reply

[-]

Caedro@reddit

r/Sysadmin arguing about insider trading is hilarious. Thanks for this chain.

Reply

[-]

SaintRemus@reddit

The *moderately* Big Short - coming to an AMC theater near you!

Reply

[-]

zhaoz@reddit

If it only has 2 info sec staff, probably not.

Reply

[-]

ThatGuyLeroy@reddit

Had**

Reply

[-]

PMzyox@reddit

I’ll be your friend. What are we shorting?

Reply

[-]

Vfef@reddit

Jesus. For real. Op also has a post from 2 months ago about sharing accounts and figuring out how to share MFA between multiple devices. OP if this is a public company, you should probably let the investors or investment board know why these things they are asking you to do is horrible and give examples of other companies that have had issues with the same things. Also ask for 1m bonus.

Reply

[-]

MiKeMcDnet@reddit

NGL... If this was a publicly traded company, having just two infosec staff is frightening enough. Has to be a small outfit.

Reply

[-]

VexingRaven@reddit

Not all public companies are huge. You can be a small public company.

Reply

[-]

thesilversverker@reddit

CTS:TO BYOD is a bad fucking idea, cmv.

Reply

[-]

playerDotName@reddit

He's in the UK guys. Not a company we're interested in, more than likely. Us ticker chasers can calm down.

Reply

[-]

joeykins82@reddit

BYOD phones or BYOD laptops? Phones, just InTune manage them in a sensible way and give serious thought to Azure Information Protection if you want to get yourself a DLP & rights management tool. Endpoints, that’s much more problematic and unless you’re gonna go full virtual desktop it’s a recipe for disaster.

Reply

[-]

IronHitmonlee@reddit (OP)

It’s both, most people will start with phones but it also includes laptops. Their was a huge project to ensure all staff had a suitable laptop for work but C-Level users would often boast to users about using their personal laptops so I am certain it will end up with them using their personal laptops also.

Reply

[-]

NotThePersona@reddit

Personally, segregated blank for byod devices and if you want to access corporate stuff you use a jump box. Preferably with MFA on it. Under no circumstances should a byod machine have direct access to a share. If that's what they insist on write the biggest most detailed CYA email you can and have all the to people sign off on it. Then do what you can to get your backups as segregated as possible, including some form of immutable (airgap or similar) version.

Reply

[-]

EarlyEditor@reddit

I understand a sharedrive. How about access to cloud storage like OneDrive? Noticed it's becoming a lot more common and I was wondering if there was much of a difference

Reply

[-]

NotThePersona@reddit

Not really much difference, although apparently Microsoft has some detection and mitigation in place. I don't have a lot of one drive experience tbh. I imagine if you access through the browser it will be more secure then if you have everyone syncing locally but as I said not my area of expertise.

Reply

[-]

EarlyEditor@reddit

Cheers, I was thinking it might be something like that. I guess restricting to browser (and office apps) probably isn't a bad step, if not allowed to do anything else. On a side note, I know of a situation where a new staff member got access to the shared drive, deleted everything by accident (was cleaning their computer) and because of how the files were restored, they were all just in the one folder. It was google drive, but basically google said they couldn't do anything for them.

Reply

[-]

NotThePersona@reddit

Yeah most cloud storage doesn't actually use a folder structure from what I understand. It uses tags or since other meta data to simulate it, but all files from their perspective sit in the root. So if that meta data couldn't be restored, everything gets dumped into the root folder.

Reply

[-]

EarlyEditor@reddit

Thanks that's heaps interesting. Probably a silly idea but I kinda wonder if in large cloud providers they cross check file hashes and if two people have the same file (e.g a torrented movie that isn't blacklisted) if they just only store the file "once" to save space but still count towards both users storage (once excluding redundancies/backups) .

Reply

[-]

Juvyn00b@reddit

Good policy! Also may want to block the devices from east west communications; just to further limit any shenanigans that can go on.

Reply

[-]

skunkboy72@reddit

what are east west communications?

Reply

[-]

jnmtx@reddit

BYOD device to BYOD device in the dirty LAN.

Reply

[-]

ghjm@reddit

Communications between two BYOD devices. North-south is communication between a BYOD device and company servers.

Reply

[-]

tel_tel@reddit

Device to device, and north-south would be upstream or downstream the network like to a server or a router.

Reply

[-]

Kierkegaard_Soren@reddit

CYA emails so important. And save a copy.

Reply

[-]

NotThePersona@reddit

Shit rolls downhill, so make sure you build a wall to hold it at the top.

Reply

[-]

TKInstinct@reddit

I remember at my old place we were giving out instructions on how to access the secure MDM network for personal devices. Not good.

Reply

[-]

Fyzzle@reddit

If you're doing the right thing, you want a paper trail.

Reply

[-]

who_cares345@reddit

You could require that devices be enrolled in some sort of mdm or endpoint manager and use a rmm solution. In addition if you still have a work issue device assigned to them you could require if they want to use their personal device they must rdp into a managed machine or a virtual machine instance like something base on Citrix.

Reply

[-]

Rambles_Off_Topics@reddit

Everytime our CEO or others wanted to make a dumb decision like you are suggesting I would pull in our insurance auditors. Generally after stating they won't cover you if you they change their mind.

Reply

[-]

2Salmon4U@reddit

That’s pretty smart. Fair warning for OP though, I did something similar with a proposed accounting practice. Brought in our CPA’s opinion and got fired a month later

Reply

[-]

Bronichiwa_@reddit

What did they says was the reason for firing?

Reply

[-]

2Salmon4U@reddit

“It’s just not working out” I’m in a state where employers can fire for any reason and provide no reason.

Reply

[-]

Tracerisaslut@reddit

That’s actually genius. I’ll make a note of that for when I get into management

Reply

[-]

HellzillaQ@reddit

Hire a security firm that will stand behind you and tell the board this is a terrible idea.

Reply

[-]

IronHitmonlee@reddit (OP)

I can’t no budget for that unfortunately.

Reply

[-]

chillymoose@reddit

If you're in Canada there's currently a $15k federal grant for beefing up cybsec planning in qualifying companies.

Reply

[-]

HellzillaQ@reddit

Resume time. CYA on emails. BCC your personal email when telling them this is a very bad idea and you will have no part in it.

Reply

[-]

Hewlett-PackHard@reddit

>BCC your personal email This can get you in a lot of trouble, depending on the sector and contracts. Just go into M365 and slap the litigation hold flag on your mailbox.

Reply

[-]

FastRedPonyCar@reddit

I setup an apple mail rule a couple companies ago that copied incoming messages to a PST on my computer. Didn’t show up as an O365 rule so there was none the wiser.

Reply

[-]

HellzillaQ@reddit

If you are terminated, you lose access to those emails and the account. If a high security sector is trying to implement a BYOD process, they have more problems than someone bcc'ing and email that states that they will not be following those orders.

Reply

[-]

Hewlett-PackHard@reddit

Not high security obviously, but more litigious.

Reply

[-]

Cistoran@reddit

> If you get termed and still have a copy without having to drag them through discovery then you obviously improperly/unlawfully exfiltrated company data. Step 1: BCC yourself on the email Step 2: You get fired Step 3: They try to pin it on you Step 4: Sue them, enter discovery Step 5: Ask for a copy of the email you know you sent Step 6: If they produce it, you win. If they don't produce it, you also win. It's not that complex.

Reply

[-]

thortgot@reddit

You do realize that during discovery the fact that you BCCd yourself would come to light right? If OP has a confidentiality policy that this would breach, that loses the case right then and there.

Reply

[-]

Cistoran@reddit

Confidentiality policies don't cover illegal behavior. Just like you can put whatever the fuck you want in a contract, but a lot of it might not be enforceable or even legal.

Reply

[-]

thortgot@reddit

Let me know how that works out for you.

Reply

[-]

Cistoran@reddit

I mean I literally work for a law firm, and all the attorneys are well aware of this, hence why our policies and procedures are the way they are. We're literally in the middle of multiple law suits that I've been deposed for where data was exfiltrated. I had to go through discovery, not only for email I sent or received, but had to run multiple content searches for eDiscovery on multiple employees both former, and current, across a variety of platforms. I'm pretty well acquainted with how this works.

Reply

[-]

HopefulEuclid@reddit

I'd wager being scapegoated for a company-wide ransomware attack would be more trouble.

Reply

[-]

IronHitmonlee@reddit (OP)

I normally save emails and send it to myself. Is BCC better or is there no difference.

Reply

[-]

digdilem@reddit

When sending emails to yourself, be very careful you don't break your own exfiltration policies. The irony in getting sued for that would be crippling.

Reply

[-]

cjohnson2136@reddit

If you are just sending the email to yourself that's fine. But if you reply to management then BCC your personal email at the same time.

Reply

[-]

dirtcreature@reddit

Be very careful. This can expose you to policy violations if someone digs deep enough.

Reply

[-]

Killaship@reddit

It sends emails to yourself, and other people CC'd won't see it. BCC means Blind Carbon Copy.

Reply

[-]

IronHitmonlee@reddit (OP)

Isn’t there a way to see it via eDiscovery, I think I did it once.

Reply

[-]

gangaskan@reddit

who cares, send it to a new email. that way your personal email is not compromised if the event occurs.

Reply

[-]

IronHitmonlee@reddit (OP)

Oh yea thanks

Reply

[-]

oldspiceland@reddit

FYI if something goes south and your email is BCCing to an external unidentified third party email it will look incredibly bad for you. Just so you know.

Reply

[-]

Shanesan@reddit

It’ll look incredibly bad for you until you tell a judge “I believe I was in a hostile work environment and, when the C-Suites decision inevitably went south, I wanted a proper record that couldn’t be edited by them proving that.” Ask a lawyer to confirm of course.

Reply

[-]

oldspiceland@reddit

No it’ll still look bad to the investigators that will come in after the fact and be looking for any suspicious behavior that might suggest a disgruntled employee would be the one to initiate the attack.

Reply

[-]

Shanesan@reddit

Maybe, but they’ll need a lot more proof than that I suspect. “Guys this is a bad idea and let me count the well-established ways by my trade as to why this is” isn’t the smoking gun.

Reply

[-]

oldspiceland@reddit

Proof for what? For firing you and blacklisting you? What are you hoping the CYA in this case covers your ass from? The only thing the company is going to do in this case is fire you and the only thing they need as proof is that you have a non-zero chance of having been involved and were acting in a way that’s suspicious. They’ll fire you for cause and that’s it. Are you guys worried that somehow you’d be criminally liable for the actions of a company that you’re employed by? If there’s a fear of that you should already be getting an attorney involved and having all emails locked in a litigation hold. This he-said/she-said isn’t anywhere near bulletproof in court.

Reply

[-]

Shanesan@reddit

I think you missed the “shit goes south” part. If they’re looking for a black sheep to lay blame on, that’s not going to be me, and they can fire me all they want for CYA, I don’t want to work at a place where I feel I have to do that anyway. They won’t blame me and sue me when they get cryptolockered, and if they do I’ll have the proof. Will they sue you?

Reply

[-]

oldspiceland@reddit

They’ll blame you anyways is my point and you trying to do something sketchy isn’t going to change that.

Reply

[-]

Shanesan@reddit

I edited the previous, you’re too quick.

Reply

[-]

PhiberOptikz@reddit

There's also the option of simply downloading the email to a file (.eml). Then you can open it in any mail client.

Reply

[-]

kevin_k@reddit

As long as you have access to it, yes. You may need it after you're no longer employed there

Reply

[-]

MrScrib@reddit

I prefer Behind Cover Copy.

Reply

[-]

Pantera_Atrox@reddit

The best way to save email is to save as in outlook and save the .eml/.msg file. Then you can safeguard those files and have both the windows file metadata and the original full email header info that doesn't always xfer with forward/reply.

Reply

[-]

HolyDiver019283@reddit

I’ve always seen this and wondered, well first if it has ever actually helped? Surely if the C level want to dump it on you, having an email with your concerns serves little more than a Told-You-So. But I also have concerns over sending to personal email. Isn’t that what we try and stop other staff doing with DLP etc?

Reply

[-]

HopefulEuclid@reddit

>But I also have concerns over sending to personal email. Isn’t that what we try and stop other staff doing with DLP etc? Sure, but when you're dealing with a situation like this, not being pinned with the inevitable shitstorm is a little more important.

Reply

[-]

just_change_it@reddit

You wouldn't go with the risk acceptance form method? If the goal is to get fired, sure this is a problem. If the goal is to make sure the company is reasonably protected within the constraints they are willing to work within and accept an amount of risk, so long as you outline how big of an issue this is- your ass is covered that way. Usually when confronted with personal liability for decision making and the associated costs (cybersecurity insurance) idiocy is less likely to be an issue.

Reply

[-]

ronya_t@reddit

Yep, you don't want to be implicated in any lawsuits or fines that will inevitably accrue due to a privacy violation. Document your recommendations (some sort of risk assessment) and get management to say in written why they accept said risk. "We had no budget...but I guess we'll have to shell out 20% of our revenue to pay this Privacy violation fine."

Reply

[-]

MisterCBax@reddit

Ask for a raise and paid security certification exams. If they expect you to handle security related matters congrats, that changes your job title. My suggestion is document EVERYTHING and when shit hits the fan you can say told ya so.

Reply

[-]

disc0mbobulated@reddit

Do they have insurance? That would be a start.

Reply

[-]

DiseaseDeathDecay@reddit

Specifically cybersecurity insurance. I'm sure they don't, but that's one way to force sane cybersecurity policies.

Reply

[-]

NoyzMaker@reddit

Then you have no budget to go BYOD either. You are also going to run in to potential licensing issues for software as well. I assume he sees this as a cost savings.

Reply

[-]

Trevize_Demerzel@reddit

" I can’t no budget for that unfortunately. "  Then that is your answer.

Reply

[-]

HerissonMignion@reddit

Cya

Reply

[-]

HearingConscious2505@reddit

Address all of your concerns to him via email (and bcc your personal email account as long as the emails don't include any sensitive or privileged information), and include anyone else that may need to know. This isn't to change his mind, of course, it's just to cover your own ass.

Reply

[-]

ThatITguy2015@reddit

Lawl on the personal laptops on a secure network. This is pure nightmare. Hopefully they follow through with some of the suggestions mentioned below if that actually happens.

Reply

[-]

VLAN-Enthusiast@reddit

Okay but C levels can typically afford a high end laptop. Cubicle goons won’t like the price tag on the T14 or 5530 that you strongly advise they purchase, and will come to you when they’re Acer Aspire they bought on marketplace is “being glitchy”. BYOD = I don’t support your hardware.

Reply

[-]

Tack122@reddit

"Yeah but Jimothy has complained his ability to close sales has been degraded because the computer systems don't work, fix his laptop. What do we pay you for?"

Reply

[-]

Cancer_Ridden_Lung@reddit

Have people sign a bunch of forms and install mdm or something similar on their devices. Let all users know that you can and will wipe all data with no warning if they are compromised. 95% of people will not go through with it.

Reply

[-]

flash_killer2007@reddit

sort of secure tip: you can also do an intune policy like a compliance policy and only allow a certain group of people to log in into office 365 if their os will meet some criteria like having a password, an antivirus and some more. this will work on BYOD windows devices

Reply

[-]

agoia@reddit

Lol meanwhile a lot of my users ask me why their personal laptops are so much slower than what we issue.

Reply

[-]

IronHitmonlee@reddit (OP)

This is supposed to be the way.

Reply

[-]

RFC2549_is_bestest@reddit

Get a NAC, either Cisco ISE or Aruba ClearPass. Both have options for managing BYOD devices, where you can restrict network access, enforce antivirus policies and software patching. Neither of these products are cheap, but they will do what you need.

Reply

[-]

VexingRaven@reddit

What exactly is their goal here? What do they want to accomplish by allowing BYOD?

Reply

[-]

Sinsilenc@reddit

We use vdi so this isnt an issue for us. This may be a route you want to go.

