Are you or your employees using a personal laptop, mobile or tablet for work? Recognising the threats this can pose to your business helps you introduce the policies and practices that mitigate these risks.
Whilst many of us have been working from home for years, it now seems everyone’s doing it. It’s finally justified, mainstream, and no one puts inverted comma air fingers up around ‘working from home’ anymore.
Throughout the Coronavirus pandemic, even more of the workforce are not in their usual workplace and are instead following Government guidelines to work from home, or from a combination of work and home. As a result, even more employees are using their own laptop, tablet or phone for work purposes whilst enjoying the extra degree of flexibility home working provides.
A serious issue to flag up for all those businesses that allow employees to use personal equipment for work purposes is that it exposes your business to a multitude of security and privacy risks.
By allowing remote access to your company through devices that you do not control (non-company-owned computers and phones, or “home devices”) you increase the risk of your information on your employees’ devices being used by someone for purposes you may not authorise or agree to. Company information could be copied, modified, transferred to your competitors or just made public. Yes, imagine that confidential trade secret out there on the web...
A home worker’s computer may gain access to your company network and communications, or those of a client, which could inadvertently result in a data protection violation. While working on your own computer, it is possible that a social media app, recently downloaded or already active, could vacuum up the work contact database, sharing identifiable information of clients which, by law, would need client consent before being passed on to a third party.
Another very plausible scenario is that the owner of the computer may innocently install apps from unsavoury or insecure sources without realising the risks. This could make your company files vulnerable to attacks from malware. Even failing to update (patch) a device can leave it open to security threats.
The owner of the computer, your employee, may leave their device lying around unsecured (after all, they are at home). They may allow friends and family to use it. What happens if the device gets lost or stolen?
How do you control the contents of, and access to, a private device if your employee leaves your company? How will you ensure your information is erased? What if your employee sells their device with your company information still accessible? How are you to know where this device even is? Sadly, these are all very real scenarios which have led to security incidents.
If this is all news to you, and very worrying news, there are simple things you can do to take back control and protect your company information.
The easiest thing you can do is write and enforce a Bring Your Own Device (BYOD) policy. This does not have to be a complicated document and here are some suggestions as to what could be included in the policy:
BRING YOUR OWN DEVICE POLICY
- Any device being used for company business must be supported by the manufacturer.
- All security updates must be installed within 14 days.
- The device must automatically lock when not in use.
- The device must have an 8-digit or longer PIN/passcode (use a biometric as well, if available).
- The device must be encrypted.
- Apps should only be installed from the manufacturer’s official app store.
- An anti-malware app should be installed.
- Unused apps should be uninstalled.
- If lost or stolen, it must be reported to the business promptly.
- Rooting or jailbreaking is not permitted.
- A remote erase and tracking app must be installed and activated, so you can track a lost device, lock access and erase data.
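A policy like this is only as good as your ability to tell which devices actually meet it before they connect. The following is an added example, not IASME’s code or any MDM product’s: it encodes the rules above as an automated check over device records, where the record fields, the sample inventory and the audit date are constructed assumptions.

```python
# Added example (not IASME's or any MDM product's code): the BYOD rules above as an automated check over a constructed record layout.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PATCH_DEADLINE_DAYS = 14  # "All security updates must be installed within 14 days."
MIN_PIN_LENGTH = 8        # "an 8-digit or longer PIN/passcode"

@dataclass
class DeviceRecord:
    owner: str
    vendor_supported: bool                # still receives manufacturer updates
    oldest_pending_patch: Optional[date]  # release date of the oldest uninstalled security update
    auto_lock: bool
    pin_length: int                       # store only the length, never the PIN itself
    encrypted: bool
    anti_malware: bool
    rooted_or_jailbroken: bool
    remote_wipe_enabled: bool

# Each rule is a predicate that must hold, paired with the message reported when it does not.
RULES = [
    (lambda d: d.vendor_supported, "device no longer supported by manufacturer"),
    (lambda d: d.auto_lock, "automatic lock disabled"),
    (lambda d: d.pin_length >= MIN_PIN_LENGTH, f"PIN/passcode shorter than {MIN_PIN_LENGTH} characters"),
    (lambda d: d.encrypted, "storage not encrypted"),
    (lambda d: d.anti_malware, "no anti-malware app installed"),
    (lambda d: not d.rooted_or_jailbroken, "device is rooted or jailbroken"),
    (lambda d: d.remote_wipe_enabled, "remote erase/tracking not activated"),
]

def check_device(dev: DeviceRecord, today: date) -> List[str]:
    """Return the policy rules the device violates; an empty list means it may connect."""
    failures = [msg for ok, msg in RULES if not ok(dev)]
    if dev.oldest_pending_patch is not None:
        age = (today - dev.oldest_pending_patch).days
        if age > PATCH_DEADLINE_DAYS:  # exactly 14 days is still within policy
            failures.append(f"security update outstanding for {age} days (limit {PATCH_DEADLINE_DAYS})")
    return failures

# Constructed sample inventory (not real devices or people).
SAMPLE_INVENTORY = [
    DeviceRecord("alice", True, None, True, 8, True, True, False, True),
    DeviceRecord("bob", True, date(2020, 6, 1), True, 6, True, False, False, True),
    DeviceRecord("carol", False, date(2020, 6, 25), False, 10, False, True, True, False),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:  # audit date is constructed too
        print(dev.owner, check_device(dev, date(2020, 7, 1)) or "COMPLIANT")
```

The result of `check_device` is what an access decision would key on: an empty list means the device is within policy, anything else is the list of reasons to refuse it and to feed back to the owner.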
For further risk reduction you could look at:
- Container Apps or Managed Apps
- Mobile Device Management software (MDM), which allows you to monitor, manage, and secure employees’ mobile devices. This gives you full control but comes at a price!
So, before allowing private computers and phones to access your company information, be aware of the hidden costs (subscription, updates, limitations) and risks around your data and make a balanced judgement. If this is a subject you need support with, seek advice from an independent IT security service company. IASME has a UK-wide network of Certification Bodies, many of whom are IT service providers who can support you.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Strict laws determine how you store people’s contact details and personal information.
Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware.
Bring Your Own Device (BYOD) is a widespread term for when a company allows employees to use their own laptops, tablets or phones for work purposes.
Biometrics are unique identifiers such as fingerprints, face, iris and/or voice, already being used instead of passwords to make human identity authentication a bit more secure.
To encrypt your device means that every time you power your device on, you’ll need either a numeric pin or password to decrypt the device. An encrypted device is far more secure than an unencrypted one. When encrypted, the only way to get into the phone is with the encryption key.
Jailbreaking is the process of removing the limitations put in place by a device’s manufacturer. Jailbreaking is generally performed on Apple iOS devices, such as the iPhone or iPad. Jailbreaking removes the restrictions Apple puts in place, allowing you to install third-party software from outside the app store. Essentially, jailbreaking allows you to use software that Apple doesn’t approve.
Rooting is the process of gaining “root access” to a device. It is similar to jailbreaking, but is generally performed on Android devices.