Is it safe for employees to use their own devices while working from home?
It’s challenging to make sure that your newly remote team can access your business environment easily, and without inadvertently putting your company data at risk.
It helps to have a set of ‘rules’ (or a policy) in place that can be implemented and followed relatively easily, so your team knows what’s expected of them and how they can do their jobs without exposing your business to unnecessary risk.
One policy that the businesses we talk to most often struggle with is Acceptable Use, especially now that team members are working from home.
What is an Acceptable Use policy?
An Acceptable Use policy is, simply put, a framework for how employees may use your IT network and devices. It clearly sets out the rules and key processes they are expected to follow.
Most businesses will have one somewhere (though whether their staff abide by it is a different story!).
Lockdown and remote working
Lockdown and remote working have very likely introduced new risks to your company environment, so checking in on your Acceptable Use policy is a good idea now that remote working is settling into a more permanent setup.
Of course, in an ideal world all staff would only use devices provided by the organisation. You would have full control over those devices and could monitor and manage their usage fairly easily.
After all, introducing non-business assets introduces new risks.
That’s why this line is common-place in Acceptable Use policies:
‘Remote working – only company-issued devices should be used whilst working from home.’
And the following question may be familiar to some of you, especially if during lockdown you were more focused on keeping the wheels in motion and enabling some sort of operational continuity than on seemingly distant cyber threats.
Does this have to be the case? During lockdown, our staff logged into our network remotely from their own computers… Are we saying that this is not acceptable?
It’s worth taking a step back and accepting that sometimes things cannot be perfect. Now and again we have to take on new risks, for instance when working around less-than-ideal situations that are forced on us, and best practice goes out of the window. But it’s important for business owners to know when this is happening, to understand the risks it introduces, and to consider ways to mitigate them.
When an employee uses their own device, it does increase the risk to your information security. Sometimes there are extenuating circumstances that make it necessary to go outside your policy, but any such deviation needs to be documented and approved: carry out a risk assessment, put controls in place, and then have the deviation signed off. The template policy in this case is best practice, but not the only practice. If you go outside best practice, record the deviation on your risk register and look at ways to treat the risk.
Here’s a common scenario that might sound familiar
- An employee uses their own device to access your system from home
- They store confidential company data on their own device, rather than on your corporate network or designated cloud storage platform, because it’s quicker and they’re in a rush with important deadlines
- Your data is now stored outside your perimeter (and you don’t even know it)
And here are just some of the risks
- Their device may not be up to date with the latest software patches, meaning it is far more vulnerable to attack and the data could be compromised
- The data isn’t backed up, so hardware failure, damage or loss could result in that data being lost
- The data could be accessed by unapproved users, for instance if the device is shared with other members of the household
- The employee might use the device to visit websites that infect it with malware, meaning the data could be accessed or corrupted
The list goes on.
Reducing the risk
It’s advisable to identify the controlled circumstances in which deviation from best practice is permitted, and the organisational and technical controls that must be in place to reduce the risk when it happens.
An example of a technical control would be mandating VPN access and multi-factor authentication for logging into the corporate network remotely. Note that these protect the login, not the data once it has been copied to the device, so they need to be paired with controls on where data is stored.
An example of an organisational control would be ensuring you have a signed policy stating that employees are not permitted to save information on their own devices or share their device with other users.
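As an added illustration (not part of the original article, and not a tool we supply): the controls described above, written as a small Python access-decision routine. Every remote login must arrive over the VPN with MFA; a personal device is additionally allowed only under a documented, approved exception tracked on the risk register, with the signed policy, no shared use and current patches. The field names, the sample logins and the risk-register reference `RR-0042` are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RemoteLogin:
    """Facts known about one remote login attempt (assumed field names)."""
    user: str
    company_issued: bool        # device supplied and managed by the organisation
    via_vpn: bool               # session arrives through the corporate VPN
    mfa_passed: bool            # a second factor was presented at login
    # The following only matter when the device is not company-issued:
    patches_current: bool = False       # OS and software patches are up to date
    shared_device: bool = False         # other household members use the device
    aup_signed: bool = False            # signed policy: no local storage, no sharing
    exception_approved: bool = False    # deviation documented, assessed, signed off
    risk_register_id: Optional[str] = None  # risk-register entry for the deviation


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)   # why access was denied


def evaluate(login: RemoteLogin) -> Decision:
    """Apply the controls above; deny with an explicit reason for each failed control."""
    failed: List[str] = []

    # Technical controls that apply to every remote login, whatever the device
    if not login.via_vpn:
        failed.append("remote access must come through the corporate VPN")
    if not login.mfa_passed:
        failed.append("multi-factor authentication is required for remote login")

    if not login.company_issued:
        # A personal device is a deviation from best practice: it is only
        # permitted under an approved exception tracked on the risk register,
        # and only while the organisational controls are in place.
        if not (login.exception_approved and login.risk_register_id):
            failed.append("personal device without an approved exception on the risk register")
        if not login.aup_signed:
            failed.append("employee has not signed the Acceptable Use policy")
        if login.shared_device:
            failed.append("device is shared with other users")
        if not login.patches_current:
            failed.append("device is missing current software patches")

    return Decision(allow=not failed, reasons=failed)


# Constructed sample logins (hypothetical users and risk-register reference)
SAMPLE_LOGINS: Dict[str, RemoteLogin] = {
    "company_laptop": RemoteLogin("alice", company_issued=True, via_vpn=True, mfa_passed=True),
    "rushed_personal_pc": RemoteLogin("bob", company_issued=False, via_vpn=True, mfa_passed=True,
                                      patches_current=False, shared_device=True),
    "approved_personal_pc": RemoteLogin("carol", company_issued=False, via_vpn=True, mfa_passed=True,
                                        patches_current=True, shared_device=False, aup_signed=True,
                                        exception_approved=True, risk_register_id="RR-0042"),
}


def summarise() -> Dict[str, bool]:
    """Allow/deny outcome for each sample login."""
    return {name: evaluate(login).allow for name, login in SAMPLE_LOGINS.items()}


if __name__ == "__main__":
    for name, login in SAMPLE_LOGINS.items():
        decision = evaluate(login)
        print(f"{name}: {'ALLOW' if decision.allow else 'DENY'}")
        for reason in decision.reasons:
            print("  -", reason)
```

The point of returning every failed control rather than stopping at the first is that the list is exactly what goes onto the risk register when an exception is being considered: it tells you which controls the employee (or IT) must put in place before the personal device can be approved.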
It’s also worth noting that once staff understand why something is a risk, they will generally be supportive and follow the controls to protect themselves and your data. So it’s well worth taking the time to talk them through why your policies and processes exist.
Still not sure?
We’d be more than happy to talk through your current setup and make some recommendations. Just give us a call or fill out a contact form below, and we’ll get right on it.