Reply

[-]

Wind_Freak@reddit

How far are you on the path to zero trust?

Reply

[-]

VexingRaven@reddit

You don't need to Intune manage the BYOD devices and I recommend you don't. Instead, implement Application Protection policies and manage the apps only. MDM enrolling employee-owned devices is a rabbit hole of liability I want nothing to do with. For Windows devices you can do some level of App Protection too but it's more limited than Mobile devices and will probably not be enough unless they literally just want to browse email on their personal computers.

Reply

[-]

tango_one_six@reddit

I'd add deploying a basic Azure Information Protection/Purview policy, label all your data, and enforce labeling. This will cover the workstation portion that MAM can't cover, and will also allow you to apply access controls on all labeled data. If there's no bandwidth to do that, then yes, MAM is going to be the most basic thing you can roll out there.

Reply

[-]

VexingRaven@reddit

Does AIP function on non-company devices without MAM support? My understanding is that the functionality of both MAM and AIP are very limited on Windows without full device management.

Reply

[-]

tango_one_six@reddit

Yep. AIP labels and protection follow the file. User would need to authenticate with their corporate identity no matter where they open the file. Makes it a useful solution if you have no control over what devices the file may end up at.

Reply

[-]

FriedAds@reddit

MAM all the way for BYOD. Regardless if Laptops or Mobiles.

Reply

[-]

VexingRaven@reddit

Unfortunately MAM, at least when I last looked at it, was very limited on Windows devices beyond the Office Suite and OneDrive.

Reply

[-]

DETLions2024Champs@reddit

MAM-WE 😎

Reply

[-]

LFphant@reddit

How important is an anti-BYOD policy regarding Personal Smartphones, i.e. signing into Teams or Outlook on a personal device? I understand the super-strong stance against personal workstations, but I'm looking for feedback from the community regarding smartphones specifically. Should this be an area of concern?

Reply

[-]

ProgressBartender@reddit

But he could go full virtual desktop or or even full Citrix sessions and create a castle moat environment , where no one has direct access to the Crown Jewels (to complete the metaphor).

Reply

[-]

JustZisGuy@reddit

What are the dragon and wizard in this metaphor?

Reply

[-]

schism-for-mgmt@reddit

spearphishing?

Reply

[-]

Bezos_Balls@reddit

W365 is the only way for BYOD laptops. They can use whatever shiny laptop they want with a VM for 40-$60 a month. For phones use the app protection policies in Intune or fully enroll in an MDM and manage the shit out of it.

Reply

[-]

EspurrStare@reddit

Or just isolate them in their own VLAN through wifi, if DLP is not needed. Phones were never an issue at any work I participated in, but I see how they could be. If your firewall isn't set properly to isolate wifi traffic, that's on you. Laptops, you will at the very least have to have some sort of NAC solution. I found that at the time (as research), OpenNAC+OpenVPN were a good opensource solution to achieve this. Even on environments without 802.1X support. OP should really start to think into more host based security. Disabling LLMNR, setting up even simple HBIPS like fail2ban,sshguard and IPBan, possibly setting up an aggressive IPS inside their own network without even doing the IDS (he won't have data of what is regular traffic, and also, helps making a statement).

Reply

[-]

who_cares345@reddit

I work at a university and they have policies for personal phones in which depending on the type of data or data classification, one may need to get written approval to have data on such device. The data level that is in question is I think critical which means pii and things like SSN. They also require that if you use email on the device it be capable of remote wipe (activesync). In addition to this, it is highly recommended that the device be encrypted and have password protected.

Reply

[-]

_IAMPi_@reddit

I've read a bunch of the replies and a bunch of the rhetoric is a little over blown. BYOD is nothing to really panic over cause at the end of the day unless you are running a decent end point solution it won't make a difference. Red teams, pentesters, and threat actors will blow through your environment like a tornado through a trailer park. That being said working at an immature organization offers opportunity for you to define your role, implement new security solutions, and a ton of experience. Just change your approach. Don't go to management with a technical problem but instead with a business problem. Keep you ear open to other companies in your industry and network with IT staff there so you can get comparable insights. if all else fails, the best advise I ever heard was "If your in security working for a company that doesn't care about security then you need to look for a new company." Regards, former network engineer former IT security practitioner Current Red Teamer

Reply

[-]

IronHitmonlee@reddit (OP)

You have a few good points. The only reason why this is a problem is because they want a solution now. To build a good working solution will take time. Now I’m not saying I’m going to create an in penetrable solution if I was given more time but at least a solid one, I admit my post makes it seem as if phones are the main problem but this would include BYOD laptops. Also management is an issue but yes it does allow me to get creative with solutions and explore a lot of security solutions I haven’t used before… as long as there are no serious issues between now and then.

Reply

[-]

Emergency_Wolf_5764@reddit

u/IronHitmonlee If your idiot CEO and his henchmen insist on BYOD, then the least you guys can do is enforce a company policy that MFA and MDM security enrollment and anti-virus apps have to be installed on each employee's phone. That way the device can be remotely locked/company data wiped if the phone ever gets lost or stolen. Some employees may not be comfortable with this, but too bad, so sad. No MFA means no access to company systems anyway.

Reply

[-]

zmvrcoz@reddit

Use a good MDM solution. Provide App Protection Policies and Compliance Policies

Reply

[-]

TheOneTrueTrench@reddit

Honestly, they are security hostile. Sounds like you're already on it, but this is ***definitely*** a resume-generating event.

Reply

[-]

IronHitmonlee@reddit (OP)

hahahahaha resume-generating event sounds epic… but you’re completely right.

Reply

[-]

rUnThEoN@reddit

Tell the users that by adding themself to mail/exhange you get the right to completly wipe their phones.

Reply

[-]

IronHitmonlee@reddit (OP)

I have and that is in the draft policy, should I create a reason and wipe someone’s phone to put the rest in fear of using their personal phone or is that too dangerous.

Reply

[-]

rUnThEoN@reddit

Get that in writing for users who want to use their phone like that. And mention that upon leaving the company, that device will be wiped immidiatly without prewarning. Company information on private phones is a nono. Also make sure you have the app combinations down. A lot of people will use the outlook app in which this should work. Im not sure about gmail. It wont work for webapp.

Reply

[-]

IronHitmonlee@reddit (OP)

You’re a star “fear will keep them in line” I cannot believe I didn’t think of this. WHO DO YOU THINK YOU ARE I AM. Yea I don’t like paying mobile games or in app content but you may have given me the phrase of fear to stop them. Here’s an award.

Reply

[-]

oopsthatsastarhothot@reddit

block all social media on all personal devices. That ought to drive off almost everyone. Messenger, Facebook, tictok, Twitter. The works.

Reply

[-]

Lee_Ars@reddit

That lasts until the CEO kicks your door down and orders you to unblock facebook and tiktok because he "needs them" for "work."

Reply

[-]

oopsthatsastarhothot@reddit

and then you make him sign an acknowledgement. and then wait for the first crypto ransomware.

Reply

[-]

Lee_Ars@reddit

> and then you make him sign an acknowledgement. I don't mean this in a rude way, because we're on /r/sysadmin and not /r/ShittySysadmin, but good fucking luck with that. Having been on the receiving end of this kind of bullshit once, at a dysfunctional dot com crazy job that I'm glad I left, my anecdotal experience is that a CEO stupid enough to dismiss the infosec people (and presumably also the risk & internal audit crew, if one existed) is also a CEO who wouldn't hesitate to tell the lone remaining person to fuck off with a signed "acknowledgement." When this happened to me, it was "Install the thing I want, or I'll go find someone who will."

Reply

[-]

IronHitmonlee@reddit (OP)

Yea it’s difficult but it’s seems I’ve become I smooth talking after lunch. I’ve it seems I won’t have to sign it plus TikTok is currently being grilled so I just said buzzwords like “malicious AI”, “spying on you”, “works with the Chinese government” and the wannabe went blue.

Reply

[-]

thortgot@reddit

I'm all for blocking social media on corporate devices, but "malicious AI". Dude, where do you get this stuff? You shouldn't lie to your users. They won't believe when it actually matters.

Reply

[-]

IronHitmonlee@reddit (OP)

The outlook vulnerability was detected by AI and AI can be used to exploit it. It’s not a lie.

Reply

[-]

thortgot@reddit

You said TikTok is a malicious AI, how do you justify that?

Reply

[-]

IronHitmonlee@reddit (OP)

The buzzwords don’t pertain to just TikTok, my sentence was worded poorly here so it may have seemed like that’s what I was going to tell them. I meant starting off with saying TikTok is in congress for the allegations of spying and then I would mention the other buzzwords for separate applications, cloud services, social media companies etc. I personally don’t think TikTok is worse than any other social media company in terms of spying and TikTok probably isn’t anywhere near as unethical as Meta.

Reply

[-]

IronHitmonlee@reddit (OP)

I’m blocking WhatsApp too

Reply

[-]

oopsthatsastarhothot@reddit

Dam straight. Block everything you think you can get away with. Don't forget discord. Cut them off of all not work coms. Be open and obvious about it. "Sorry boss, we can't force people to let us use their devices. Everyone refused" ¯\_(ツ)_/¯

Reply

[-]

rUnThEoN@reddit

Np. Fear is also what brought you here. Here is a usefull post about risk management: https://www.reddit.com/r/sysadmin/comments/t30vcp/you_cant_eliminate_every_risk_and_you_shouldnt/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button Here is the microsoft link, for different exchanges versions, use google. https://learn.microsoft.com/en-us/exchange/clients/exchange-activesync/remote-wipe?view=exchserver-2019

Reply

[-]

jimmy999111@reddit

make sure to include this: "the company retains the right to wipe all employee devices, personal or work provided, which includes and not limited to deleting all personal and work related files, pictures, videos, documents, applications, contacts, emails, messages, call logs, and other media. The company retains the right to access all data listed above, at any time and for any reason". maybe add some more juicy stuff. that part alone should scare and have almost every employee complaing about the BYOD policy. and you're not lying either.

Reply

[-]

gundog48@reddit

Wtf? Obviously don't do that. Why would you create an unnecessary problem and fuck over one of your colleagues?

Reply

[-]

IronHitmonlee@reddit (OP)

or my colleagues could like… not use their personal phones for work and save me from doing tasks I do not have the time to do!!!! This isn’t a case of where people can’t do their work because of their equipment. WTF should I lay down to be the fall guy for a man child or 3 when they can just use the company issued devices. They’ve been hacked. Hired infosec fired infosec and I should just wait and hope when they get hacked it’s years after I’ve left hell no.

Reply

[-]

thortgot@reddit

....What? Your reasoning makes absolutely no sense. Wiping a random person's phone for no reason won't make other users less likely to take risky actions. BYOD isn't an inherently insecure system. Force an MDM on them before they can get access to your corporate resources. This isn't that complicated. You aren't "the fall guy" unless you are signing off on insecure solutions for regulatory or compliance reasons which you should absolutely not do.

Reply

[-]

gundog48@reddit

Your problem is with management for not giving you the resources you need to run this project. Wiping an employee's personal device, who has nothing to do with this decision, is not only immoral, it's an abuse of your position. Check your company's policies and your contract carefully. If I did that, and it was discovered that I did it to 'send a message' I would be immediately fired for gross misconduct, which is not something you really want on record. Nobody's asking you to be a 'fall guy'. You're right, there are legitimate concerns here, but doing what you're suggesting is an *actual* example of harm that you're supposed to prevent, not engage in due to office politics. How big is your organisation? The whole structure, priorities and everything sound absolutely bizarre. I thought it was quite a small one until I heard that they forked out for two infosec guys!

Reply

[-]

Fatvod@reddit

Are you genuinely suggesting you wipe someone's phone right now just to put the fear in others? If you did that to me I would do everything in my power to get you fired. Don't be an asshole.

Reply

[-]

gundog48@reddit

If someone did that in my organisation to 'send a message' they would be instantly sacked for gross misconduct. What a disgusting thing to suggest.

Reply

[-]

Fatvod@reddit

This subreddit seems insane sometimes. Unless this guy works for the NSA I genuinely couldn't name you another company that forces users not to have company email on their phone. It's 2023, this is common and standard nowadays. If you morons are sharing secure company data through email then you deserve to get hacked. People in here are on a power trip a lot of the time.

Reply

[-]

NoyzMaker@reddit

If and when you get a subpoena for all communications that will include their personal devices. This is how Enron happened in that everyone conducted business on personal devices outside regulator assessment. It is also imperative that you draft documentation that they can't use software not provided by the company either. Most software people have on their personal devices (assuming they even have one) isn't licensed for commercial use.

Reply

[-]

ghosthak00@reddit

Sir where my email? Sir why is Tik tok block?

Reply

[-]

NoyzMaker@reddit

With a proper MDM setup it won't matter because you will effectively have a work container separated so when we "nuke" your stuff it is just that.

Reply

[-]

Jkabaseball@reddit

If you detect possible IOC of their accounts, you have the rights to take actions to secure the accounts. In ways such as changing passwords........... and wiping devices.

Reply

[-]

Vogete@reddit

Android now have work profiles that prevent companies to wipe the entire phone, but allows them to isolate and wipe corporate apps/data. Don't know about iOS though.

Reply

[-]

rUnThEoN@reddit

That would require users to know about work profiles.

Reply

[-]

dustojnikhummer@reddit

And for OEMs like Xiaomi to not hide them

Reply

[-]

synicalx1@reddit

Not really these days, that all gets created and setup by whatever your MDM's ride-along/portal app is.

Reply

[-]

Vogete@reddit

Nope. For us when you log in to outlook, it automatically creates the profile for you. Users don't need to know what it is, it is set up automatically.

Reply

[-]

thatoneguy009@reddit

IMO this route is effective at addressing 80% of your users. When I was last involved with a push to implement MDM on BYOD we let the users "do the talking" and stir up the fear that we'd be able to inspect their personal phone data, that we'd wipe the personal partition of their phone along with the company one, etc. Because of that talk alone we saw very little users even attempt it. Once we addressed that talk it was to the tune of "no, we can't inspect your personal usage, no we won't wipe personal stuff **unless** we have difficulty wiping it normally, gotta protect that company data we thank you for understanding" Also, for BYOD laptops or PCs, require your businesses AV, DLP agent, Intune, etc. For VPN connecting to company network have a check that validates that those (at the current version) need to be installed else it'll rejected. I've seen this implemented with Cisco Radius before. iirc all that was done was checking to see if a txt file was in a directory for the AV. People simply didn't want the company sec tools on their personals. No liability for protecting the BYOD device but no connection without company sec tools in place. Dissuaded people further

Reply

[-]

TCIE@reddit

Couldn't this be done with Windows NPS as well (Window's implementation of RADIUS) if they didn't have another way to set up a VPN with policies?

Reply

[-]

QF17@reddit

Is that even necessary in 2023 or are you just trying to be intentionally malicious. If I add outlook to my iPhone and sign in to my work account can’t you just turf outlook remotely? Likewise, I think intune can detect jail broken devices, so as long as mine isn’t, what reason do you have for wiping my entire phone?

Reply

[-]

rUnThEoN@reddit

Downloaded e-mail attachments? Yes you can do this and that but the truth of it is, in case of doubt, wipe whole property. Its not my problem people give away the rights to their property to someone else. The truth is, the decision is in the hands of the company, not the employe. So the user should have a plan for either situation at hand, small wipe or big wipe, just in case the admin accidently clicks the wrong option.

Reply

[-]

gundog48@reddit

Had no idea this was a thing, can this 'feature' be disabled altogether? We were planning on moving to 365 later this year, but there's no way in hell we're going to roll it out if it has this ability.

Reply

[-]

QF17@reddit

Complete remote wipe? I believe it’s a policy you can set and your users have to accept. The standard (and more sane approach) is for organisations to have the ability to nuke the outlook part of a phone - essentially clearing local cache and signing out

Reply

[-]

QF17@reddit

Point one, that’s not someone hacking their phone, that’s someone being intentionally malicious - which are two completely separate things. And what’s to stop that user from just forwarding the email to a different address and downloading it from there? I also believe InTune has outlook policies which prevent attachment downloads on personal devices. What’s your next argument?

