Employees Using Work-Issued Devices for Personal Reasons
It should be common sense at this point: employees using work-issued devices for personal reasons are a cybersecurity nightmare.
Issuing work devices like a sleek new PC or the latest model cell phone is a great thing for your employees but can be a bad thing for your business. From the moment the devices leave your sight, you rely on your employees to do the right thing.
Or do you?
Increasingly, employers aren’t just trusting their workers to do the right thing. They are monitoring employees’ activities while on these devices. In fact, an estimated 80% of employers monitor their employees’ online activities such as social media, online browsing, and checking personal email. This number has increased significantly from the late 1990s, when only 35% of employees were monitored on work devices. Within that 80% of active employee monitoring, 55% included looking at emails, 76% checked browsing habits, and half looked at computer files on devices.
Why Such a Drastic Increase in Employee Monitoring?
Employees using work-issued devices for personal reasons is nothing new, but it can have unseen consequences for your workforce.
The biggest reason employers give for monitoring employees’ use of work-related devices is to increase productivity.
It’s far too easy for your employees to get distracted by checking social media and personal email or checking personal text messages on a company-issued phone. Other activities, such as browsing and shopping online, are real productivity-killers.
Employees Using Work-Issued Devices for Personal Reasons Increase Security Risks
It’s a well-known fact that employees are inadvertently the number one security risk your company faces, even when they are using work-issued devices appropriately. When you consider the added risks of employees browsing unsafe sites, clicking malicious links in personal emails, or following suspicious Facebook page links, it’s easy to see how these risks spiral out of control.
Stay Safe: Employees Using Work-Issued Devices for Personal Reasons is Not Permitted
There are a few ways to make sure your employees are using their work devices appropriately. A combination of the following two measures can pretty much ensure that employees stop using work-issued devices for personal reasons.
Cybersecurity Awareness Training
Every employee who has access to your network, from the janitor to the CEO, needs to take a cybersecurity awareness training class.
To be effective, the training should cover email safety, how malware spreads across the network, password security, and some common red flags of a malware infection.
In addition, your employees need to know what to do if they suspect they have been infected, from isolating their device to notifying the IT department.
Whether your employees have been with the company for ten years or ten hours, cybersecurity awareness training must be a core part of your company culture from onboarding to routine refresher classes.
Acceptable Use Policy
Drafting an acceptable use policy is the key to outlining what your employees can do with work-issued devices, and what they are not permitted to do. It will cover employees using work-issued devices for personal reasons in depth.
An acceptable use policy also notifies the employee that internet habits may be monitored, and that anything they do on work-issued equipment can be retrieved for any reason.
Conversely, an acceptable use policy can also cover employees using personal devices for work.
This policy can be drafted with your internal IT department or a trusted MSP.
It’s important to have the employee physically sign two hard copies. One copy will be kept in the employee file, while the other will be given to the employee. If a breach should happen, this policy is a key factor in determining and limiting your business’ liability.
How to Talk About Security with Your Employees
It’s important for your team to understand that employees using work-issued devices for personal reasons not only endangers the network, it places their own identities at risk as well.
Some helpful tips to tell your employees include:
1. No Side Jobs on Work-Issued Devices
Some employees may use their work devices for freelancing and side gigs. Office equipment is generally faster and better equipped than home devices, making side gigs far easier to do on work devices.
This is a potential vulnerability for your network. For one thing, hackers target files, sites and applications that are commonly used for freelancing. If one of these is compromised, hackers can access work files stored on the employee’s computer, or in the network itself.
A second reason to prohibit freelance work on company-issued devices is that your network security weakens if the devices are used outside of the office. Remember that a VPN is only effective if the employee uses it for all internet connections, not just your company files and documents. Your employee may use his personal network connections on his work-issued device, opening the equipment up for hacking.
2. Leave the Personal Emails Alone
Remember that 92% of all malware attacks are launched via poor email practices.
Obviously, your work email has protections in place, but commonly used personal email sites are playgrounds for cybercriminals.
People seldom have the same levels of protection on personal emails as your business has for work-related emails.
3. Don’t Save Personal Passwords on Company Devices
It’s common to save passwords on computers. It’s far easier to track passwords on a device than trying to remember them all.
These personal passwords are a hacker’s dream come true. Network analyzers and key-loggers routinely monitor private information, including email sites and passwords. This makes tracking the employee easier, and it won’t matter what device they are on; saving personal passwords places your network and the employee himself in danger of data breaches.
4. Personal Data Storage on Work-Issued Devices Isn’t Permitted
Many employees don’t think twice about storing personal files, photos, videos, saved internet site addresses, passwords and more in folders on their work-issued devices.
Storing personal data on a work-issued device is another vulnerability for hackers. Remember that if an employee saves an infected file, your entire network is at risk.
It’s important that office computers store no more information than is necessary, to reduce a hacker’s “treasure” when infiltrating the device. Less storage also means fewer breaches and fewer chances for hackers to launch malware into your network and devices.
5. Never Use Work-Issued Devices to Access Financial Information
Hackers are especially vigilant for online activity that involves financial information. Employees using work-issued devices for personal reasons often log in to bank accounts or PayPal, and don’t think twice about providing credit card information when shopping online.
If your employees are saving financial information, logging in to bank accounts, transferring money, or providing credit card information online, they are putting their own financial data at risk as well as your network security.
Employees Using Work-Issued Devices for Personal Reasons: The Takeaway
Remember that you are within your rights as an employer to monitor your employees’ online activities while they are using work-issued devices if you inform them that you are doing so. The best way to inform them is by having them sign an acceptable use policy clearly outlining expectations while using your equipment.
Many times, the acceptable use policy is enough to stop the trend of employees using work-issued devices for personal reasons.