
85 Replies

  • Yeah, I'd be concerned with the lack of communication with bringing in any outside devices.  What do your company policies say? 

    Things like this are why I created a policy for IT use.  No misunderstanding when it's in black and white.

    They do not need to know why it's not allowed, just that it's not.

    DKX

    Edit: Managers don't think of things like this:

    Each printer has network connectivity and they support firmware upgrades. If the firmware is not signed, or the signing material is compromised, or there is a vulnerability in that area, it can help an attacker push a malicious upgrade which can have a virus built in. This has happened for all digital photo frames by a company which had a virus disguised in compromised factory-shipped firmware. This compromised printer can push the virus to other computing devices in the network.
  • I would consult your company's standard operating procedures regarding non-IT-deployed equipment in your organization. Since it is likely that hasn't already been mapped out, I'm guessing, I would pass the matter up to your boss who should pass it up to theirs and so on until the lowest point of common authority is reached between your department and the employee's department. In other words, the lowest person who has official authority over both groups involved should make the call here. 

  • Slippery slope!

    When you let one person do it, where does it stop?  First a printer, next it will be laptops and tablets.  Would be a flat out no from me unless my boss (business owner) said "Do it".

  • Yup, follow the chain of command. If you are not that person to decide, politely say you need to run it by person, and get them to approve or not.

  • You could unhook the PC from the network and connect the printer via USB and she can print. I have a feeling you are going to be pressured into making this happen.

  • Ensure you have documentation showing that somebody higher up on the food chain than you has approved this and then ask them once more "Are you sure? This is considered a security risk." and CC your boss. If they're sure, then do it. If it bombs out, it's on them.

    A printer is a much smaller risk than a personal computer. If someone wanted to come in with their own PC and get it on the domain or something, we have a policy strictly forbidding that. Even if we didn't, I'd go above the approver's level to their boss and let them know what a massive security risk their staff is attempting to grace us with.

  • Suggest this.

    https://www.shutterfly.com/cards-stationery/affordable--christmas-cards

    Mention that the salaries of the people involved, not to mention the IT staff time, far exceeds the value of the product.

  • What kind of printer? A basic print-only product will be more secure than a multifunction.

  • I think the problem here is less that the printer is a security risk (even though it is) and more that IT was completely bypassed for any kind of say in what is connected to a secure network.  As mentioned above, I would check with her manager and get written or typed (email) proof that the OK was given, and then let her do it.  Anything happens, it wasn't your fault, you weren't consulted.

  • Hospital?  

    Hell to the no is the answer, the cons outweigh the pros by a long shot.  

    If they want to use their budget to have IT purchase a printer to configure for the user, that's another story but someone bringing in some unknown outside devices that may or may not have been attached to other networks is not worth the risk.  

  • straight flat out NO from me 

    but as has been stated, if it isn't in your pay grade to make the call, pass it up, and ALWAYS CYA

    I wouldn't even allow them to USB connect either, a NO MEANS NO policy has to be the best, as again, as stated, where DOES it stop :o(

  • Strange that her manager is okay with her making Christmas cards on the clock... Unless that is her job.

  • benjohnson25 wrote:

    Hospital?  

    Hell to the no is the answer, the cons outweigh the pros by a long shot.  

    If they want to use their budget to have IT purchase a printer to configure for the user, that's another story but someone bringing in some unknown outside devices that may or may not have been attached to other networks is not worth the risk.  

    With HIPAA, PII, etc. you don't want anything on your network that's employee's personal stuff.  

    How does she have a printer, but no computer at home to print it?

    What software is she using to print these cards? Was it on the approved software list?  There are a lot of things that smell bad here.

  • Why was IT bypassed? : / I'd need approval from IT before an install were to take place. 

  • essjae wrote:

    benjohnson25 wrote:

    Hospital?  

    Hell to the no is the answer, the cons outweigh the pros by a long shot.  

    If they want to use their budget to have IT purchase a printer to configure for the user, that's another story but someone bringing in some unknown outside devices that may or may not have been attached to other networks is not worth the risk.  

    With HIPAA, PII, etc. you don't want anything on your network that's employee's personal stuff.  

    How does she have a printer, but no computer at home to print it?