Reply

[-]

rUnThEoN@reddit

Basically none, you got it down pretty much. Malicious users will be malicious. Malicious company will be the same. The problem is the deployment. Without knowing the details of all the things, go back to basics. Did you ever have the case of someone getting fired over serius misconduct? As long as the technical possibility is there, it will be used and they will find a reason for it.

Reply

[-]

QF17@reddit

> go back to basics. What does back to basics even mean? Is that running an on-prem version of Exchange 2013 because that’s what we did back in the day before M365 came along Is it disabling mfa because having multiple forms of authentication is complex? Is back to basics disabling the vpn and requiring everyone to be physically in the office to access office resources? There’s no such things a back to basics in 2023. Computing has always been an evolving technology and security has always been a moving target. You need to balance the risks with the needs. Swinging too far one way (physical access from the office only) is just as bad as swinging too far the other way (enabling webmail without mfa)

Reply

[-]

rUnThEoN@reddit

Can you belive that on prem still exist? Or that users would be challenged by using a vpn? I am sure you are the more evolved admin but some of the stuff you mentioned only works when you are already up to date which most companys arent.

Reply

[-]

MairusuPawa@reddit

I *hate* the onus about jailbroken devices. Of course mine is. I'm a Linux sysadmin. I am not going to carry a Linux pocket computer with me at all times if I can't even be the owner of said OS and this set my own rules. No way I'll trust a manufacturer and no way I'll trust Google to be clean.

Reply

[-]

Teal-Fox@reddit

Genuinely curious as to how you use your phone that requires jailbreak/root, that couldn't be achieved without these days? Not had my phone rooted for years as I can do most things without on modern versions of Android. In the rare case I need something more, I usually just SSH onto one of my boxes and do it from there.

Reply

[-]

Yeah_Nah_Cunt@reddit

Personally it's just from a privacy standpoint. I'm running Graphine OS on a pixel. It gives you finite control of what data can be shared about you. Plus the additional features like different user environments mean I can sandbox things for testing in an isolated use case

Reply

[-]

Teal-Fox@reddit

That's pretty cool, I use an additional user on mine to sandbox my work stuff, but it's obviously limited in "stock" (as much as that means anything these days) Android builds.  Privacy-wise I tend to trust my current phone (Oppo) albiet with my own tweaks and limited de-Googling, but I've definitely had some devices in recent years (\*cough\* Samsung) where a custom ROM has felt essential in order to have some actual control over what my device is doing.

Reply

[-]

MairusuPawa@reddit

That's the phone you want to keep under watch. For instance, if you want to make sure your SSH client randomly installed from the first Google Play Store result isn't stealing credentials, you'll need to be the owner of your own device as a first step. A common use case would also be blacklisting domains at the /etc/hosts level.

Reply

[-]

Teal-Fox@reddit

I manage to get around those without root tbh.  SSH is done via Termux, which is open-source thus fully reviewable. For DNS blocking, apps like Blokada (also open-source) can achieve this in a more intuitive manner by use of a VPN routed via the localhost.  This isn't to knock having rooted or jailbroken devices, I used to live by my custom ROMs, it's just I personally haven't had the need for a fair few years now and am genuinely curious how others are making use of it these days.

Reply

[-]

Real_Lemon8789@reddit

The company can’t trust access from rooted devices even if they aren’t compromised with sketchy side loaded apps. Rooted phones are commonly used to bypass security policies designed to prevent data exfiltration since they can be set up to spoof that they are following policies that they really are not.

Reply

[-]

QF17@reddit

But do you not agree that having a jail broken device increases the risk of a compromised device?

Reply

[-]

MairusuPawa@reddit

No.

Reply

[-]

QF17@reddit

So therefore you must agree that you can have a sensible byod policy if you trust your users.

Reply

[-]

MairusuPawa@reddit

I'll go with "pretty much". Setting rules to prevent common automated malware isn't a bad idea either. Just because you have admin rights on your laptop doesn't mean you'll whitelist ILoveYou.exe for instance. But I trust tcpdump, among others.

Reply

[-]

FanClubof5@reddit

Most modern mdms will let you wipe all the company data/apps without doing the whole phone. My org has it setup so you can access resources like o365 for anywhere and that having something like Intune on your phone allows you to reduce the login events through a central broker service and possibly reduce the MFA prompts frequency.

Reply

[-]

WeirdExponent@reddit

I don't load mail for work on my phone... 100% just use [office.com](https://office.com) in web browser...and create home screen link. God knows I DON'T want to be bothered on my phone about every little problem.

Reply

[-]

GastonUre@reddit

Get on dark net and invite some assholes with Wannacry or other grade-a ransomware. After first serious outbreak that will hurt their bonuses, you can be sure that C-suits won't want BYOD anymore.

Reply

[-]

IronHitmonlee@reddit (OP)

As tempting as that sounds it would make it my fault if they somehow manage to trace it back. Also, they would be looking to blame someone for their lack of planning… me

Reply

[-]

GastonUre@reddit

You ought to have a paper trail by now that would demonstrate you outlined those very risks.

Reply

[-]

IronHitmonlee@reddit (OP)

I found the old data policy and I must say the infosec guys really tried. It hasn’t been updated since but it has the C- Suite and my bosses name on it. I’m keeping a trail of that also

Reply

[-]

Mike22april@reddit

Use 802.1x EAP/TLS with a required certificate issuance through corp controller MDM such as Intune

Reply

[-]

IronHitmonlee@reddit (OP)

Good call

Reply

[-]

akadmin@reddit

Build a solution instead of saying no. BYOD can be fine if it's internet only and you're containerizing apps and presenting them with mfa

Reply

[-]

IronHitmonlee@reddit (OP)

Problem is we don’t even have a ticket system, (I joined the company 3 months ago) so there’s a lot of tasks I was looking towards doing later and this was one of them. I managed to keep BYOD down but it was brought up again and they are charging full steam aged with it. The data protection employees have realised they can no longer stop it. So basically I planned to start this next year when we had basic things sorted but now I don’t think I could do it in time. And yes… everyone has admin rights.

Reply

[-]

thortgot@reddit

You had an infosec team but everyone had admin rights on corporate assets? Those people had no right to be called infosec.

Reply

[-]

IronHitmonlee@reddit (OP)

I get what you mean, I don’t know what battles they would of faced against the wannabe CEO and the rest of the C suite.

Reply

[-]

akadmin@reddit

Idk if y'all have an azure IaaS sub and Microsoft licensing but if so you can probably spin up a vnet with a couple avd hosts and present your apps through what is basically remoteapp as a service, leveraging conditional access for MFA. Works pretty well and will also allow for remote work

Reply

[-]

Variaxist@reddit

He already mentioned upper management has been using their own devices and bragging about it. They likely think it'll be exactly the same for the other users with no roadblocks.

Reply

[-]

akadmin@reddit

awful. In this situation I'd get everything in emails and make proper recommendations - if they still say "allow bob's laptop on the corp wifi", outline the risks in the email and ask once more - if they say yes to the risks, print that email and when bob spreads ransomware you can pull out that piece of paper and dust your hands of responsibility

Reply

[-]

firefish5000@reddit

That's like half the reason you wouldn't want to move to byod. Sounds like you have fewer problems to worry about for the switch and a lot more for where we are now. While from what you said it certainly sounds like management but, but... Maybe there is a reason the infosec team was fired and you were kept...

Reply

[-]

theotheritmanager@reddit

To be fair it sounds like you guys have tons of other issues going on. The fact you guys have 2 infosec people but zero ticketing is a massive red flag unto itself. If I were to randomly walk into an org like that, ticketing would be a higher priority than BYOD. You've been there 3 months. *Calm down*. Present an action plan to your boss or the business. How big is the org? How big is the team? BYOD and DLP has to follow a discussion about org risk, which rolls into a cybersecurity framework. Has that all been done? Honestly it sounds like you're just panicking here my friend, and that's not helping anyone. IT should be communicating a security strategy and plan before any of this is dealt with. (By the way, tons of companies have fairly open BYOD and they somehow manage to survive. Even more companies don't implement much on the DLP side of things, either).

Reply

[-]

ceantuco@reddit

Many moons ago during the NT times, I worked for a company where the previous admin had given most users admin rights... my daily tasks were removing virus, recovering data and uninstalling applications/programs users download from the internet like AOL lol until I was able to configure the appropriate permissions and remove everyone's domain admin rights. Def NOT fun times.

Reply

[-]

HTKsos@reddit

I came into a job where there was no budget, not ticket system, and someone solved permission denied errors by giving each user domain admin rights. There was also no dedicated IT. There was a smart decision that RDP was the way to keep the CEO's laptop off the network. This is small company, obviously, and no sane person would continue working with this. But it was fixable, mostly through cloudsourcing, and sneaking in solutions that weren't noticed, like removing the admin rights after making sure they didn't need them. Also a few cases of not getting ransomware because they didn't have rights helped. The key is approaching problems from their point of view, but more informed. If They insist on BYOD, find ways to let them do their job with the devices they have, and mitigate security risks as best you can. This will take a bit or research and talking to them, but it may be worth it when you move on because they are not playing you enough for being a one man IT shop.

Reply

[-]

Binyah@reddit

`And yes… everyone has admin rights.` BYOD is the least of it. This is a recipe for disaster. I'd start applying elsewhere now because you definitely do not want to be on the other end of thing once it blows up (and it will). Just to reiterate although probably doesn't need to be said - letting go of all your infosec people at once is not a common thing. It definitely sounds like a culture problem rooting directly from your senior management based off the comments you've mentioned.

Reply

[-]

ItaJohnson@reddit

Didn’t doing something similar go well for Sony?

Reply

[-]

HipsterSlug@reddit

> everyone has admin rights You have my condolences.

Reply

[-]

iwinsallthethings@reddit

They will have their consequences.

Reply

[-]

IronHitmonlee@reddit (OP)

This is the way

Reply

[-]

anomalous_cowherd@reddit

They rarely arrive lubed...

Reply

[-]

jpmoney@reddit

> everyone has admin rights Project BYOD step one: access rights review. "To ensure success of the BYOD project, we need to ensure blah blah blah blah".

Reply

[-]

GhoastTypist@reddit

How big is the company to have 2 infosec people and no ticketing system? Everyone has admin rights? wth is going on there. I have a lot of red flags. I get why you don't want BYOD, its not because BYOD is bad, its just you're not in a place to implement it well enough at the moment by the sounds of things.

Reply

[-]

BlueHatBrit@reddit

Whether you agree with it or not, the business has made BOYD a priority. You need to adjust your priorities accordingly. Speak to your boss and tell them you're going to have to pause some existing work to focus on accommodating BYOD.

Reply

[-]

joliolioli@reddit

I'm surprised by all the calls that BYOD is quite so dire - we're at a university, with 30,000+ BYOD users (staff and students) with multiple BYOD devices per user, with absoloutely no management in place. Accessing internally, people can mount shares, access services directly, connect to anything they want pretty much without restriction. Is it an issue? Nope - plenty of infrastructure set up correctly to identify things like out of date devices (externally, without needing management agents installed on devices), potential malware, dangerous devices etc. and block network access and redirect them to a page explaining what people need to do. Happy users, happy network.

Reply

[-]

IronHitmonlee@reddit (OP)

The key ingredient it “plenty of infrastructure set up correct” we are missing almost everything and don’t have the resources (human and time) to ensure data breach risks are low in the time they want BYOD to be available.

Reply

[-]

sea-teabag@reddit

Enforce conditional access policies via Azure. Have them enrol their devices to InTune and tell them if they fuck around with company data their devices will be wiped for security reasons. There is a lot of document protection as well as access restrictions you can enforce with Azure so I'd recommend that

Reply

[-]

TasteTheViolence@reddit

Just say that IT reserves the right to remotely wipe your phone, with no prior notification or permission at any resonable suspicion of malicious activity. Then, when you see "odd" traffic, just remote wipe staff phones and say that you had resonable suspicion the device had malware on it and did what was needed to protect the companies data. When you've wiped a few peoples phones, word will get out and no-one will want to use their personal devices. It may not be ethical, but it works!

Reply

[-]

mylittleplaceholder@reddit

Lock the data up. Use terminal services or desktop virtualization and don't let sensitive data leave your protected area. Treat the BYOD devices like the public internet and firewall them off.

Reply

[-]

Emotional-Meeting753@reddit

Also make sure to open up rdp to the internet.

Reply

[-]

NVPcMan@reddit

The compliance staff was let go, and you've been here three months? If there is no one left in compliance and no one above you in IT, then tell the executives this is outside of your professional ability to do without compliance and outsource it. Also, look for a new job if you have this level of concern. If you want to make this right, virtual desktop pools and zero trust shouldn't be that difficult to implement if the company is small enough to have so few IT staff that they don't need a ticketing system.

Reply

[-]

IronHitmonlee@reddit (OP)

Oh no they needed a ticketing system, I was basically lied too and told they have one… I think I understated how unreasonable they are in this post. I’ve heard some conversations about some… interesting stuff. I’ve been told this is my problem F&%#ing deal with it whilst they consistently reduce the IT team, I may still be here cos I saved there skin twice already. They have been shown 1000s of reasons why they should not do this but want to do it for “ease of use”

Reply

[-]

Bronichiwa_@reddit

How the fuck do they pass any industry standard audits?! No reputable company would do business with them if they cousins provide pen test reports and so on. Wouldn’t this shot be a glaring vuln if not implemented correctly? We get pinged all the time with customer we sell our SaaS products to weekly with new vulns, asking for us to prove we’re compliant in remediation and patching for those vulns. This has to be a small time company

Reply

[-]

gnnr25@reddit

> I may still be here cos I saved there skin twice already. That's the problem right there. They're taking advantage of you because they know you have a conscious.

Reply

[-]

allen_abduction@reddit

Please update your resume, and contact a few headhunters; you might become the fall guy for all this shit about to go down.

Reply

[-]

insomniahag@reddit

This place sounds like a nightmare for IT. No infosec team, boss wants everyone using unsecured personal devices, AND no ticketing system? How do you keep track of service requests? OP, I'd run for the hills from this company.

Reply

[-]

IronHitmonlee@reddit (OP)

It’s hell which had a door of gold and money and bliss. Alas… ‘twas all lies aside from pay which isn’t worth the looming death.

Reply

[-]

223454@reddit

>aside from pay which isn’t worth the looming death If the pay is good, I'd just stick it out. The worst they can do is fire you, which would be easy to explain in interviews. The only way to know if it's good is to get other offers and compare.

Reply

[-]

wrincewind@reddit

you don't even have to worry about getting a reference from them. Hard to contact a company that no longer exists.

Reply

[-]

pinkycatcher@reddit

Honestly, tell them they need to hire two InfoSec guys to help out with this project.

Reply

[-]

samtheredditman@reddit

Imo, ride the golden slide to the end, but do not forget to cover your ass. You are going to get blamed and fired for the next security incident. If you're lucky, you'll get at least a year at the place before that happens. Keep documentation of all their requests and your recommendations being ignored on your personal devices and email. Back is up, do not forget and do not lose it. In extreme cases, that data might be the only thing that keeps you from going to prison.

Reply

[-]

Pantera_Atrox@reddit

Nah, fuck all that. I mean, you're probably already looking for something else, right? In the meantime, just run with every stupid idea they toss out. Obvi, do the CYA emails, copying at least two people in leadership on every one. But just run with it, do whatever they want and take mischievous glee when they start to crumble and burn. If you're still there, you can then reply to all in those CYA emails with some form of "I f'n toadaso'. Ride it out and keep full detailed records for an epic r/maliciouscompliance post. Also, if they're this stupid, they probably would never notice if there was any torrent or mining activity going in whatever kind of data center (or closet) they have setup.

