Should employees be allowed to bring their own devices into the workplace and connect them to the corporate network? There are mixed views on this, and you must carefully consider the advantages and disadvantages and then define corporate policy. Personal devices in the workplace are high risk, and IT departments would have no control over the content of such devices.
- It could result in the theft of data by an employee. As employees are likely to need company data on their personal devices to undertake their role within the organisation, use of the data for other purposes is a straightforward next step. The presence of company data on a personal device could easily be explained as plausible. If staff used data for other purposes, the evidence is unlikely to be available due to the lack of monitoring.
- It would be challenging to verify the removal of corporate data on personal devices when employees leave the organisation. Backup copies could be available in remote storage areas such as Dropbox, Google Drive and OneDrive. Someone could restore deleted data using recovery tools, as a file is never entirely deleted until the file data has been overwritten with other files or securely deleted.
- If companies allow employees to have data on their own devices, they generally have much less control of the data than if it were on file servers within the organisation. It isn’t easy to maintain an inventory of sensitive information within an organisation if it extends to personal devices.
- Using personal devices within a corporate environment also introduces risks associated with malware.
- Software compatibility could become an issue. In a lot of cases, versions of the software are more recent on personal devices. If document formats have changed, saving a document from a personal device could result in it no longer being accessible to software on corporate devices. If corporate licensed software needs installing on personal devices, it may not be compatible, and if it is, it may be in breach of software licence terms and conditions.
- With lost or stolen personal devices, it could be impossible to know what corporate data was on the device, which consequently prevents accurate reporting under data protection regulations.
A different kind of risk with personal devices in the workplace is the quantity of time spent undertaking personal activities during working hours. Businesses can control the software on corporate devices, but personal devices will include employees’ own software and data. Personal devices can therefore reduce productivity.
Although this blog began with a question, the case is more in favour of not allowing employees’ own devices to connect to the corporate network.
Robert is an information security professional with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through Telegram.