An increasing trend is for companies to allow employees to “bring your own device” (BYOD) to work. This, along with an increase in remote workers and virtual offices, has led to more and more instances where employees are using their personal computers as their work machines. While this can be more convenient for the employee, and (debatably) cheaper for you, the employer, there are a number of new issues that should be considered before adopting this strategy:
- Who is going to have access to the machine? Often use of a personal device is shared with family and friends. If that personal device is storing your data and credentials, how do you ensure that anyone else who uses that device doesn’t also gain that same access to your company data?
- How will you enforce security restrictions? How will you monitor and control what software is installed on the machine, and ensure that every user account (even those of non-employees) is protected by a strong password that abides by your company policy?
- Who has administrative rights on the machine? Limiting user privileges is an effective security measure and is strongly encouraged. If you take away their administrative rights, how do you explain to them that they are not allowed to have administrative control over their own computer? If you allow them to have those rights, they can create users, install software, and make any configuration change without your knowledge. How do you reconcile the inevitable vulnerability this creates in your technology environment?
- What happens if the user’s personal use of the device leads to a breach? The user may download a game that turns out to be spyware or malware, or they may lose the device while taking it on vacation with them. How is the investigation handled and who is liable?
- What happens when the machine suffers performance issues or malfunctions? Who is responsible for getting the machine fixed, and who foots the bill? How much more will it cost for your IT staff to diagnose and troubleshoot a personal device versus a company device that is maintained within a strict approved configuration?
- Will the machine be managed or unmanaged? Management means that you and/or your IT vendor have full access to the machine, including all data and histories. If the device is managed, is the employee aware of the full implications of what this means for their privacy?
- Is use of personal devices for work purposes a compliance violation? If the device could in any way be used to access PII, PHI, or PCI data, the simple fact that the device is outside of your facility, is not owned by you, and is beyond your ability to completely secure and control could be an irreconcilable violation of your company’s compliance obligations, putting the entire business at risk. Especially if you are subject to PCI-DSS or HIPAA, this is something worth looking into.
- How do you ensure the physical security of the device? Your place of business has controlled physical access, maybe even alarm systems and cameras; how do you ensure that same level of physical security for a device in someone’s home?
- What happens when the employee no longer works for you? Since you don’t own the device, how do you ensure that all of your data has been securely wiped from the device following a separation?
- How do you properly monitor your employee’s activity without violating the personal privacy of the employee and their family? Many organizations log all websites visited, log usage of different applications, and even allow their IT staff to remotely access the machine 24/7. If you continue this mandate on the employee’s own device, how do you deal with the possibility of an inadvertent privacy violation?
- Is your Information Security Policy properly developed to handle this kind of situation? If a personal device is used, at minimum there should be written agreements with the employee (ideally part of an overall Information Security Policy) that lay out strict ground rules. Some examples:
  - Nobody else should know the password for the computer aside from those authorized in the information security policy.
  - The employee must immediately report any known or suspected theft, loss, compromise, suspicious behavior of the device, etc.
  - The device should be required to use full disk encryption.
  - All work should be done exclusively on that machine, and no data can be transferred to any other device or printed in physical form unless done so within the bounds of the policy.
- If you prohibit employees from using their personal computers for work purposes and instead issue them all corporate devices, what about their mobile devices? Oftentimes the benefits of adding corporate email to personal mobile devices outweigh the downsides, but the downsides still exist. If your organization is flexible about certain types of access to certain resources, is this all clearly defined and communicated to your employees?
These are just some of the common questions and issues that we discuss with clients when they are considering a BYOD program at their business. In reality, the variables and concerns are unique for every business, which is why it is so important to consult with someone who can help you approach this decision in a way that suits your business.
The NorthSky Technology team includes experts with veteran experience serving as CTO overseeing information security for a variety of small and midsized companies. We have been through decisions like this before and can provide a valuable technology and security perspective that takes into account the realities of your business.
As a Managed IT and Security services client, you have access to these strategic resources whenever you need them. Our perspective, knowledge, and experience ensure that you understand the full picture before you make a decision. We can help with policy development and strategic planning, and connect you to trusted partners when the conversation goes outside our areas of expertise.
For more information on becoming a Managed IT services client, please contact us today!