Reply

[-]

insomniahag@reddit

It sounds like even if you present them with a solid method for securing their mobile devices, they won't listen anyway because security is apparently "inconvenient." I see one of two things happening: eventually they will try to fire you for pushing back on security measures, or they will strong arm you into letting them do what they want and then blame and fire you after the first data breach. Run!

Reply

[-]

AdFinal6026@reddit

I second this. It is always best to not be the one in charge when a catastrophic data breach or ransomware attack eventually happens. Even if you have properly documented the absurd requests to higher management and said it was risky but did it anyway and are therefore not sueable, at least not into total oblivion, you will forever be known as "the head of IT when the security breach happened". You will be blamed when you are not hearing about it. What others say about you when you are not in the room, is your trademark. I know sysadmins and other types of IT responsible people who have made up unrelated reasons to terminate their employment, once the requests about lax security from middle/upper management start adding up and it is apparent those will never listen, as it is easier that way to search for the next job with regards to references.

Reply

[-]

insomniahag@reddit

This is exactly it. Ignorant management will force your hand even when presented with evidence they're putting the company at risk because they're not going to be held liable when their own plan backfires. They're going to claim you didn't implement appropriate security measures and place all the blame on you. Push off BYOD as long as possible so you can get out before your name gets tied to thar dumpster fire.

Reply

[-]

Friendly_Pim@reddit

IT is best run by the feelings of the leadership team. /s

Reply

[-]

mlloyd@reddit

> Alas… ‘twas all lies aside from pay which isn’t worth the looming death. I think you care too much. You have to match energies with your upper management. If they don't care about this stuff, you shouldn't either. By that I mean, recommend best practices and write CYA emails after they refuse them and then do what they ask for. If you're not the CIO, it's not your responsibility to own these bad decisions - so don't.

Reply

[-]

Xzenor@reddit

Why are you still there?

Reply

[-]

Mortivarus@reddit

Now imagine if their only remaining fixer just suddenly got up and left? The whole house of cards would gloriously collapse...

Reply

[-]

smoike@reddit

And if he leaves, it's also not his problem. Win win.

Reply

[-]

bearded-beardie@reddit

Ease of use my ass. This is a cost savings measure. They want to stop buying hardware and have employees buy their own equipment. Run, don’t walk away from this, you will be left holding the bag.

Reply

[-]

1TakeFrank@reddit

A combination of App Protection Policy (to protect data within managed apps) and Conditional Access Policy to enforce the use of those managed apps will accomplish this without having to force your users to enroll BYOD devices in an MDM

Reply

[-]

netgek1979@reddit

Here's the fun part. Your CEO isn't as powerful as you think he/she is. Have an exit strategy Work with a board member. Let them know the compliance regulations, the actual risk, and the mitigation plan. In short, advise them the questions to ask, and the consequences. Articulate your personal exposure by doing so, and why it's good for the organization that these questions are asked You have a 90% chance or making a board member ally if done correctly

Reply

[-]

NightOfTheLivingHam@reddit

You work for twitter dont you?

Reply

[-]

AFS23@reddit

Assume breach, prepare for war!

Reply

[-]

Dakan-Bacon@reddit

Fuck that guy

Reply

[-]

Crazy_Hick_in_NH@reddit

And then what? 😝

Reply

[-]

sweetrobna@reddit

There are several endpoint management systems that really limit the exposure here, intune is probably the most popular one. They can prevent screenshots, downloading email, even copying and pasting. But if everyone has admin rights you have way bigger problems than byod phones for email

Reply

[-]

GoryRamsy@reddit

The only solution is to group policy away the power main.

Reply

[-]

ccellist@reddit

Do you work for Twitter then?

Reply

[-]

neekoriss@reddit

implement Zscaler. they can secure traffic for BYOD devices. Can also filter traffic inline to look for Data Leaks. either route the traffic through tunnels for users on prem, are make it a requirement for users to download their agent if they need to hit sensitive data. there are ways you can enforce this by making that data only available if traffic is going through zscaler

Reply

[-]

ToShibariumandBeyond@reddit

Think of it as a top down design approach. Start with the basics of: - how will data come in - how will the data traverse once in - how will this data be caputured for compliance and legislation requirements - how will these requirements be enforced. - do the devices include access to operational priv account, or will the policies be only for standard user account. Examples for the above would be: - Are devices phones or laptops? Regardless, you could lool at establishing endpoint management with configuration that either the device must be enrolled, and has certain requirements to remain compliant i.e. must have antivirus installed, must not have programs from a org blacklist, must have the latest updates with leeway for a 5 day grace period after each release etc. - Accounts coming in fron BYOD (from a zero trust perspective), must be standard users, will all priv account access through elevating a request that utilises forced config such as MFA, JIT (Time limited access), required a secondary to approve the request such as yourself or a trusted manager. - Attempt as much as practical with your ceo that a monitoring (potentially include soar and SIEM) system is used. For Azure look to implement Defender for Cloud, that can then feed into Sentinel as a fully fleshed SIEM. TLDR: Implement a Zero Trust Design that restricts everyone until they verify through multiple strong authentication methods, that allows access, but removes any implicit trust, regardless or device or location.

Reply

[-]

Better-Sundae-8429@reddit

Found the PAM vendor.

Reply

[-]

ToShibariumandBeyond@reddit

Not quite haha! I worked with a large vendor implementing a PAM solution recently, but only as a consultant, not a vendor myself :)

Reply

[-]

iwinsallthethings@reddit

If you were their security team, you would have been fired. This is a losing battle. Based on other responses, this isn’t really happening.

Reply

[-]

ToShibariumandBeyond@reddit

At the end of the day, if the C suite can't acknowledge they need to move in the direction of zero trust design, work with the engineers on current and potential threats with no wiggle room towards security staff, then I wouldn't want to hang around that company regardless.

Reply

[-]

DevAnalyzeOperate@reddit

What's the point of policy that won't be enforced due to a lack of manpower and upper management support? Let it burn and start looking for new work because you don't necessarily want to be consumed in the shit monsoon. I'm sure businesses have bright ideas like "Man having locks on our doors is so inconvenient!" and just remove them all now and again and some will get away with such notions for a shockingly long time but you know, things could blow up tomorrow as well. Where there's smoke there's fire as well, if this is happening in the IT department where else is the business taking ludicrous risks? Why are they taking these risks? Are they in financial distress? Start demanding money up front lol.

Reply

[-]

sayoonarachu@reddit

Have Cisco Duo as a requirement, most users will give up at 2fa. >.<. Jokes aside, time to find a new job.

Reply

[-]

Catchy_Username1@reddit

Just bring in cybersecurity insurance auditors. They'll fail the new policy instantly haha

Reply

[-]

AxiomStatic@reddit

This sounds like your CEO might fit the legit profile of a psychopath. That can't be fixed. Get the fuck out of there asap.

Reply

[-]

QF17@reddit

Wow, this thread is a textbook reason why people hate IT and why shadow IT exists. BYOD is perfectly feasible in 2023 under the right circumstances. It depends on the nature of your work, the general competence of your staff and your cloud maturity for information protection and monitoring. Are you on a factory floor where computers support the organisation? Then maybe it’s not a good idea. Are you dev shop that works remotely with proper controls in place to protect data? Then why not let devs use what they are comfortable using. Production access could be locked behind a corporate laptop with an always on vpn for those that need it, or you could set up a VDI with additional security controls.

Reply

[-]

FullPoet@reddit

As a dev who's experienced insane people like op, thank you for being the voice of reason.

Reply

[-]

uid_zero@reddit

>BYOD is perfectly feasible in 2023 **under the right circumstances**. A CEO that shitcans all of infosec and then demands BYOD is anything but the right circumstances. >Moving to byod means you just move the trust boundary from the endpoint to the things that the endpoints connect to. You're not wrong, I just don't see how this gets implemented successfully in this case. Granted, we have very limited (and no doubt biased) info about the environment, but this sounds like a no-win situation.

Reply

[-]

lost_in_life_34@reddit

I'm in a secure environment and we do BYOD with intune and MFA. for laptops and computers only company assets can access company resources directly. BYOD laptops go through citrix  it's been done for years

Reply

[-]

uid_zero@reddit

It can be done, and it can be done well. **Under the right circumstances.** I'm certainly not arguing that it can't be done, but it has to be done well.

Reply

[-]

ThatITguy2015@reddit

Yup. I do *not* see this being anywhere close to the right circumstances from what we’ve been told so far. This is full on yikes on bikes to my understanding.

Reply

[-]

QF17@reddit

>A CEO that shitcans all of infosec and then demands BYOD is anything but the right circumstances. As you say, we're only getting half the story. It could be that the previous administration was overly paranoid about security and the CEO wanted to relax some of the measures (maybe for good reason, maybe not, it's hard to say). When they were unwilling or unable, the CEO moved them along. I've worked in an environment that was completely cloud-phobic. They use ADFS in front of M365 because "Microsoft have outages" yet they forgot to renew the VPN certificate and caused their own outage. There was a level of paranoia that was very much misguided for the work the organisation did. I just don't think it's healthy for any of us to be advocating one position or the other without knowing more details. It creates a dangerous workplace culture that either risks too much information, or risks alienating staff and making their jobs more difficult due to unnecessary hoops based on some random sysadmin's perceived thoughts about security.

Reply

[-]

uid_zero@reddit

>I just don't think it's healthy for any of us to be advocating one position or the other without knowing more details. Agreed. We have one small part of the story, and we're filling in the rest of the details with assumptions.

Reply

[-]

PoniardBlade@reddit

This is a policy issue, handed down from up top. Best he can do is mitigate some, but when the eventual issue finally crops up, it's not IT's fault (although it will get blamed).

Reply

[-]

Fatvod@reddit

Seriously I'm baffled by the power trip it seems people are on in here

Reply

[-]

ImpSyn_Sysadmin@reddit

Not that it takes away from the rest of your post, which I generally find agreeable, but local admin rights aren't safe because people "know what they are doing". Presenting the vulnerability as only a stupid user installing legacy software is a blind spot that belies an ego people shouldn't foster.

Reply

[-]

QF17@reddit

Sorry, I certainly didn't intend it like that. I've worked in organisations with three different levels: 1. No local admin, no PAM. Everything goes through IT (these places are painful to work for) 2. Local Admin via PAM. The app is installed on your machine and you can get local admin rights no questions asked for 1 hour 3. Local admin on request, or a secondary local admin account for your workstation. \#3 was really only granted to power users and was on a needs basis. If you could demonstrate that you had a valid need for local admin rights and you knew what you were doing, you could be trusted to make changes to your own machine. The LA accounts didn't have internet access, and were generally given to analysts and developers (and didn't want to hassle IT each week for new software to be added to SCCM). For reception staff? No local admin access at all. They had everything they needed via SCCM and if not, they'd open a ticket and we'd configure it for them. The point I was trying to make though is that if everyone has local admin by default, then your endpoints (at this point) are just as trustworthy as BYOD. If you don't have reasonable assurances that your machines aren't compromised by a dodgy install of Firefox, then allowing BYOD is the least of your worries. In that case, moving to BYOD and allowing users to have local admin on their own personal devices is okay, because you should be securing your network and systems at a higher level, and (in theory) a BYOD machine compromised with ransomware shouldn't be able to impact the rest of your network.

Reply

[-]

bi_polar2bear@reddit

Have the RSA token expire on BYOD devices (10 minutes) along with MFA, or you could experience what Linus Tech Tips happen. Also, get something to scan any incoming documents before opening. If you make BYOD devices so overhead heavy, as in taking a lot of time, it'll push people to use safer methods. All you can do is manage the situation and use malicious compliance. No security people are guaranteed failures. Since I've moved into IT Security, it's a whole new world and much different than IT, with a whole new set of acronyms. Get Yubi keys for each person, and then you can control it if they leave. There's a lot you can do, though I'd stick to slowing people down if they use BYOD, and play dumb with the wannabe CIO because non corporate builds have too many installed programs to be efficient.

Reply

[-]

synicalx1@reddit

BYOD for phones isn't uncommon and for any modern organisation it shouldn't be an issue. Most MDM's make it trivial to self-enrol your device and have varying levels of security features enabled such as mandatory patching, passcode/word length and complexity, data segregation, blocking jailbroken and rooted devices etc. I would suggest looking into an MDM, such an Intune if you're an MS house, and making users enrol their phones. A lot will just do it and then *you* control their devices, and a bunch will probably refuse and thus not be a problem.

Reply

[-]

drcygnus@reddit

make sure you have a paper trail and just let it all happen. screw em its not your company. i would just do as he says and watch the ship sink

Reply

[-]

xwinglover@reddit

Quick, download this file onto your server and execute it, and the security policy will be locked down. Thisisnotavirusjustsomeprettyfireworks.exe

Reply

[-]

ThisGuy_IsAwesome@reddit

I would put in an MDM and crank up every setting to where you basically own the phone and can do whatever you want. Wipe a phone or two for "suspicious" activity and no one will want to do it. Hell, wipe the CEOs phone.

Reply

[-]

ericneo3@reddit

> How do I make the policy so tight that no one will want to use a personal phone First take a deep breath infosec is not your monkey don't carry it and don't pick it up without a substantial raise and promotion. Your standard answer for infosec duties should be, "Sorry that is not one of my duties, that is a duty of infosec." > The boss in question was hacked previously and still wants to go ahead with this is, and he tends to blame whoever he can even if they have no involvement in an issue. Prepare your CV and start looking, it's only ever a matter of time. > I’ve chosen to stop saying no directly to him because I’ve realised I could have been fired for this after seeing they way he has treated other staff and of course Facepalm, you picked up the monkey. There is no scenario where this ends well for you, if you stay you will be their scape goat now if ANY thing goes wrong. > just in case I stay I want to have a plan B. Unless you have bags of money to defend yourself in a lawsuit from them you need to get out. Because when they get hacked these types of people will be malicious and will blame you. Don't risk it, get out.

Reply

[-]

KadahCoba@reddit

> How do I make the policy so tight that no one will want to use a personal phone I kinda feel the impression that this guy will just become personally annoyed by such policies and make you change/remove them anyway. Though if that is the case, it only adds to the amount of boneheadedness he's done to make the holes in the swiss cheese larger and with fewer layers.

Reply

[-]

tbochristopher@reddit

Here is how I learned to handle situations like this. It starts out with understanding that it's not our job to protect the company. It's not our job to keep things running. It's not our job to make any decisions about the I.T. in any way. We are merely operators that do what leadership wants. If leadership tells us that our job is to think, THEN we think. If leadership tells us that it's our job to keep stuff up and running, THEN it's our job. If leadership tells us to create an environment that goes against our professional recommendation, it's our job to do what THEY tell us to do. To avoid situations like this, get used to feeling like you don't own anything and you will do what they ask. But then, to protect yourself, make sure that everything they ask is formally documented and integrated with the business in the form of an approved I.T. policy. Establish an IT steering committee and then write an IT policy. The leaders will feel super special if you call them a steering committee and they will LOVE the idea that you are putting them in a "superior" governing position. Hopefully you can get three people but if there's only and owner then that will do. By calling them the steering committee they will feel super special. To get this started, write an initial I.T. policy, a starter, and then email it to leadership and tell them that you would like to have better governance over what you do and request that they identify people to be a committee over you. Then have the committee agree that they want you to write an IT policy. Write down a policy with everything in it, everything. Make them sign it any time you make changes. Gleefully add anything they want to it. Create a line in the policy that says that the policy is all encompassing and you shall not deviate from or expand on the policy without approval from the committee. Then when you're in the hallway and someone asks you to do something stupid, tell them that you'll be absolutely happy to but it doesn't currently comply with policy and the policy says you can't go outside of policy. If they tell you that they want to host movie torrent servers inside your server room, just say yep, ok, happy to, we'll have to update the policy then I will do it. By simply having the policy and the bureaucracy around it you will be insulated from a lot of adhoc changes and heartache like the above. And then when they see that they have to legally sign and document themselves doing things that might get them put in jail, they'll question a second time. Once you have that done, you just have to stick to the policy and being willing to quit over it. This is where you fight. You don't fight over your opinion of what you think good security is. We always lose when we try to enforce out technical opinions against business direction. When leadership asks you to do something, stop fighting it. Only fight if they want you to violate the written policy. Story time: I had done the above. One night, I had a CEO bring in an "auditor" at the end of the day after the CO went home. He asked me to reset the CFO's password so that the auditor could login to the financial system. I said yep I'm happy to, but it requires an update in policy (because the policy required that I secure things and not share passwords) so if he could call the committee together real quick to update the policy then we could make it happen. He didn't want to do that. So I offered that instead of doing what he asked which would require a policy update, I could just create a brand new account for this person and give them access to the financial system; but no, they didn't want that. The CEO yelled at me and told me that it was urgent and I needed to be cooperative and he took verbal responsibility for this action. I told him that under no circumstance would I ever violate the policy signed by the committee and that the only way for him to make things happen immediately would be to fire me on the spot and I would have over -my- username and password and he could do whatever he wanted to with it. He yelled at me. I yelled back as loudly as possible so that the entire office would hear me, "boss name" I will never violate the IT policy no matter who demands it!!! He and the auditor left. A few weeks later he was fired and I got an 18% raise. I don't know if there's a connection. No one ever said anything to me. I just followed policy.