    What software is she using to print these cards? Was it on the approved software list?  There are a lot of things that smell bad here.

    Found out the user was not being truthful in what she told me. She isn't making holiday cards. She is just being lazy because she doesn't want to walk 10 ft to the large copier. I'm assuming she has her own personal computer at home but she needs to leave that stuff at home and not at our facility. Software-wise, nothing. I don't know where she got this idea. Nothing was approved by anyone nor was the boss okay with it; the boss was just being a pushover and didn't want to tell her no (which annoys the hell out of me).

  • I'm all for standing firm on BYOD issues, especially ones where I know I can win the battle. :-)

    However, I'd appreciate it if we can stop making up another mythical HIPAA regulation. 

  • Tylermcc wrote:

    essjae wrote:

    benjohnson25 wrote:

    Hospital?  

    Hell to the no is the answer, the cons outweigh the pros by a long shot.  

    If they want to use their budget to have IT purchase a printer to configure for the user, that's another story but someone bringing in some unknown outside devices that may or may not have been attached to other networks is not worth the risk.  

    With HIPAA, PII, etc. you don't want anything on your network that's employee's personal stuff.  

    How does she have a printer, but no computer at home to print it?

    What software is she using to print these cards? Was it on the approved software list?  There are a lot of things that smell bad here.

    Found out the user was not being truthful in what she told me. She isn't making holiday cards. She is just being lazy because she doesn't want to walk 10 ft to the large copier. I'm assuming she has her own personal computer at home but she needs to leave that stuff at home and not at our facility. Software-wise, nothing. I don't know where she got this idea. Nothing was approved by anyone nor was the boss okay with it; the boss was just being a pushover and didn't want to tell her no (which annoys the hell out of me).

    Ah, yes. The old House maxim, "Everybody lies."

    That immediately becomes suspect for me and would leave me with exceedingly little desire to forgive any subverting of IT. If it's an emergency situation that requires a quick and temporary fix, I might be willing to help to a degree, but along with passing this up the chain to get direction from the higher-ups, I would be sending this along with a note that the user has been misleading about the purpose of this device, that the device is unnecessary (unless she cannot walk the 10 feet due to medical reasons or the time it takes her to walk the 10 feet results in a significant loss of time to the company), and that this is an attempt to introduce shadow IT into the organization.

  • From what you have written you must have policies in place about this, since she was trying to bypass or get one over on the Boss. Whilst her actions are bad they raise an interesting issue in that she may be able to improve her efficiency by having a more handy printer. Since it is for personal work use then it should use the USB interface and would need your sanction for use. Rather than fight such introduction of equipment and drive it undercover, why not have a policy that allows it provided you have oversight of it. 

  • Hand the person a USB A to B cable and then walk away. 

  • "Why do you need to connect the printer to the network? WHY?" 

    Ask them those two questions in a row. Then, no matter what they say, answer with: 

    "That is not only a security risk according to the Acceptable Use Policy that you signed, but you can print at home. Or you can plug directly into the printer and print. I don't want any hospital equipment plugged in to or connected to an unknown device."

    If you're feeling particularly sassy, add:

    "Why were we not asked about this? Would have saved you the trouble of bringing it in, cause you have to take it back now."

    Honestly... some people man. Will call us for something totally unrelated to us, but neglect to fill us in on potential breaches.

  • I might be the odd duck here but how did this get approved?  If I were this person's boss I would be wondering why on earth you want to bring a printer from home to the office... to print holiday cards.  I have to assume that these cards are for part of her job, like the amazing holiday cards that Spiceworks send out.  If not, well that opens a ton of additional questions like what on earth makes you think you can print them here while on the job, rather than printing them at home?  Are they made already?  If not, are you billing me time to make your holiday cards?

    So let's assume that these are for her job or she should be unemployed... how is she doing her job without a printer?  Why doesn't she send the file to IT and ask IT to print it?  Surely IT has access to more print devices than she does?  But maybe she has some special perforated paper that requires a cheap desktop print device?  Well these pages are expensive, and if the cards are for work, who is approving all this?

    At this point, you have spent more time and money thinking about this problem than it would have cost her to print the cards on vistaprint or something.  Send her a link and tell her that they can have cards delivered in a couple days.  #WinForIT #EliminatingIOT

  • SlottyBotfast wrote:

    Hand the person a USB A to B cable and then walk away. 

