Personal Devices – Are Used for Work by Both Remote and On-site Employees… a Lot
It’s no surprise that more people than ever before are bringing their personal devices into work in 2017 and, unless you’re a bank or a government agency, you’re most likely not stopping your employees from this behavior. You want to keep your employees happy, inspired, and productive, making it as easy as possible for them to get their work done while staying connected to their family and friends.
There are, of course, major security risks that you must defend your organization against now that this practice has multiplied your attack surface by the hundreds, if not thousands. Let’s talk a bit more about the changes that have happened in recent years in order to grasp the challenges presented by our ever-changing work environment.
The Shift From Corporate-Issued Devices to Personal Devices
A recent Gartner survey found that only 23 percent of employees surveyed had corporate-issued smartphones. The trend from only a decade ago of executives, and some employees, being given a corporate mobile device (phone or tablet) along with their work laptop or PC has taken a swift nose dive.
But, of course, that doesn’t mean employees just aren’t using mobile devices at work – in fact, that number has skyrocketed in recent years due to BYOD policies being relaxed.
Nearly eighty percent of employees bring their personal mobile device to work. You know that guy at your office who’s super into that silly strategy gaming app? He’s probably not paying much attention to the rights that application has on his device or the legitimacy of its developer. Maybe that sales professional in your organization who’s on the road 90% of her life accesses her corporate email from an old Samsung smartphone, with no idea of the security risks older devices inherently carry.
How Can We Protect Ourselves Against Potential Threats Without Banning Employee Personal Devices?
We can’t expect end-users to care about security as much as security professionals, of course, though training is always encouraged. Most employees, if they do have some cybersecurity awareness, believe that they’re only posing a risk to their own data by using outdated or unpatched devices, and would never consider themselves as “carrying the keys to their employer kingdom” in their pockets.
The onus is on us as an industry to help protect our companies against risky employee behavior that can allow attackers and malware to gain access to our corporate networks. Luckily, many modern security tools offer enterprise-grade security that’s so easy to use and manage that it can now be issued to every employee.
In 2017, most of the workforce is so comfortable using mobile tools and applications that they can quickly adapt to using new security processes, like two-factor authentication and single sign-on applications. Will they love it? No. But these basic security tools protect against so many threats for such minimal effort on your employees’ part that it’s hard to list any real arguments against them.
On home PCs and laptops, enterprise-level antivirus is now available that can be easily managed by security teams back in the corporate office, without bogging down employee systems or requiring a large learning curve.
An Open, Honest Discussion With Employees About Cybersecurity and Privacy
Most hurdles for onboarding these security solutions with employees can be dealt with by simply educating your staff about the potential threats their personal devices can open up their company to. They should know why it’s important that they agree to make at least minimal efforts to help protect their company.
When onboarding new security tools, it’s also a great idea to send a very clear message to your internal team about protecting their own privacy and to be extremely transparent that their company is not using these tools to spy on employee activity, emails, website traffic, etc.
Reassure them that the company has no rights to do things like read their personal emails or access personal photos on their smartphone. Be very transparent, though, about what you do have access to, and explain clearly why you need access to that data and what an attacker could do with it to potentially victimize the company, its reputation, its clients/customers, etc.
Take the opportunity to remind employees that corporate-owned devices are not personal devices and should never be treated as such. While company IT policy may permit lower-risk activity such as checking personal emails or accessing Facebook on their ‘work’ laptop, employees shuld be made aware that risky behaviors such as installing unlicensed third party software or downloading movies and music from torrent sites (which are typically riddled with malware) should not be permitted due to the high level of risk this poses to your company.
Typically, employee backlash or non-adoption/ circumvention of security tools is based on the suspicion that their employer will have more access to their personal data than they are comfortable with. Overall, being honest and transparent about what you have access to and why you must have access to it, protects both the company and the employee.