Reply

[-]

jrichey98@reddit

Yep. I've told my supervisors straight up that I wasn't doing something because we'd been told specifically not to do it. If they wanted to do it, then they could. If my boss want's to do something shady, it's not my job to stop him, but it's going to be him that does it, not me. A lot of exceptions to policy stop when one of the higher up's are going to have their name on it.

Reply

[-]

tjwalkr3@reddit

Use some super tight MDM profile that restricts everything but a few approved resources, and run all the traffic through a proxy. For Android, there's MaaS360. It's what the Mormon church uses to lock down their missionaries' phones and snoop on all their communications.

Reply

[-]

bigfoot_76@reddit

3 envelopes

Reply

[-]

leozh@reddit

The world is moving towards BYOD, you can move with it or be left behind. Use some sort of zero trust app where possible, and also endpoint protection and device management software and it will be fine.

Reply

[-]

jrichey98@reddit

Rather than tell you you're going to be hacked if you do it, or it is dangerous, I'll give you a practical recipie to do it safely. I work for a global company that has tens of thousands of employees. If done right, BYOD is fine. With 2FA we can access OWA, SharePoint, and Teams, our Timecard/Expense sites, and a virtual workspaces remotely and from personal devices. Of course firing the only security personel seems like a really bad course of action, but many things can be done securely that some teams don't like to do simply because they don't have prior experience. A few things: - Use 2FA - Whitelist trusted clients (company domain joined and manged computers) by MAC onto an internal trusted client network, put everyone else that connects to the company infrustructer into a untrusted client VLAN with internet access, and only selected web services that are accessable only 2FA. An easy way to do this via a proxy server between the untrusted network(s) and the services being made externally available. Off premise this proxy can also be used to allow people to access these services directly via the internet. - If they can access email, teams, sharepoint, time sites, etc... that's all 99% of them need to do their job and management will probably be happy. It's not actually rocket science. You just need to make sure it's done so securely. Many (probably almost all) large companies are already doing this to some extent. It's the smaller ones with smaller IT teams and budgets that have the most dificulty. This may be something the CEO is not accounting for and needs to. Having 0 cyber security/infosec personel is more concerning to me than allowing remote access or BYOD.

Reply

[-]

bos2sfo@reddit

Feels like the old joke. "Our releases were always late because QA kept finding bugs. We put a fix in place and now push out code on schedule" "How did you solve the problem?" "We fired everyone in QA."

Reply

[-]

Zodac42@reddit

My company had a BYOD policy briefly. However due to our security requirements, if there was a data spill or issue originating from your phone, the company had the right to confiscate your phone as part of the investigation. You were not going to get it back. Once this actually happed a few times, word got around that the risk of having to buy yourself a new phone was real. People stopped using BYOD. And then we stopped offering it.

Reply

[-]

graysky311@reddit

put as many restrictive policies into your BYOD MDM profile as you can fit. When people see the warning on their phone when the profile gets installed that warns about what control they are about to give up, they may think twice. Also verbally and in writing remind them that by connecting remotely they may be subject to having their entire phone wiped / erased.

Reply

[-]

baseballgrow6@reddit

3 envelopes

Reply

[-]

michaelpaoli@reddit

1. You've got to actually have an appropriate security policy. 2. It needs be signed off by the highest levels of the organization (e.g. owner, CEO) 3. It needs to be reasonably well enforced - e.g. violators subject to disciplinary action up to and including termination and potential civil and/or criminal penalties 4. Folks need to be made aware of and sign off on security policy (typically required part of onboarding process) 5. If you lack the above steps, you typically have wishful thinking, rather than an actual security policy 6. BYOD, either 1. prohibit entirely, or 2. allow with only quite tight restrictions, e.g. most: 1. be of an approved device type 2. must have relevant security, encryption, tamper-->wipe, monitoring, etc. software installed, meet all relevant standards including security, etc. 3. may be subject to searches, inspection, civil discovery, etc.

Reply

[-]

thejokertoker05@reddit

It's time to update the resume

Reply

[-]

StalledCar@reddit

My company runs VMs for our phones trough Hypori. Maybe something similar would satisfy everyone.

Reply

[-]

yesterdaysthought@reddit

It's gonna be some level of "risky" if BYOD means you're enrolling them in your MDM vs much more so if just letting anyone access your org from a personal device without MDM enroll. The main problem that cropped up in recent years is that MFA can be bypassed with exploits that steal access cookies/tokens in the context of the user. The dark web literally has MFA tokens for sale. The defenses against this are: 1. Require corporate owned devices so at least you can enforce regular updates with a decent MDM. You can't enforce updates on personal devices even apple has had 2-3 zero days a year recently. 2. Require "compliant devices" to access your org over the internet. This means MDM enrolled, up to date, AV running whatever. Important here is that if an MFA token is stolen somehow the attacker should be blocked if they attack from a random device. If you're using Azure, put in Conditional Access policies that require compliant devices and just crank up the device compliance for the personal devices.

Reply

[-]

sad0panda@reddit

Remind your users, in big red letters, that if they are using their personal devices for work, those devices can be potentially be used for discovery in a lawsuit. Like your device and don't want to potentially be without it for weeks/months while a lawyer cracks into it to download your employer's data? Don't use it for work. Not to mention remote wipe capabilities, etc.

Reply

[-]

xDroneytea@reddit

We have a BYOD Intune profile and compliance policy so that devices aren't marked as compliant if they're not over a certain OS, are jailbroken / rooted, not encrypted and so on. Then a conditional access policy which blocks all android and iOS devices from signing into any 365 apps unless their device is marked as compliant. Only with the Intune enrollment apps added as an exclusion.

Reply

[-]

UncannyPoint@reddit

Do you use Company portal for checking the status of the device or something else?

Reply

[-]

xDroneytea@reddit

Company portal for enrolment and endpoint manager to check compliance

Reply

[-]

Ciderhero@reddit

My two cents worth - Intune (assuming you're in M365), setup a mobile conditional access policy that basically says "no Company Portal registration, no access", put MFA on for all accounts, and a BYOD policy that says don't share information on non-company apps. File shares, VPN, or non-MS sources - MFA as much as possible, SSO on systems, and limit access to shares so if you get a crypto locker then it's limited. And check your backups to plan for a mass restore. Also, check to see if you have cyber insurance. They can provide support and tools to support your predicament, even if you're not that "compliant". Finally, see if you can reach out to a cyber security company and, at the least, keep them on standby to assist if you get hit with anything.

Reply

[-]

IronHitmonlee@reddit (OP)

Thanks I’ll look into it

Reply

[-]

diffraa@reddit

You need to get in writing that you oppose this change, and are being overruled. Now.

Reply

[-]

housepuma@reddit

At my job we have a BYOD policy and use my own phone because the one the company gives me has a giant dead zone at my house. In return for using my own, I get a 40 dollar a month stipend which actually pays my cell bill completely. We have to install the Microsoft Company Portal on our phones but I am perfectly okay with that because I don't keep anything of a personal nature on my phone anyways so if they decided to remote wipe it, no big deal other than the inconvenience of having to reinstall my apps.

Reply

[-]

Am0din@reddit

Hope you got what he is directing you to do in writing, because when it falls flat on its face, guess who is going to feel the brunt of the landslide.

Reply

[-]

IronHitmonlee@reddit (OP)

Thankfully I do, someone here said I should also apply a litigation hold so they can’t delete the original data.

Reply

[-]

Exfiltrate@reddit

Tell me you don't even know MAM is a thing without saying you don't know MAM is a thing... For a second I thought I was in /r/shittysysadmin

Reply

[-]

IronHitmonlee@reddit (OP)

So you’re just going to ignore the missing infosec people? I know the message isn’t clear and doesn’t show everything which has happened. But don’t undermine me or anyone here. No one would be able to implement a good MAM within a week for a company which was focused on not having personal devices. It also includes laptops. Keep your spiteful comments on that other sub.

Reply

[-]

Exfiltrate@reddit

Is BYOD access blocked presently? You can take the time to implement MAM, and keep it the way it is for the time being. Tbh this post just read like someone inexperienced with communication and technical implementations, no spite towards you at all.

Reply

[-]

IronHitmonlee@reddit (OP)

I’m not buying what your selling, you’ve posted at least twice in this post. Most other people understood the general message I was trying to put across and the requirement to implement this in a short timeframe. If you didn’t want to be spiteful you wouldn’t of posted that sub in my comments. If you want people who agree with you go over there.

Reply

[-]

Exfiltrate@reddit

Since you think I'm a salesman, your post is actually doing really well over there! [https://www.reddit.com/r/ShittySysadmin/comments/123mt34/how\_do\_i\_annoy\_my\_users\_so\_much\_they\_give\_me/](https://www.reddit.com/r/ShittySysadmin/comments/123mt34/how_do_i_annoy_my_users_so_much_they_give_me/)

Reply

[-]

Exfiltrate@reddit

Not selling anything other than best practices homie

Reply

[-]

teemark@reddit

Props just for proper use of "loose" Sorry about your network.

Reply

[-]

ThreadRipperPro@reddit

this is against security protocols on many different levels... so who is the idiot risking customer information??? I'd like to know so I dont do business with them...

Reply

[-]

ZaxLofful@reddit

Quit and find a new job

Reply

[-]

robbzilla@reddit

Fix your situation by moving on, not by fighting management in an uphill battle. Not worth it.

Reply

[-]

virtualadept@reddit

Can confirm. Your rep is more valuable than that company.

Reply

[-]

ragdoll-cat@reddit

Require long complex passwords. Set phone screen timeout to 1 min. Require long passcode for Apple Watch. That’s enough to annoy me, I’m sure there’s more.

Reply

[-]

PabloEdvardo@reddit

what exploits are you worried about coming from a BYOD phone? curious what malware on phones you're worried about exactly sounds like a "what if" more than a real risk

Reply

[-]

scootscoot@reddit

Lotta session keys to grab and use elsewhere.

Reply

[-]

IronHitmonlee@reddit (OP)

So the issue is the person who was hacked before was hacked by one of his friends. He is also the one pushing this policy so it makes it a when. They just want to use their personal devices even those which are out of date and old and I can’t support that.

Reply

[-]

apumpernickel@reddit

Why even worry? No matter what, someone else is going to be liable for the bosses policy mistake. If you're well off, CYA all the bad decisions, let them terminate you, find a lawyer and sue them for wrongful termination and the minimum is they settle with you. If the CISO for Uber can go to jail, anyone can go to jail over pure negligence.

Reply

[-]

GardenWeasel67@reddit

Any technical mitigation steps you want to take against BYOD are going to require dollars and contracts, which I assume your boss controls. (MFA for external access, NAC, Conditional Access to block personal devices, etc.) Get out. Get out now.

Reply

[-]

Exfiltrate@reddit

Why not just turn on MAM? Ez to setup.

Reply

[-]

0b5scur3@reddit

Unprotected BYOD phones are a huge risk for your company. Consider using a mobile security solution to make sure BYOD devices have secure configuration and enforce it using conditional access. A Security Services Edge solution can be used to secure access(block or limit) from insecure devices in cases where no Conditional Access is available.

Reply

[-]

mcnos@reddit

What’s your company name, asking for a friend

Reply

[-]

povlhp@reddit

BYOD should not have VPN to server networks which should be segmented away from user LAN as well. Maybe a few port openings. PVLAN on BYOD network. Demand encryption. Complex password requirements on phones. No jailbreak. And all the MFA you can get.

Reply

[-]

3percentinvisible@reddit

So you say you're going to be hacked because of a loose byod policy, but go on to say that _you're_ creating the policy and want to make it so tight it won't be used. Sounds _suspiciously_ like you don't want to do your job and have to deal with byod. Why aren't you coming here and saying "I've been tasked with creating a byod policy. I'll be honest and say I'm uncomfortable with the concept but realise that there are tools and procedures now to make this an effective strategy. Any advice?"

Reply

[-]

zerosanity@reddit

Do you have cyber insurance? If not add that to the cost If you do, see how that will effect your rates Add a requirement for the minimal OS version, require a full wipe of the device down to factory reset, then lock the device to a corporate account with restrictions on what they can do. Device gets remote wiped if they leave the company. Most people would never agree to that

Reply

[-]

Local_admin_user@reddit

Realistically more likely to have a data breach than be hacked in the short term, whether that's reported to authoritises is another matter. But any BYOD adoption should be carefully planned so this does seem like a daft idea given the lack of specialist staff to consider issues, risks and come up with mitigations.

Reply

[-]

IronHitmonlee@reddit (OP)

I gave them a map of how much staff we should have roughly including InfoSec, head of infosec etc… then I was told me a month later “all of our infosec have resigned effective immediately and we don’t need them.”

Reply

[-]

Lee_Ars@reddit

This company is going to fire you at some point. They'll either fire you when they decide they don't need you, or they'll fire you when the BYOD rollout has problems, because in their eyes that'll be your fault. As others are saying, _run._ Run before they fuck you. And the fucking is _absolutely_ on the way.

Reply

[-]

oopsthatsastarhothot@reddit

EJECT! EJECT! EJECT! Pull them handles and run like hell. You do not want your name attached to what's about to happen.

Reply

[-]

Local_admin_user@reddit

Something similar is happening at a friends team (not in my employer). The team have gone from 11 staff to 3 since Christmas because the manager who was well respected handed his notice in after being ignored for one too many years. The good staff have jumped ship while he was working his 3 month notice. From drunken discussions with him it turns out he just couldn't put up the constant kicking the can down the road attitude.

Reply

[-]

ImpSyn_Sysadmin@reddit

When everybody else is fleeing, don't be the one running toward the danger. Unless you're emergency services. Firefighters and EMTs are heroes. But for this situation? Run.

Reply

[-]

PerviouslyInER@reddit

"resigned"

Reply

[-]

archiekane@reddit

ROFL. Run, Forest, run!

Reply

[-]

AtariDump@reddit

Run.

Reply

[-]

FullLockDown@reddit

You work at Twitter man?

Reply

[-]

IronHitmonlee@reddit (OP)

Yup getting ready to live in twitter city

Reply

[-]

sparkleshark5643@reddit

Require MDM agents on all mobile devices, with remote wipe capabilities, and put it in the contact employees sign when they're hired. It's an industry standard (I think SOC2 requires it) and outraged users may demand company issues devices.

