Should employees be allowed to bring their own devices into the workplace and connect them to the corporate network? There are mixed views on this, and the key point is to carefully consider the advantages and disadvantages, and then define corporate policy. Personal devices in the workplace are a high risk, and IT departments would have no control over the content of such devices.
- It could result in theft of data by an employee. As company data is likely to be needed on personal devices in order for employees to undertake their role within the organisation, use of the data for other purposes is a straightforward next step. The presence of company data on a personal device could easily be considered plausible, and if the data was used for other purposes, evidence is unlikely to be available due to the lack of monitoring.
- It would be difficult to verify that corporate data on personal devices has been removed when employees leave the organisation. Backup copies could be available in remote storage areas such as Dropbox, Google Drive and OneDrive. If data has been deleted, it could be restored using recovery tools, as a file is never truly deleted until the file data has been overwritten with other files or securely deleted.
- If companies allow employees to have data on their own devices, they generally have much less control over the data than if it was on file servers within the organisation. It is difficult to maintain an inventory of sensitive information within an organisation if it extends to personal devices. Using personal devices within a corporate environment also introduces risks associated with malware.
- Software compatibility could become an issue. In many cases, versions of software are more recent on personal devices. If document formats have changed, saving a document from a personal device could result in it no longer being accessible to software on corporate devices. If corporate licensed software needs to be installed on personal devices, it may not be compatible, and if it is, it may be in breach of software licence terms and conditions.
- If personal devices are stolen, it could be impossible to know what corporate data was on the device, which would consequently prevent accurate reporting under data protection regulations.
A different kind of risk with personal devices in the workplace is the quantity of time spent undertaking personal activities during working hours. Available software can be controlled on corporate devices, but personal devices will include access to the employee’s own software and own data. Personal devices can therefore reduce productivity. Although this blog began with a question, the case is clearly more in favour of not allowing own devices to be connected to the corporate network.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.