is it a bad idea to let my staff use their own machine?
It’s not about trusting your staff
We always explain to clients that allowing staff to use their own computer, or home device for accessing work systems is strongly against our recommendation.
Often a client will say, ‘it’s okay, I trust my staff’, or ‘it’s fine, they have anti virus’ – but, the worry about allowing a non-business owned piece of equipment access to your business data, is a much wider concern than trust or anti-virus software.
You cannot manage that device, you do not know what is already installed, or will be installed on that device, not just by your staff member, but by their partner, or their children. You cannot govern how up to date the operating system or software is on the machine.
And, what happens when the staff member leaves your employment, or no longer needs access using that device, you cannot manage deletion of data which is downloaded to the machine, accidentally or on purpose, you cannot seize the machine, verify the content or check its health, you are without any control.
It might be more expensive to provide machines, tablets or phones, but beyond any doubt, it is safer and easier to manage.
What are the risks to my business?
Read on to understand in more detail the risks of staff using their own devices in your business;
Businesses who allow staff to bring their own devices (BYOD) to their roles, will be adding significant complexity to their business IT security. Using a home device to access company data will be bringing a list of vulnerabilities to the office systems.
Business owned devices which are managed through centralised administration allow continuity and consistency across the entire organisation. This means certification of security controls is as straightforward as possible, where BYOD, home machines complicate this, making security controls challenging.
There are significant risks to your business such as;
-
Lack of encryption, home machines rarely employ encrypted drives, meaning theft of the machine will expose business data
-
Lack of passworded user accounts – often home machines do not utilise passwords, let alone suitable passwords
-
Privileged user accounts – users rarely restrict accounts, which means that not only that any software can be installed, but that viruses can infect machines quickly and easily
-
No software firewalls installed – often home machines do not activate firewalls
-
Easier loss of data, such as downloading items locally to machines, not storing information on central servers
-
Higher potential accidental data loss, such as sharing devices with family members and lack of backups
-
Device health consideration, will a home device have suitable operating system updates and security patches installed & continued monitoring
-
Likelihood of unsupported or out of date applications, as software becomes end of life making known security vulnerabilities high risk
-
Lack of knowledge on device previous life history, meaning machines could hold viruses, keyloggers or malicious software
-
Additional exposure due to user’s managing devices in a personal context – meaning user’s share account & password details between family members
-
Reluctance to report breaches, or vulnerabilities – meaning home users may not know their family has created, or found a data breach and are likely to be reluctant to report to your business
Obtaining the nationally recognised Cyber Essentials certificate for your business will rely on all your devices being correctly protected and updated, along with all user accounts being secured and firewalls enabled, which will mean that any BYOD will compromise this requirement.
It is recommended a full risk assessment is made to calculate the risk to the business and security of all systems and data by allowing home devices of any kind (ie. including tablets and mobile phones). Details can be found on the National Cyber Security Centre’s website
Therefore, we do not recommend that any business allows its staff to access business systems using a home device. The only exception is for personal mobile phones which are allowed to access 2 Factor Authentication codes, which will in turn allow access to systems.