Reply

[-]

mrkmtt@reddit

devil side: - randomly print a pdf with „PCL error“ messages , when private device are connected - randomly wipe mobile phones - send large e-mails and files to the user, that their device storage gets full - lower the dhcp scope, that not all device get an ip address - change wifi password weekly, because its leaked - configure a website blocker for adult and other unwanted site, make a error message when they get blocked - ask chatgpt - install a firewall with reports for most used websites the other side - create a master image and deploy it as vhd on byod device for vhd boot - wifi password is not secure anymore, because unmanaged devices share wifi with unknown users - configure MPSK for wifi device - enable country blocking on your firewall - check log configuration on your devices - install pi-hole or something similar

Reply

[-]

DrDufmanKnows@reddit

You’re worried about people using their own phones (Android or iOS) for what exactly? Accessing company email? If the app protection policies and conditional access are setup correctly, you shouldn’t have much to worry about. If those things are not in place, and you’re doing something like active sync without modern auth, then….yeah, bad.

Reply

[-]

zerocoldx911@reddit

Penny wise, pound fool

Reply

[-]

Caygill@reddit

How did the boss become hacked? By clicking on a phishing link and giving away their credentials or by using a BYOD device ?

Reply

[-]

IronHitmonlee@reddit (OP)

No password on users device… device not locked

Reply

[-]

thortgot@reddit

You can enforce a screen lock in either Exchange or an MDM. How are your corporate devices more secure than than your BYOD ones?

Reply

[-]

mjmacka@reddit

You should be using a zero trust software and a software similar to Citrix to limit access to resources.

Reply

[-]

finnjaeger1337@reddit

Zerotrust - just via teradici all remote desktop, no vpn - no company software of any kind on any byod device, problem solved? thats how I would do that 🤷‍♂️

Reply

[-]

adamcoleisfatasfuck@reddit

Just leave, get another job, sounds like a sinking ship by firing your infosec team. And only having 2 members of an infosec team? If you are an SMB or even slightly bigger, I'd get the fuck out. It's not an if your org is hacked, it's when you find out.

Reply

[-]

RikiWardOG@reddit

I mean there are plenty of MDM tools that allow for proper app control policies to restrict what a user can do with company data. But yeah, definitely need to have the controls in place and properly tested and also make sure that it's a written policy that allows the company to put these tools on the device.

Reply

[-]

JacerEx@reddit

What's the issue with the policy? BYOD is fairly standard for mobile devices, there are multiple ways to sandbox/secure your data. Insisting that everyone uses a company issued mobile device is an antiquated ideology.

Reply

[-]

1z1z2x2x3c3c4v4v@reddit

> How do I make the policy so tight... Whats the point? The CEO will not approve or follow any such policy. > The boss in question was hacked previously and still wants to go ahead with this Again, you see where this is going... Not sure why you want to try so hard. Your skills are being wasted here. Go find a company that will value your skills and work ethic and probably give you a raise too.

Reply

[-]

MattWey@reddit

Well you got a bunch of good advice already. Here is some bad advice. Do it as they want it and enjoy the fireworks. Obviously insure yourself from any fallout by saving any emails you received regarding these mandatory changes, reconfirm few times and outline RISKS. So again, in case of bad stuff actually happening you can be like "Yes, I mentioned a high chance of that happening in THIS email here". Of course look around for different job, but I saw you mentioning they paying good money and still experience of handling a really difficult situation. Based on your replies I think you would feel better if you give yourself a chance to handle it than just leaving.

Reply

[-]

Garegin16@reddit

And there is a good chance that those fireworks don’t happen. The reason people are reckless is because not all risks are high. The nature of the risk might be severe, but not the probability.

Reply

[-]

EugeneKrabs1942@reddit

Depends on what apps you are using. Intune/Endpoint will do a grand job of keeping things separate in a Personal/Work separation with various policies. If you want to run virtualized apps (x86 or x64), look into Azure Virtual Desktop. It will allow you to run apps virtualized in an enclosed environment via mobile, laptops or desktop BYODs.

Reply

[-]

srbmfodder@reddit

I implemented a flavor of EAP that required a cert to be on the wifi. If you wanted your phone on the wifi, you joined the guest network. They still got email and whatnot/access to O365, but they couldn't touch the internal network. Non domain/sanctioned computer couldn't join the wifi even with a known good account. I think I only had 1 guy that had an issue, a senior programmer, and he wouldn't complain to my face.

Reply

[-]

Pomerium_CMo@reddit

....how good is your device management system? Can it check device posture and device state? Better yet, can it enforce that?

Reply

[-]

Keats81@reddit

Push for a good mdm that end users are required to install. Most end users balk at restrictive MDMs on personal devices. Plus it might actually cover some of the risks you are being forced into with byod. Win win.

Reply

[-]

JahMusicMan@reddit

If you have Meraki access points, you can blacklist/exclude iOS and Android devices.

Reply

[-]

GWSTPS@reddit

Is he the CEO, or is he friends with the CEO? Your post says both which leaves me someone skeptical

Reply

[-]

fredriv_2020@reddit

OMG, do you work at my company? Bad IT decisions made by non IT people, forced into practice by only hiring yes people, and firing those who know what they're talking about. Sounds like a big corp company to me!

Reply

[-]

zimage@reddit

Whose head will roll if the company's data does exfiltrate? If not yours, then send the email to CYA, then let the CEO take the fall when it happens. That's capitalism.

Reply

[-]

Palaceinhell@reddit

If he's your boss, advise against it, but still do what he says. He's the one who will get in trouble when the company gets hacked. Let him deal with it then. Stop trying to care so much about the company you work for. Just do your job, and when idiots in positions above you tell you to do something stupid. Just do it. Who cares?? It wasn't your decision and you advised against it.

Reply

[-]

Jaereth@reddit

So in paragraph 1 you say the CEO is making these changes. Then in paragraph 3 it switches to a "boss in question" who is friends with the CEO?

Reply

[-]

IronHitmonlee@reddit (OP)

Sorry typo I meant to say wannabe

Reply

[-]

xndpxs@reddit

If you go byod you better go remote...

Reply

[-]

IronHitmonlee@reddit (OP)

Why go remote… when you can force everyone back in the office because like “Elon Musk is doing it to save twitter”

Reply

[-]

xndpxs@reddit

Just imagine, BYOD but you have to stay in the office, if you don't have money for good devices you can GTFO

Reply

[-]

Total-Cheesecake-825@reddit

Step 1: Get everything in writing Step 2: Be a good employee and do as you are told. Step 3: buy a lot of short options Step 4: sit back and relax Step 5: take your profits and resign Are we WallStreetBets yet?

Reply

[-]

MigraineWhiskey@reddit

>Are we WallStreetBets yet? Feels like /r/IdiotsInCars/ lately

Reply

[-]

FluffyResource@reddit

Hey guys, just looking for a place to plug my 54G in.

Reply

[-]

BeanerAstrovanTaco@reddit

Follow the CEO's orders to the letter and let it all burn down.

Reply

[-]

Acrobatic_Painting59@reddit

BYOD is wonderful for productivity sake, so depending on what type of business the company is in it might not be that bad. The important thing is that the company segments critical from non critical functions to support this scenario. Example case from place i've been to they allowed BYOD for access to cloud based collaboration tools and email and some less critical production systems. But the most important production order system was locked down to just a few people who took security serious.

Reply

[-]

SpeculationMaster@reddit

Include this disclaimer in it "you agree that the device may be completely, remotely wiped/formatted by IT for any reason, at any time" Make sure you point that line out to anyone who asks, and make them sign it. This dissuaded a ton of people at my org.

Reply

[-]

MNGrrl@reddit

> I want to have a plan B. Smile, agree with everything they say and that you're working on it. Continue doing nothing. In military parlance this is called a *delaying action*, and it's just as applicable for office politics.

Reply

[-]

PokeT3ch@reddit

In my experience, if you communicate what IT can do and see with management software/policies people tend to change their tune real quick.

Reply

[-]

Turdulator@reddit

Are you ms365? Only let BYOD laptops access office.com, disallow office desktop apps, web version of office only, no downloads.

Reply

[-]

prepossession@reddit

Start updating your CV :) With kamikaze kind of CEO that is always good idea, soner or later you will be doomed. What could you do? Cisco ISE has a very nice solution for BYOD that doesn't allow device to be on boarded if certain criteria doesn't match such as: min. OS version, virus scan...

Reply

[-]

spikerman@reddit

Windows 365?

Reply

[-]

herefortechnology@reddit

What's loose about the policy? Containerization and conditional access are standard with BYOD programs these days.

Reply

[-]

jwrig@reddit

BYOD means you're gonna get hacked? Someone tell every major company and government!!!! If you can't figure out how in 2023 on implementing BYOD in a secure manner, you shouldn't be in this role.

Reply

[-]

mikeyb1@reddit

Exit through the gift shop.

Reply

[-]

pentangleit@reddit

Do you mean CIO rather than CEO? because "he is friends with the CEO" sorta makes no sense otherwise...and if so, have you considered having a quiet word with the CEO in a one-to-one to air your concerns? I recognise this is a risky move from your perspective, but if you may leave soon then you may want to let the CEO know about his friend's ideas given he appears hell-bent on some changes and the CEO might support the rationale behind your opposition.

Reply

[-]

IronHitmonlee@reddit (OP)

No the CEO and him are long term friends which makes it harder to speak to him about this.

Reply

[-]

ev1lch1nch1lla@reddit

Create a policy document with your suggestions for securing the network with byod. Submit that to them through email, get their denial in writing. Once they email back to confirm they are leaving themselves open, save a copy of that email. Your going to want that as proof that anything that happens is because of their negligence. They'll still blame and fire you for it so be ready, but it will protect you from them coming after you after the fact.

Reply

[-]

sturmblast@reddit

vlans work wonders

Reply

[-]

IronHitmonlee@reddit (OP)

If I told you about our network infrastructure. You’d be sick.

Reply

[-]

woemoejack@reddit

Please, sicken me.

Reply

[-]

IronHitmonlee@reddit (OP)

hahahahaha sorry my paranoia says limit the amount of information in case they find out I was here complaining about them.

Reply

[-]

railwayrookie@reddit

Make me sick!

Reply

[-]

malikto44@reddit

In cases like this, I really wonder if options or short selling is involved. If they get hacked, a short sell could bring C-levels a windfall, and it could be easily done by proxy so that the SEC wouldn't get wind of it. If this is a public company, I'd consider quietly notifying some people. Yes, in general, I keep to a rule, "snitches get stitches", but in a case like this, being able to state that you did do something can keep you out of the Federal or state prison systems. You really don't want all this crap blamed on you, and those C-levels will be throwing the blame on your shoulders the second they finalize their short sale and make a commission for their latest yacht. I'd go full BOFH on the BYO stuff. 16 character unlock PIN, changed every 30 days, access denied unless the OS is 100% at the latest version, no access unless the device can be 100% managed via an administrator profile, camera disabled, apps like Facebook and Tik-Tok disabled, and so on. For company owned stuff, because it is a known quantity, you can be a lot more generous with the restrictions, just as a carrot to get people to use that. As for laptops and such, time to get the C-levels to approve a VDI or Windows 365. That way, at worst, the endpoint can be infected with a RAT, so throw in some 2FA encryption in efforts to mitigate that, and that might be able to stem the tide somewhat.

Reply

[-]

TheBigBoldLlama@reddit

You should enact an MDM system of some type that allows for remote wiping. Make it so that if they want to use their personal device then they have to accept the risk that if you see anything out of sorts you'll need to wipe it.

Reply

[-]

MotionAction@reddit

This does give you experience for your next job to ask questions about how their stack is run, or you somehow convince management through many miracle situations to implement and enforce processes that make your job easier.

Reply

[-]

IceCubicle99@reddit

Any networks that we allow personal devices on are restricted by way of network ACLs or firewall rules from communicating to company systems. The only exceptions are company systems that are otherwise publicly available. Phones/tablets must also be registered with our MDM. This deters a fair number of people from choosing to use their personally owned devices out of pure paranoia.

Reply

[-]

FriedAds@reddit

You know you can have control over BYOD devices using Mobile Application Management?

Reply

[-]

thortgot@reddit

Many large scale organizations have BYOD programs. Handled properly they can be fine. Your network just moved to the Zero Trust model. Congratulations. What specifically are your concerns on security? That unpatched devices connect to your core network? Solution: don't do that. BYOD doesn't mean anyone can bring anything and you have to support it. You outiline a Device Policy that includes: installing an MDM, patching devices, using DLP solutions etc. that meet your security requirements. Telling a CEO no is the wrong solution. Giving them a solution that accomplishes their goal but meets your needs is the solution.

Reply

[-]

miscdebris1123@reddit

Point out that Lastpass was just massively hacked through a BYOD.

Reply

[-]

ILikeFPS@reddit

Something tells me you can't reason with stupid.

Reply

[-]

IronHitmonlee@reddit (OP)

![gif](giphy|1gEr3HMQOPNkl79lDv|downsized)

Reply

[-]

hoboninja@reddit

By BYOD are you talking just cell phones/tablets, or other devices such as laptops? If it's just phone/tablets, I'd just put them on a completely separate guest network that they can't reach corporate data from.

Reply

[-]

Cairse@reddit

Here is a good life lesson for you. You're job isn't to make the world an impenetrable tech fortress. Your job is to manage the systems of the company you work for and provide professional advice along the way. All you can do is, put it in writing why this is a bad idea, make your final pitch on why this shouldn't be done (again in writing like an email), and then you do your job. As systems administrators (and really anyone in the SecOps space) our job is to mitigate risk, not eliminate it. Wasting time dwelling on this and posting on the internet is hurting your mental health (whether you know it or not). Put it in writing why a BYOD policy is a bad idea and explain potential consequences and then do yout job. After that go home, put on a good show or play some video games, and call it a good day. Do you think the boss insisting on this policy is sitting at home thinking about you? The answer is no they're not.

Reply

[-]

Reddywhipt@reddit

It's insane that such a fucking moron could be running a whole company and likely making a six figure salary plus bonuses. I wish you luck finding a job at a company not skippered by a smooth brain idiot.

Reply

[-]

ITMANAGERIT@reddit

If your CEO wants to do BYOD and you want to make it impossible for someone to use... you will be next in line to get fired.

Reply

[-]

attacktwinkie@reddit

Make the policy that you can remote wipe personal device and you can read all messages sms etc. Basically you'd own the personal device. Prevent side loaded apps. So draconian that no one will use own device.

Reply

[-]

TravellingBeard@reddit

Did you tell him it was a terrible idea in writing? Also, we use BYOD, but it also has some restrictions (in our case, Microsoft InTune) to access Outlook and Teams.

Reply

[-]

Droghan@reddit

Another vector you could try is the compliance or digital insurance angle? Do you have any PCI or data compliance standards you have to meet and maintain or some level for your companies digital insurance you have to prove you are secure? BYODs could drastically impact an audit and raise your rates for insurance (if applicable) depending on the industry you are in.

Reply

[-]

night_filter@reddit

I don't think BYOD is inherently so insecure as you're making it sound. The key is, you need to require that the BYOD devices are also enrolled in some kind of management, at least enough to have an agent of some kind that can verify things like: * The device has your chosen antivirus installed. * Ensure that your chosen web filtering agent is installed and working * That antivirus is not reporting that the machine is compromised * There are proper security settings in place Phones are generally not very hard to secure with a few MDM policies. You can set app-level protections that prevent data exfiltration to other mobile apps. I would work on security policies tight enough that you feel assured in the security of the devices. A lot of people won't like those security policies on mobile devices, and won't like having an agent installed that allows the company to monitor activity on their personal devices, and so will opt out.

Reply

[-]

Ok_Adagio3465@reddit

Set up your BYOD policy to the user understands the business has the right to alter the device to install or uninstall software and to remotely wipe their device upon employee termination or if the device is lost or stolen.

Reply

[-]

CelticDubstep@reddit

Isolated vLAN & 256 Kbps Bandwidth Limit per device.

Reply

[-]

me_myself_and_my_dog@reddit

Just put a notice that IT will be able to see EVERYTHING that happens on the device.

Reply

[-]

devBowman@reddit

Do they know BYOD stands for Bring Your Own Disaster ?

