Businesses large and small are warming up to the idea of employees conducting company business on personal computers. It sounds straightforward, but this is a technological can of worms with benefits, risks and policy issues to consider.
With employees working from home in greater numbers and BYOD (bring your own device) culture often touted as a perk of employment, now is the right time to discuss using company-allocated devices vs. personal computers for work. Here are the benefits, trade-offs and cybersecurity concerns.
The Benefits of Using Personal Computers for Work
Every company will get different mileage out of any workplace trend. Some of the reported benefits of BYOD culture include:
- Some 50% of workers aged 30 and older believe their personal devices are better for productivity than their work ones.
- Companies can save $350 per year for every employee who uses their own devices for work.
- An employee using a personal computer for work puts in the equivalent of two hours of extra effort per day.
There are benefits on both sides of the employer-employee relationship.
The worker gets the comfort of working with a familiar device and operating system and the company receives a little extra productivity and worker satisfaction.
However, BYOD culture opens up a serious downside: the increased risk of cybersecurity threats.
Cybersecurity Considerations and Risks
The glaring issue with employees using personal computers is that the company no longer has complete control over the environment in which sensitive — and potentially classified — work is performed. There are unanswered questions such as:
- Who else has access to the machine in question besides the employee?
- How conscientious are the employee’s password hygiene and web-browsing habits?
- How frequently are the machine’s applications and operating system updated?
- What antivirus and anti-malware software is installed? What’s required by your industry?
Companies considering any form of bring-your-own-device culture must weigh the risks of device loss and data exposure against the potential advantages of BYOD for the company and the workforce.
BYOD isn’t appropriate for every company, industry or niche. Some roles or entire operations may need to issue company-owned computers with tighter restrictions and software settings to ensure security patches are installed as soon as they become available.
There may be industry-specific certifications and cybersecurity standards to weigh as well. If you have ambitions of becoming a government contractor, some cybersecurity maturity certifications may have restrictions that preclude using personal devices for company — or government — work.
Here are a few other cybersecurity and security-adjacent concerns worth considering before endorsing BYOD culture.
The potential productivity benefits of using PCs for work may vanish if employees’ machines aren’t up to the task. In addition to running antivirus and anti-malware software in the background, employee devices must capably perform and multitask at the same level as company-owned items or else productivity will suffer.
Windows 10 Home does not include encryption right out of the box. Windows 10 Pro does. Windows 11 Home and Windows 11 Pro provide encryption tools — including automatic encryption — but the processes are different.
Take steps to verify that any computer containing company data is encrypted as a matter of course. This is vital. Issue a company-owned device if an employee’s machine cannot carry out automatic encryption without interrupting their workflow or impacting performance.
If your company uses its own encryption processes, follow best practices to ensure your encrypted files stay secure. Automate encryption key management to reduce errors; invest in secure backups; and always keep your key separate from the device, or else the encryption is rendered essentially useless.
VPNs (Virtual Private Networks)
VPNs may come into play if you have workers who telecommute and need access to company tools or databases. Employees can access these assets as though they’re doing so from within the company’s IT network.
Virtual private networks are also useful for security purposes. Employees who perform company work on personal computers or public networks should install and use VPNs to protect their IP addresses. This also hides the contents of their web activity — including intellectual property (IP) and sensitive company data — from bad actors.
Conducting regular backups of personal computers’ content is one of the most basic tenets of using a PC safely. However, should the company back up personal files alongside its IP if someone uses their own device for work?
This may be a delicate matter for some employees, which means there needs to be a clear set of expectations before they begin using personal computers for work. Consider:
- Should employees conduct full PC backups or more targeted ones?
- Is there a preferred backup method or application?
- Are local backups permissible? Is there a more secure cloud equivalent?
- Are conventional backups still required, or is a cloud alternative available?
- How will the backups be encrypted?
- Who will have access to PC backups and under what circumstances?
Falling back to recent backups is how many companies answer attempted ransomware and cyber-extortion. Given the sensitive nature of these backups, it might be wise to have employees think of them as an emergency resource only rather than a quick fix for accidental deletion of personal files.
Repairing computers can be a weak link for cybersecurity. There may be spans of days or weeks where the machines are outside your control and the chain of custody is unclear.
You must have a strong policy outlined in advance that answers these questions if your employees conduct work on personal computers and one of those machines needs repairs:
- Does the employee take the device to your company’s IT department for service or to the original equipment manufacturer?
- Does the company have an outside partner that specializes in PC repair? What is the process for repairing computers containing sensitive data?
- Is there a preferred procedure for removing sensitive contents from the PC before sending it in for service? Is it the device owner’s or your IT team’s responsibility?
Ensure your employees know where to find the instructions if they must factory reset their computers.
Chain of custody
Finally, how can you track the chain of custody before and after the device leaves company hands? You may recall the theft of personal data from a Facebook employee after they accidentally left company hard drives in their car overnight. Be sure you know where your computers are at all times and who has access to them.
Keep Company-Issued and Personal Computers Safe
If your teams use their personal computers for work purposes, extra precautions are required. While your business may save some money by letting employees use their own devices, you may also lose millions if one of those devices gets hacked or loses client information. Staying safe means every party needs to be aware of the potential risks and know how to do their part to mitigate them.