    This can still be a huge security risk with some print devices.

  • Let the IT Manager deal with it.  I wouldn't do it without something in writing from IT Manager because of HIPAA/PHI risks.  In my shop something like this would have to be vetted first by Security and Privacy Officers and we're SMB, let alone a HOSPITAL... yikes

  • Show them the "The Wolf" videos from HP  

  • I would explain both the security risks as well as the support concerns associated with allowing non agency hardware to be not just used at work but connected to the agency network.

  • Hospital network. The answer is NO.

  • Beyond the hardware itself, what type of software did they plan to install to make all these cards, anyway?

    I guess I'm lucky to be in the type of environment to just be able to say "Yeah, NEVER gonna happen." and it be a perfectly acceptable answer.

  • Tylermcc wrote:

    essjae wrote:

    benjohnson25 wrote:

    Hospital?  

    Hell to the no is the answer, the cons outweigh the pros by a long shot.  

    If they want to use their budget to have IT purchase a printer to configure for the user, that's another story but someone bringing in some unknown outside devices that may or may not have been attached to other networks is not worth the risk.  

    With HIPAA, PII, etc. you don't want anything on your network that's employee's personal stuff.  

    How does she have a printer, but no computer at home to print it?

    What software is she using to print these cards? Was it on the approved software list?  There are a lot of things that smell bad here.

    Found out the user was not being truthful in what she told me. She isn't making holiday cards. She is just being lazy because she doesn't want to walk 10 ft to the large copier. I'm assuming she has her own personal computer at home but she needs to leave that stuff at home and not at our facility. Software-wise, nothing. I don't know where she got this idea. Nothing was approved by anyone nor was the boss okay with it; the boss was just being a pushover and didn't want to tell her no (which annoys the hell out of me).

    This would be a 100% no go in most medical settings.  The printer is likely not secure and anyone who can get on that staff's PC could print a cornucopia of private medical records and walk off with them without anyone ever knowing.  Your organization could lose accreditation over something like that at audit time

  • This is unacceptable. This does show a breakdown of upholding policy or lack of policy. The bad part - you are placed in the position in the middle. Is there an IT Manager or Director you could bring this to who would defend your position?

  • Denis Kelley wrote:

    Yup, follow the chain of command. If you are not that person to decide, politely say you need to run it by person, and get them to approve or not.

    In my organization they cannot proceed with this without approval from my manager and their manager. I would bring it to my manager. If they need a printer we provide it if it has to connect to the network. If not we let them know what they should purchase. That way we know what they are getting since we will end up having to support it anyway. A personal printer is a no no.

  • There should be a written policy dealing with the use of personal equipment and software. If such a policy does not exist one should be quickly prepared. Ultimately it is up to the senior IT manager and HR to enforce said policy. 

    In a HIPAA or ITAR environment the use of personal equipment should not be allowed. But it should ultimately be enforced by management.

  • Bringing in a printer from home? It's hard to even fathom why someone would want to do that. But the idea was pitched and approved by a manager. The fact that IT is the last to know is not new. They should have known better. But that's another discussion.

    The IT manager needs to make the call on this one. Chances are there will be some work-around to make this happen. It really depends on how much influence the manager has with higher ups and how important their Christmas Card project is.

    To be safe I would offer hooking this printer to some off the network PC via USB cable and let them print from there.

  • Tom6018 wrote:

    This is unacceptable. This does show a breakdown of upholding policy or lack of policy. The bad part - you are placed in the position in the middle. Is there an IT Manager or Director you could bring this to who would defend your position?

    Made sure to verify with my supervisor, who was never asked about the said printer. He shot it down. Per our policies, all devices and software must be verified and installed by IT Department.

  • I would and have told some of our staff no to personal laptops and printers on the network. I had to explain to a maintenance friend of mine that I am not allowing him to attach his laptop to the network just to print files off. He didn't see any risk in it and told me I've never been hacked because of the 76mb firewall he has (it's Windows 10 with no firewall (other than the built-in one) and has video games installed). I was like yeah that makes zero sense, nothing like that exists and, still no. He tried to go to my boss who told him f*** no.