Reply

[-]

RaNdomMSPPro@reddit

Can you explain data owner risk to the boss? While some of the posts are focused on getting blamed when the bad thing happens, none discuss the absolute nightmare this will be for the C suite. Does the C suite have any idea what their risk is as the data owners? I don't know what sort of data your company processes and stores, but this is the stuff that gets the boards attention as it forces the conversation to happen. If this is publicly traded company, there is supposed to be some sort of risk management/compliance committee that this "risk" should be provided to for the board to discuss and get approval to accept/mitigate/reduce.

Reply

[-]

IronHitmonlee@reddit (OP)

They are aware and think nothing will happen. Going above them to other stakeholders is extremely risky and I don’t think it’s worth it. They don’t seem to care about the business enough.

Reply

[-]

Frosty_Protection_93@reddit

Run, and run fast.

Reply

[-]

lemon_tea@reddit

Block Facebook, Twitter, YouTube, Instagram, Whatsapp, Telegram, and Reddit on all BYOD devices. 99% of BYOD activity on your network will cease.

Reply

[-]

SXKHQSHF@reddit

Frankly this is a situation where I would go over the boss' head and express concerns to senior management. If this were a television show, your boss is on payroll with a competitor and preparing to sink you all. This is not a TV show, and I don't have all the facts, but it's not paranoia if someone is really out to get you.

Reply

[-]

Whereami259@reddit

Deploy MDM software and start a rumor that you can access all of their data. Oops, sorry, I tought this war r/ulpt.

Reply

[-]

Garegin16@reddit

What’s ulpt

Reply

[-]

Turbulent-Pea-8826@reddit

I don’t get people in this sub. It’s not your company. You are an hourly employee with no stock or ownership stake. Hey do a good job when management is making a honest effort but when you have some ass clown like this CEO why bend over backwards to save them from their own stupidity. Do your due diligence and send a professional email about why this is a bad idea for <reasons> with a preferred plan to go forward and when they ignore you kick back and collect your paycheck. Do your 40 hours and not one minute more. Start looking to get off this sinking ship before you are forced off.

Reply

[-]

Garegin16@reddit

I’m gonna be a good guy and warm you about a stupid decision. But I’m not your mother in law. If you wanna keep ignoring industry practices and be a dipshit, I’m not gonna get into a fist fight “for your own good”. I do hate however passive aggressive malicious compliance assholes. Again, I’m gonna say my word. But I’m not gonna get on my knees and beg you. Again, not your mom.

Reply

[-]

TheBoatyMcBoatFace@reddit

Counter point: My company does digital services for the government. Depending on the contract we are working on, we may have a govt laptop. Our primary machine is personal. All tools are web based, YubiKeys are provided and required, and all the security procedures are followed. The company is fully remote, doesn’t have an office and has around 150 people. I’ve been at some companies that provide devices but are way way way less secure. That being said, we are a tech company and everyone here is knowledgeable or knows to ask for help. I know most companies aren’t like mine, but Byod is very possible to have a secure environment.

Reply

[-]

win10bash@reddit

If you guys have intune you can build an intune work profile that is pretty safe for phones. For desktop and laptop BYOD, you can setup various forms of remote desktop access for these users and disallow copying things through RDP. BYOD isn't inherently insecure but considering your company doesn't seem to be interested in making investments in info-sec it will be hard to get the right controls around the BYOD devices.

Reply

[-]

_mews_@reddit

Meh we managed this at my last company with MFA, and georestriction/conditional access. Not really a huge deal having Teams + Outlook on your phone. Haven’t had any one get hacked, but did have a few people that fell for the ole “hi I’m the CEO and need $1000 on Amazon in gift cards” routine, and they do that on company devices too.

Reply

[-]

bastardofreddit@reddit

> Not really a huge deal having Teams + Outlook on your phone. Provide me a company phone. I aint putting work crap on personal devices.

Reply

[-]

Angrymilks@reddit

I got domain admin from a raspberry pi someone had brought from home and was mixing their work credentials with the Pi.

Reply

[-]

Columbo1@reddit

If you want to discourage BYOD, it’s easy: HTTPS inspection. Every device that uses my WiFi must install my cert and have all of their HTTPS traffic intercepted and inspected. Not many users can figure out how to do it, very few come to see us about it, and even fewer agree to it after we’ve explained what it does. It’s installed on every corporate device before it’s issued to a user, but barely any users are willing to have it on a personal device.

Reply

[-]

IronHitmonlee@reddit (OP)

I’ll keep this in mind also.

Reply

[-]

winsyrmatic@reddit

In my personal experience, viruses were never the problem. Data exfiltration however, that was a complete hot mess. Coupled with refusal to pay for tiers which offer proper DLP, absolute fail. =(

Reply

[-]

Mystery_Guest_2050@reddit

On mobile and didn’t get to scrub all previous replies, so my apologies if these points have already been stated: in addition to other suggestions, I’d recommend looking at a lite* zero trust implementation. CloudFlare Zero Trust for example is free for under 50 users and then has paid tiers above that. You can’t get far more sophisticated with integrating it with third party tools like crowdstrike, but can reasonably (note: not exhaustively) insulate your org from some cyber risk using their built-in functionality. It would require users to install CloudFlare Warp client - one app, that’s it, and from this app you can require uses to have to toggle it on to access any org resources and in doing so traffic is encrypted to CloudFlare and you control things like dns filtering and resolution. The warp client also can validate on phones and laptops if certain attributes such as drive encryption, firewall enabled, and particularly OS versions or higher are present. It’s not a 100% resolution, but it mitigates some of the risks.

Reply

[-]

VoyageursWitch@reddit

After reading some of your comments it's clear you need to find a new job, just remember when you're interviewing when they ask why you left you say nothing but nice things about this place and that you wanted to focus on growth of a skillset that this place doesn't offer.

Reply

[-]

terriblehashtags@reddit

Do you have any budget for endpoint management and controls to facilitate a BYOD policy? Cuz yeah, enforcement of policy is gonna be a *bitch* even if you stick rules up in the breakroom...

Reply

[-]

uniitdude@reddit

you need to think about this logically, it's seems to be a bit scattergun at the moment how are you stopping accidental or intentional downloading of data now? Why will BYOD make this easier? How will you be 'hacked'? If the CEO wants a BYOD setup, how will your policy change anything or be enforced?

Reply

[-]

5k4nda1@reddit

Additionally, how do you harden security behind the front door? If someone does have a infected device how do you detect it? Start building additional layers for these senarios. Security is like onions or ogres.

Reply

[-]

DiseaseDeathDecay@reddit

>Security is like onions or ogres. Defense in depth.

Reply

[-]

zekrysis@reddit

also cakes! cakes have layers and everybody loves cake

Reply

[-]

Encrypt-Keeper@reddit

You know what else everybody likes? Parfait

Reply

[-]

archiekane@reddit

I prefer onions

Reply

[-]

Scratchnsniff0@reddit

What's your stance on parfaits?

Reply

[-]

ch0pstyx@reddit

Nothing's perfect in IT, so no.

Reply

[-]

alcimedes@reddit

Ok. Let’s compromise. Onion cake, now everyone should be happy.

Reply

[-]

i_am_voldemort@reddit

The cake is a lie

Reply

[-]

Rocky_Mountain_Way@reddit

There is no spoon

Reply

[-]

PeacefullyFighting@reddit

Everywhere I've worked has had a bring your own phone policy. If it extends to laptops that's a different story.

Reply

[-]

Jwillett17@reddit

I’d be curious to know if the company has a user agreement at which point your own device becomes a company device when it needs to be confiscated for “investigative reasons”. *plays USSR Anthem in the background*

Reply

[-]

Turbojelly@reddit

Separate BYOD WiFi with a large disclaimer asking users to accept response nsibiliry for all security on their device. Make sure to list all the security concerns you have. This way, when shit goes sideways, it'll be slightly easier to push some of the blame on the users.

Reply

[-]

etzel1200@reddit

Just use intune MDM. Turn on reasonable policies. For android if not blocked have really draconian OS version requirements.

Reply

[-]

griphon31@reddit

If you want to make sure no one uses their on device, just make it clear that their web usage will be recorded on HRs servers to be used as a part of year end reviews.

Reply

[-]

CeruleanDragon1@reddit

I’m not going to lie to you OP. I’d quit on the spot, (no notice if things look like they won’t last 2 weeks). This whole things sounds like a shitshow that could get you sued, and if you avoid that, will not be healthy for your reputation.

Reply

[-]

drekiss@reddit

I can’t believe they let the guy that got hacked make the policies. You probably need some kind of mobile device management, where you can wipe it remotely, and prevent log on anywhere except the company device/network. We use Microsoft's Intune and conditional access. depending on your Microsoft licensing, your users may already be licensed for it. Fwiw - most cyber security insurance companies frown on BYOD policies in general, but especially without some type of access control.

Reply

[-]

bstevens615@reddit

Remind the CEO, that it violates you cyber security policy. And make sure you get it in writing so they can’t throw you under the bus when insurance denies the company’s claim.

Reply

[-]

firedrow@reddit

This is actually a very good thing to look into. I've had customers in the past who wouldn't pay for security-related items, and nothing we brought them would convince them otherwise. Lo and behold, once their Cyber Security Insurance policy says so, they can't get you to implement it fast enough.

Reply

[-]

Barabulkas@reddit

BYOD/MAM devices are more then fine practice even in big corps. We are using it for last 3-4 years. Used to provide access to corp apps on personal phone. But we have a lot of policies there.

Reply

[-]

GreekNord@reddit

usually the best way is to make people think that you're tracking everything they do on those devices, even if you're not. At an old workplace, I had an entire department refuse to download the RSA app for MFA because one of them convinced the rest of the department that this would mean the company would watch everything they did and would have access to their pictures and files. ended up having to buy hardware tokens for the entire department because they wouldn't do software MFA under any circumstances after that.

Reply

[-]

gurilagarden@reddit

This is like reading a /r/relationship_advice post where the husband writes "hey, my wife drained all our bank accounts to take a tropical vacation with her boyfriend and now she's pregnant and hooked on heroin. How do I save the marriage?"

Reply

[-]

relaxedtoday@reddit

First, I propose to document the requirement and it's source, to avoid post-incident amnesia. Give them a WiFi VLAN from which only HTTPS is allowed (especially block all Windows stuff) and optionally through a proxy. Windows passwords may remain a problem if used by any web services, so require 2FA.

Reply

[-]

truedoom@reddit

>How do I make the policy... Well, if it was me I'd be doing up my C.V. and jumping ship asap. This company is gone. The CEO is sitting in a pool filled with gasoline while playing with matches. He will burn everyone around him.

Reply

[-]

TaliesinWI@reddit

Why would the BYOD devices be anywhere but a "guest" wireless/VLAN that can only see the open internet?

Reply

[-]

Gummyrabbit@reddit

Document everything they ask you to do. If they want you to do something that is risky, email your concerns and indicate the risks of implementation to get a record. Send a copy to a personal email box.

Reply

[-]

Arts_Prodigy@reddit

You gotta start looking for another job, what’s the company name so I know to stay far away at least until this clown of a CEO gets replaced. You’re not going to want to be around if/when they get hacked not for the post mortem, or inevitable finger pointing.

Reply

[-]

random869@reddit

Can’t do much but document the risks and have him approve it..

Reply

[-]

Nosa2k@reddit

Use Citrix. Everyone logs on to a virtual interface so they inherit all your default security policies. They only difference is that they are using their personal devices. As an extra security measure set up 2FA. It is possible, as an IT professional, you should be open to possibles not stifle them.

Reply

[-]

Foodcity@reddit

Oh no, bad connection causing a poor user experience in something OP doesn't want them using in the first place /s

Reply

[-]

Foodcity@reddit

N00b here as far as cybersecurity goes, but is there anything that can be leveraged insurance-wise to force a more secure setup? I'm assuming that they probably won't allow you to read their policy of course (because shitty bosses who refuse security), but just some standardized policies maybe?

Reply

[-]

awetsasquatch@reddit

BYOD devices on their own VLAN with no access to any critical data is probably your best way to go

Reply

[-]

Themasdogtoo@reddit

Make a separate Phone/Guest Wi-Fi SSID that doesn’t have access to your local network and change the password on the main one? An I overthinking this?

Reply

[-]

daygo448@reddit

The only quick thing I can think of outside of a new job is network segmentation. Create a guest network for wireless and maybe even for wired BYOD devices. I’d lockdown servers as tight as possible and segment them via ACL’s for only ports needed. I doubt you’ll get a MDM solution, but you might be able to see about getting virtual desks, but I doubt that would happen for you as well. Behind the scenes, that’s probably your best layer of protection.

Reply

[-]

JeroenPot@reddit

If on O365, for mobile: deploy app protection policies and require a minimum OS level. For computers, require them to be Intune compliant and lock them down.

Reply

[-]

IronHitmonlee@reddit (OP)

InTune compliance is something I wanted to do slowly but effectively, that was my trump card to allow users to use their personal phones… and have Intune say no. Only 2 people have company phones (me being one of them) because company phones are terrible and they will not increase the budget for it.

Reply

[-]

FruitGuy998@reddit

This is the way, app protection policies. Open outlook and you can only copy and paste data between other work apps. Try to paste into iMessage is a no go.

Reply

[-]

JeroenPot@reddit

More important: app protection apps require re-authentication and have an extra layer of encryption!

Reply

[-]

ghosthak00@reddit

Is your company paying for byod? Most employees will not use their own device. Cough cough 5.0

Reply

[-]

Yankee_Fever@reddit

What kind of firewalls are you using. You can create an outbound any any rule that will allow byod to browse the internet. And then you can create another policy above it for "known user" essentially Id based on your credentials with your VPN client which will allow you to access whatever resources you need. If a user is not on VPN they will be able to browse freely. And when they are on VPN they can access their resources. You can also have a compliance check where the VPN client will not establish a tunnel unless you meet the requirements of the administrator. On Palo Alto they call this a HIP check

Reply

[-]

FatBoyStew@reddit

If they start doing BYOD laptops and connecting them internally to AD servers then don't even try. Even if you can't get another job -- leave now. If that is absolutely not an option then make sure you have multiple paper trails of every single piece of communication with your execs talking about this being bad and record all attempts to batten down the hatches.

Reply

[-]

midgetlotterywinner@reddit

I haven't read through all the responses, but I'll answer this question: > How do I make the policy so tight that no one will want to use a personal phone (I know some still may try without adhering to it but at least that way it’s their fault for not being complaint). You don't. The CEO fired the infosec staff...there's no executive buy-in for organization-wide security. Your workplace is hosed. If the C-level doesn't believe in security then there won't be sanctions enforced when policies are violated. Why even waste your time? (But if you want some policy templates for AUP and BYOD go ahead and DM me; I will be happy to charge your company for policies that they won't follow). Best of luck getting a new gig. It's a pretty hot market right now for people with legit skills, so you should have a plan B and C before too long with a bit of effort.

Reply

[-]

rickAUS@reddit

guest network throttled so slow people would rather use 4g/5g?

Reply

[-]

HerrowPries@reddit

I’m not trying to call you out but, are you a junior admin? “if they have viruses on their phones they can infiltrate the company?” Most companies are BYOD now in terms of phones. BYOD workstations is another story. Just get an MDM solution for the phones and make sure the appropriate networking security is in place (separated guest wireless network, firewall ACLs, etc).

Reply

[-]

BenCisco@reddit

![gif](giphy|13HxGuhPUVL5ra|downsized) You know what you need to do...

Reply

[-]

FootballLeather3085@reddit

You might wanna figure out how to do BYOD the way they want or you might be out of the JOB

Reply

[-]

pibroch@reddit

Find some line in your insurance policy that requires something specific and say it requires your BYOD security policy to have XYZ enabled. If they call bullshit, just say you were being extra cautious and find some articles that reference malware being used on a personal device to compromise company devices.

