Most employers are dealing with an expanding range of technology issues. Everything from budgets and cybersecurity to remote workers. In this article we give you a definitive answer to a common question. And you don't have to read the entire article to get the answer!
Should you allow employees to use their personal computers and/or phones for work?
No for computers. Maybe for phones.
Read below for some reasons why we say this.
Why you shouldn't let employees use personal computers for work
When I asked Kosh's in-house cyber security expert, I got a quick and definitive "no". He said there're too many security, privacy, and liability issues that it's just not worth it. Some businesses think they're saving money by not having to buy computers for their employees, but the risks definitely outweigh any savings.
The cost of a basic business-grade workstation is about $1,700 and for a laptop with extended warranties is about $2,100. According to IBM the average cost of a data breach in the United States is about $9.44 million! And for the healthcare sector it is even higher at $10.10 million. The math is pretty easy to work out.
Security problems with personal computers
Here are some of the security issues that come with allowing employees to use their own computers.
You never know who else has access to their computer. Their computer might be shared with family members, and you definitely don't know what they're doing on the computer. Remember, this computer has your company's data on it, and it's now very exposed to viruses and malware.
Typically, personal computers don’t run premium anti-virus software. If they have anti-virus software, is it up to date? Is it robust enough to protect corporate data? Is it always running, or do they turn it off sometimes? Too many questions that you won't have the answers to!
Is other software updated on a routine schedule? Probably not. What about updates and patches to business software, is that being maintained? Probably not without having access to their computer to run the patches and update for them.
How are their passwords stored on their computer? Do they just have the passwords in a word doc? Are they using complex passwords? You would have to install password requirements to force the employee to comply.
There are way too many security holes when staff use their personal computers for work and that's why it's an easy "no". There're measures you can take to mitigate the risks the questions above pose, but it's far easier and more secure to issue a computer to your staff.
Kosh offers a free (no sales call) cybersecurity quiz that evaluates your staff's cyber awareness. Simply click below to fill out the form and we will get started.
Encryption as a security measure
Briefly, encryption is a way to protect your data if the physical machine is stolen. It can be difficult to enforce encryption on every computer if every computer working with your company data is different. Once again, the way to solve this issue is to buy computers for your staff.
The legal headaches of letting staff use their own computer
I feel like I'll convince about 99% of decision makers that purchasing computers for staff is the way to go if I just make the case that it will eliminate, or at least decrease the likely hood, of certain legal issues. A couple legal issues are:
Setting privacy expectations and more importantly guaranteeing that your staff and company are able to comply with these expectations. How can you assure employees that you can only see data related to the company? Does the company potentially have access to private personal data?
What happens when a personal computer used for business breaks? What if the employee spilled water on their computer? Who is responsible for buying a new one? So, there's the expense of the computer to consider and then the expense of having that employee down for a certain amount of time. Headache.
What happens to the data when the employee leaves the company? Do you have the legal right to remove company data from their computer? What if the former employee doesn't want to give you access to their computer? How will you enforce this? Once again, a lot of questions with difficult decisions that could be eliminated by simply purchasing a company computer in the first place.
What happens when the employee's computer doesn't meet your company standards? Maybe the computer doesn't have high enough specs to perform the tasks you require. Some business software requires newer generation video cards, processors, or large amounts of storage that are not commonly found on personal computers. Or they might use the wrong operating system - Mac vs PC. If you purchase a standard computer used throughout your company, these issues will not arise.
Should employees use their phones for work and personal purposes?
When I asked our in-house expert, he said this one is a little more flexible and gave a few points to consider.
Your company needs a Mobile Device Management tool. These tools allow the company to have additional management control over devices used by employees. MDM tools commonly have features such as device location, device reset, remote app install, ensuring the device meets a compliant state, and OS version control. Whether you choose to issue company phones or allow employees to bring their own, this management tool is worth the investment.
If employees use their personal phones, how is the line drawn between work and personal on the phone? Most applications will contain their data in their own space. This allows it to be isolated from other applications. Then when the company app is removed the company data is also removed from the device. However, when things like the built-in email app are used things can get a bit blurry as the built-in apps can share data with other apps on the device. And it's that blurriness that can cause problems.
Can the company see personal info? Are there ways employees are assured of this? This usually depends on who “owns” the device. For example, if the device is owned by the company everything can be viewed by the company. If it is a personal device than only limited information is available. Most people assume that their employer can view more information than they actually can. A common example is text messages. On a personal device the company cannot view text messages, but on a company device they can. In most cases when you connect your mobile device to your company, your company gains the ability to remotely remove company information, reset the device, require a passcode, and enable encryption. If your employees are using their personal devices, it's a good idea to be very clear what access the company has.
Is using a phone for work and personal purposes secure? Mobile devices are secured in the same fashion whether they're used for work or personal use. However, business phones can have their content limited making them less likely to get infected.
What about the difference between android and iPhone, anything to consider here? At the core these platforms are very similar in what they offer. Many applications have apps for both platforms. When selecting a mobile device platform, companies should consider hardware requirements, accessories, and total cost. Android phones tend to have a lower device cost, but some are limited on accessory options that might be needed. The iPhone has a large hardware ecosystem that has increased the ways the device can be used.
Issuing a company phone or allowing employees to use their personal devices are both acceptable. However, a company issued phone will be a cleaner, more straight forward experience.
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.