  • "Nope" with a side of "no way jose". Like others have said, slippery slope and policies!

  • Definitely a no! It's easy for users to understand the risk of bringing their own device onto a network as they see the security implications. What people don't understand are the security risks of printers on a network. If it's connected to a network and gives malicious individuals a way in, they'll find it. I think that it's a good thing this was caught before they did some serious damage though!

  • Wow, so she lied about wanting the printer in the first place. The answer here would be no even if it wasn't a lie. For one thing it's a consumer printer which you know is crap, they all are. Drivers and firmware are terrible, full of bloatware and prone to virus infection. And the minute that POS quits working you will be expected to support it. It's probably ink jet too, even worse. Consumer devices have no place in any business, let alone a hospital's enterprise network. That user and her printer need kicked out the door.

  • I would refer this back to management detailing the security risks involved, lack of communication and no approval from IT. It seems the management team(s) could benefit from ITIL training?

  • I haven't read through all the responses and this may have been suggested already. Set up a workstation connected to her super-duper printer and let her get on with it. Taking her own PC off the network and attaching her printer to it may still leave confidential information at risk. If she needs to take any data from her work PC this should be vetted by IT prior to printing.

  • Big no no, printers can be hacked too!

  • Hacked to play doom as well! :P

    Doom on Canon printer

  • Yes, let's connect that printer, which will bypass the print monitoring software so you can print confidential information and take it home. Your manager should know better.

    NO, NO, NO for a host of reasons already mentioned.

  • Special monitor ok. Favorite keyboard and mouse, ok. Phone charger, why not? Network connected printer NFW!

  • Obviously this would be a hard NO, and after that it's for management to sort out.  Being a hospital I am sure you have policies and procedures in place to address this.  Trust but verify.  Never take the user's word.  Always in writing from management.

  • I've been asked to do this sort of thing multiple times in Education. Staff wanting to bring in their own kit to connect to my network, I always say no. If you let one go, it's Pandora's box.

    If there's a legitimate need for something, they can request it from Finance and one can be sourced by IT and installed by IT. Annoys me no end when people just turn up with stuff, plug it into a live network socket and expect it to work like it does at home (0)_(o)

  • You mentioned that a whole lot of rationalising of devices had gone in. Lots of absolutely correct advice on here but playing devil's advocate, was she consulted about printer removal and have you asked her why she feels the need to do this - you say laziness but maybe there is a valid reason, however unlikely.

    There seems to be a lot of talking around the subject, talking to managers and supervisors going on, half truths being told etc. Why not go and ask them in a professional manner why they felt they needed to bring their own printer in. Right now it seems you are seeking advice from folks on the internet, knowing there is no management support for her actions, when you could just have a conversation with the user.

  • In no way, shape or form should any outside hardware/software be allowed in a hospital, medical or life science environment. This not only poses as a security risk but as a HIPAA violation and you could get hit on an audit for stuff like that. I'm almost positive any company would rather deal with 1 upset employee over paying out an audit fine in the future.

    I always tell people unless it has been supplied by the company I can't touch it or support it because it poses as a liability for me. 

  • ajt35 wrote:

    I've been asked to do this sort of thing multiple times in Education. Staff wanting to bring in their own kit to connect to my network, I always say no. If you let one go, it's Pandora's box.

    If there's a legitimate need for something, they can request it from Finance and one can be sourced by IT and installed by IT. Annoys me no end when people just turn up with stuff, plug it into a live network socket and expect it to work like it does at home (0)_(o)

    Same here. If there's a legitimate use, we'll make the purchase. As much as I try to explain, they don't seem to understand the difference between a home network (well, not like a Spicehead's home network), and a corporate network. My favorite is "What's the wifi password?" Uh, there is none. "But I can see the wifi, what's the password?" That's not how it works here. :)

    Hard no on any personal equipment connected to the network, computers, projectors, etc. If you want to bring in your laptop and just use it standalone, fine.

  • Um....no. Not to mention should she be printing Christmas cards at work on company time? And why would anybody give her the go ahead to do that, let alone bring in personal equipment?

  • I agree with the boss and system admin. If it's not provided by IT then it's not supported by IT.