Reply

[-]

dangil@reddit

Wi-Fi vlan without access to anything

Reply

[-]

HallFS@reddit

You are wasting your precious time in this company. If possible, look for something else and quit...

Reply

[-]

Sin_of_the_Dark@reddit

Did we just find the Reddit account of the last Twitter IT employee?? In all seriousness, with the right MDM solution BYOD is definitely not end of the world. One of the biggest points you need to stick to is separate networks for BYOD devices, with no access to corporate network.

Reply

[-]

pibroch@reddit

He’s not replying with a shit emoji to every comment, so he can’t be Twitter IT.

Reply

[-]

IronHitmonlee@reddit (OP)

No Twitter have no IT staff according to my friend who fled the birds nest. Issue is time and IT peeps which they don’t want to pay for, I can’t do all of this in one day.

Reply

[-]

Sin_of_the_Dark@reddit

It was only a rib at Twitter firing pretty much all their staff, even the PR department And of course you can't do it all in one day, friend. Even Sysadmin Rambo couldn't. But what you can do is sit down and come up with a project plan to present to your boss. I would think about these things in specific: * If a user wants to take advantage of BYOD, they must meet minimum security requirements (generally, a valid commercial anti-virus at least, some places also make firewall changes) * There needs to be a specific policy for the BYOD plan and users who wish to BYOD must read and sign it, just like a WFH plan * Segregating BYOD traffic to their own VLAN (if they don't want to do this, then insist on strengthening security requirements in no. 1)

Reply

[-]

IronHitmonlee@reddit (OP)

Yea. The minimum requirements are going to be a very high bar.

Reply

[-]

ghosthak00@reddit

TWTR that broke to give me a free iPhone for work?

Reply

[-]

habitsofwaste@reddit

We have a special image for all client laptops, so any BYOD has to be wiped and we don’t allow dual booting. The wiping might be enough to dissuade most people. As for phone devices, we don’t allow them on the corp network. We have an mdm on them and they’re subject to remote wiping which can also dissuade people from using it.

Reply

[-]

TumsFestivalEveryDay@reddit

*"Say the line, /r/sysadmin!"* Find a new job.

Reply

[-]

pibroch@reddit

“YAAAAAAAAAAAAYYYYYYYYYYYYYY”

Reply

[-]

staiano@reddit

Well, to take an alternative stance, dumb policies keep IT guys employed. I agree with /u/TomBosleyExp though separate wifi for these devices and then limit what can be accessed.

Reply

[-]

TomBosleyExp@reddit

Personal devices get to connect to a segregated wifi network that has internet access, and nothing else.

Reply

[-]

GrowCanadian@reddit

My last boss was like this an no matter what you would tell him it was his way or the highway. Cover your ass and save any emails clearly stating the security risks and I’d even back them up to a personal email. Sadly this is a ticking time bomb waiting to happen so if I were you I’d brush up my resume and start shopping around for a new job. It’s not if you guys get back but more of a when. Even my secure organization has fallen to well hidden phishing emails bud luckily our systems caught it and isolated before it spread.

Reply

[-]

aptechnologist@reddit

Can't you just secure personal devices with MAM solutions?

Reply

[-]

ZaMelonZonFire@reddit

First thought is that you should put in writing your disagreement and state all your reasons why. State what you think will happen. That way you have a time stamp to point back to. Trouble is, they are the boss and you have to build what they ask. Stupid or not. I run a k12 district that is rural with almost no cell coverage. We have a separate SSID for our staff member phones. Laptops aren’t allowed. That network has client isolation, meaning they can get out to the internet and that’s it. It’s also subject to the same filtering as everyone else. As for people downloading content. That’s more of an account issue, not networking.

Reply

[-]

lost_in_life_34@reddit

I work in a secure environment and we have BYOD with a looser policy than company phones. It can be done

Reply

[-]

World-Mushroom@reddit

Make sure to email the higher-ups with your exact security concerns. Cc your personal email as well. Then let it all burn itself to the ground during to bad management.

Reply

[-]

Miserable-Winter5090@reddit

I would start with Microsoft Intune. Then I would make sure that the laptops have no connectivity to your network unless through a VDI.

Reply

[-]

cryolyte@reddit

Sounds like malicious compliance time to me. CYA and give them EVERYTHING they want.

Reply

[-]

Rocknbob69@reddit

Don't let them on the company wifi....period. At least not a LAN connection

Reply

[-]

steveinbuffalo@reddit

document it - dont leave it verbal. "Per our discussion of so and such date, we will be implementing x, y z."

Reply

[-]

Smeggtastic@reddit

Instead of chatgpt I gave BARD a go on this one "Here are some tips on how to make a BYOD policy so tight that no one will want to use a personal phone: Require employees to sign a BYOD agreement. This agreement should clearly state the terms and conditions of the policy, including what employees are and are not allowed to do with their personal devices. It should also include a clause that states that employees are responsible for any data breaches that occur as a result of their use of personal devices. Require employees to install security software on their personal devices. This software should be able to scan for malware and other security threats. It should also be able to remotely wipe data from devices if they are lost or stolen. Require employees to use strong passwords and to change them regularly. Employees should also be prohibited from sharing passwords with anyone else. Educate employees about the risks of BYOD. Employees should be made aware of the potential for data breaches and other security risks. They should also be educated about how to protect themselves and their devices. Monitor employee activity. The company should monitor employee activity on their personal devices to ensure that they are not violating the terms of the BYOD policy. This monitoring can be done through a variety of means, such as using software to track employee activity or by reviewing employee emails and text messages. By taking these steps, the company can reduce the risk of data breaches and other security incidents caused by BYOD. However, it is important to note that BYOD can never be completely risk-free. Employees should always be aware of the potential for security risks and take steps to protect themselves and their devices."

Reply

[-]

The_Wkwied@reddit

Send an email to CYA, then start looking. If you get wind of something burning, put in your immediate notice because you *KNOW* it is going to be entirely on you to fix once the ship starts to sink

Reply

[-]

hbkrules69@reddit

Is your CEO, Gavin Belson by any chance?

Reply

[-]

iwinsallthethings@reddit

Everyone is giving advice on what to do to lockdown stuff. I would agree with most everyone, but I doubt you’d be able or allowed to implement anything due to cost. If they are cutting corners, including the security team, the company may be in financial distress. My advice is put your 40 hours in doing what your boss wants done. With no ticketing system, maybe report back via email to your boss when stuff is completed. Ask via email what should be next. If your 365 license allows, I would turn on litigation hold on my mailbox. That way there is always a record of your work when something does happen. No one will likely ever know, especially if they fired the security team. If questions arise, just testing as a free security feature. Based on what you described, it’s a really quickly sinking ship. Put double effort into finding another job. You don’t want to be the fall guy.

Reply

[-]

TheCudder@reddit

That's what I'm thinking as well. Any beneficial solution requires money that the company doesn't *have* to spend.

Reply

[-]

gartral@reddit

this is not a problem you can solve. Bail out and go somewhere with a shred of sense.

Reply

[-]

Xiakit@reddit

Time to short those shares

Reply

[-]

spoitras@reddit

If you’re assuming your endpoints are “secure” you’re already looking at it incorrectly. With zero trust and assuming everything is adversarial is really how you should be thinking about it. For SOC2 you’ll need to prove every device has encryption, virus protection, etc. so devices shouldn’t be allowed on the network without. Personally I treat or corp network as a “public” network requiring bastion hosts to access any secure network.

Reply

[-]

Trevize_Demerzel@reddit

I would refer him to the afore mentioned Infosec staff (that he fired) and just look back with my Pikachu face. As a sysadmin I don't suddenly inherit some one else's job duties just cause they got fired.

Reply

[-]

PolicyArtistic8545@reddit

Phones are probably safe. Just use Microsoft authenticator which does some detections on if the device is jailbroken and on the latest OS. That should cover everything that’s not a state sponsored attack. Laptops are going to be more of a challenge. Try and make everything as browser based as possible and disable downloads. Require 100% MFA. Offer VDI that can be logged into from BYOD to still have control over the data.

Reply

[-]

Justtoclarifythisone@reddit

Start saying no via email, and ONLY accepting jobs via email. This is the only way to work with a bad boss. If he ever asks something from you ask him explicitly to send you that request with all the details of what he wants via email so you can work better, then reply with all the security concerns and the price and time it will take to move that project forwards. After working for 10 years for different really ignorant bosses i found this is the only way to remain safe and to not be hold accountable for their own mistakes. Also 8 out of 10 they will re-think the solution and wont go through with it when they see the numbers or requirements. Works like a charm. And will keep you out of their shit. I know it sounds like a TON of work, but it’s the only way they’ll learn no to ask for stupid shit.

Reply

[-]

protogenxl@reddit

Secure BYOD means virtualized desktops. Either server hosted or VM image on the machine itself. MDM for phones should be set up to forbid any app that is not pre approved, each app approval signed off by the ceo. Does the company have cyber attack insurance? If so ask them for a guidance meeting, if not Perdue getting it, their sales presentations are usually enough to scare a c level exec into full blown paranoia

Reply

[-]

zipcad@reddit

Seeing I knew the top 20 answers were going to be quit, BYOD isn’t bad. Containerize your stuff and have the ability to remote wipe or lock your logged in things. Up security a bit and get a signature and risk acceptance on your plan. You’ll be fine.

Reply

[-]

TimTimmaeh@reddit

In times of NoOps and Zero Trust, BYOD is not a problem anymore. It's like you are trusting internal employees more than contractors or partners/vendors with network access (NDA).

Reply

[-]

anomalous_cowherd@reddit

Sure, we'll get to those just after we implement IPv6 across the board.

Reply

[-]

kcaeic@reddit

Seriously, you all need to get a grip. BYOD phones with sandboxed O365 email is not going to bring down the company.

Reply

[-]

bukkithedd@reddit

As with everything in this regard: **get everything in writing at absolutely every turn!** I cannot stress that enough, but **CYOA to the absolute max.** When this shit goes mammaries up, that way you won't be caught in the blast.

Reply

[-]

emerican@reddit

Microsoft Intune makes it a lot more of a pain in the ass to get email on your phone.

Reply

[-]

TyphoidJaneDoeMary@reddit

One thing is company allowing, I'd never in a million years use my own devices for work.

Reply

[-]

Chaz042@reddit

If this is a publicly traded company they have an obligation to their shareholders to be secure. Talk to the other C-Levels if it’s not a stretch and explain the ramifications.

Reply

[-]

DeviousBeevious@reddit

I would just put all your concerns in writing, state your objections, methods of attack you can see this opening up etc. get him to sign it and state in writing that he "acknowledges and assumes all risks and wants to go ahead with it regardless." or similar.

Reply

[-]

IronHitmonlee@reddit (OP)

Yup, but I need a way to phrase it in writing so it doesn’t seem clear I want them to sign the risk for it. If I do that I will be blackmailed into being fired if I don’t sign, I’m looking for another job but in the meantime I don’t want my name on dangerous paper work.

Reply

[-]

DeviousBeevious@reddit

Why exactly is it that you think BYOD will take down the company? We operate BYOD using work profiles and it works just fine for us. you can disable things like screenshotting or copy pasting from the work profile to the personal one.

Reply

[-]

SevaraB@reddit

If publicly traded, BYOD is a SOX violation. Report to general counsel.

Reply

[-]

rxtc@reddit

Get out. That sounds like a toxic work environment.

Reply

[-]

wiz555@reddit

I'd bail before something happens and tries to pin it on the IT staff.

Reply

[-]

IronHitmonlee@reddit (OP)

I am but this is my plan B. If I leave and they get hacked they will call my name so I want to have as much evidence of me trying to save their company as I can.

Reply

[-]

wiz555@reddit

Save all your emails, including the ones warning about the security risks. If in the US and they try to blame you, you can pull those out and claim protection from retaliation per US department of labor. Remember also that if you leave and they blame you for the hack, burden of proof is on them not you. Not that ANYONE wants to get drug through the courts.

Reply

[-]

myrianthi@reddit

If you plan on staying, I would roll out conditional access policies, DLP, 2FA, and EDR antivirus asap.

Reply

[-]

DumbshitOnTheRight@reddit

>How do I make the policy so tight that no one will want to use a personal phone (I know some still may try without adhering to it but at least that way it’s their fault for not being complaint). You don't, not without the CEO's backing. Without that piece you'll have a great policy with no teeth.

Reply

[-]

warpedkev@reddit

Do you have a pure AD network, or do you leverage Azure AD at all?

Reply

[-]

IronHitmonlee@reddit (OP)

All users are on AAD we do not use traditional AD.

Reply

[-]

warpedkev@reddit

I think a chap above has just mentioned but you want to look into Purview Information Protection (formerly Azure Information Protection, thanks M$). This gives you the ability to classify and remediate access to certain data types, etc. Couple this with Date Loss Prevention and you can at least secure how your data is handled, such as locking down printing, copying and paating? Etc. I would potentially looking at your security posture as well from this move and how your insurance works especially if you're ISO or Cyber Essentials certified. Opening up holes like this might effect your current or future premiums, something which your boss might actually care about... lol!

Reply

[-]

IronHitmonlee@reddit (OP)

I’ll look into it, C-Level users will not pay more for “protection we don’t need” they have been informed years ago that “we do not presently posses the capacity to ensure: personal devices are secure and meet the cyber essentials and ISO requirements minimum requirements. Thus we will need to ensure all devices used for work activities are corporate owned devices”. I think this may have increased tensions between Infosec and IT (dubbed the police) and C-Level users. In short they don’t seem to want me to lie to our future auditors which I will never be doing.

Reply

[-]

ToShibariumandBeyond@reddit

For this, I'm assuming no CISO in the org? But for C Level Suite, change the conversation to risk appetite, and which position is accepting the risk of not meeting ISM / ISO requirements, and watch them change tact.

Reply

[-]

IronHitmonlee@reddit (OP)

There is no CISO, CTO or anything like that. I have, they are still going ahead with it. I am fearful they want me to sign it which I’ve said I will not do. I think they have convinced themselves we can meet all ISO requirements if they shout hard enough

Reply

[-]

warpedkev@reddit

I have to agree with ToShibarium above. Changed the conversation is one way of approaching this, I think you're going to have to try and be aggressive and if they're simply no receptive, you've heard everything you need to reinforce brushing up your resume. I'm a Solutions Architect and have worked with plenty of companies who give a sh*t about their security, data, risk, and compliance. Don't for people who don't work WITH you. It's not worth the stress and lack of sleep.

Reply

[-]

mnoah66@reddit

Conditional access will be your friend here. We don’t require Intune/enrollment of byod computers. Instead we use CA and lock down sharepoint/OneDrive to browser only. No sync, no download. Also no persistent sessions and re-require MFa frequently.

Reply

[-]

Ifuqaround@reddit

Policy won't stop them from 'wanting to use a personal phone.' Almost every employee I've worked with has wanted to carry their personal phone and personal phone only. They do NOT want to carry 2 phones around. I've literally never had a single employee say they actually wanted a work phone. I don't think a 'tight' policy will change that.

Reply

[-]

IronHitmonlee@reddit (OP)

Sorry for not responding to everyone my head is moving at 1000 mph with regret and the sad realisation that I’ve been conned into a job.

Reply

[-]

8008seven8008@reddit

2FA and migration to the cloud is your friend here

Reply

[-]

beetcher@reddit

Is your concern just phones? Isolate all personal phones on a guest wifi.

Reply

[-]

IronHitmonlee@reddit (OP)

A lot of people work remotely. Users won’t be able to use the main WiFi in their phones.

Reply

[-]

Murphy1138@reddit

Put together a pros and cons. Questions like, how do you ensure right now that with corporate owned phones and laptops you cover the concerns that you have? how will a BYOD be covered under that? what won’t etc.

Reply

[-]

MajStealth@reddit

kill anything not known to be used at the firewall, block anything not known at dns-level open wlan only in a seperate vlan wifi "whitelist starts now"

Reply

Reply to Post

641 Comments