In an era where hybrid and remote work is the new normal, the temptation to let your team use their personal laptops for work is undeniable. However, before embracing this seemingly convenient solution, discover the hidden pitfalls of personally owned devices or BYOD (Bring Your Own Device) in the workplace. Read on to learn why BYOD might not be the game-changer you expect and how it could lead to a labyrinth of IT, HR, and legal headaches.
IT and Cybersecurity
Even if your workplace’s corporate-owned devices have IT policies that resemble a Dickens novel and have stricter IT controls than a bank vault, personal computers bring along a certain “Wild West” spirit that’s hard to wrangle. Consider this scenario: in most workplaces, IT departments take pride in locking down work devices to prevent users from gaining administrator privileges. It’s akin to locking the cookie jar to avoid late-night snacking. However, when it comes to personal computers, it’s as if we’ve handed out the master key to the office supply closet. Users can freely download the latest trendy apps and games, which, much like an unexpected party guest, might not be as harmless as they seem. If one of these seemingly innocent applications turns out to be a Trojan horse, it can spell trouble for your business. Once that compromised computer finds its way onto your company network, it can begin poking around private company files, emails, and other business applications. The attackers behind it can steal your privileged information, infect other devices, encrypt your data, or simply wreak digital havoc. It’s almost as if they’re the life of the (uninvited) party.
A prime example of the fallout from such a compromise was seen during last year’s unfortunate saga of the password manager company LastPass. Interestingly (and by interesting, we mean cringe-worthy), a chunk of the drama revolved around a developer’s personal home computer. This breach allowed the cyber intruders to waltz right into the company’s treasure trove of resources and backups, uninvited, of course. The end result? Well, let’s just say LastPass experienced an astonishing level of embarrassment, especially as a company that touts itself as a trusted place to store sensitive information and passwords. They also had an unfortunate exodus of customers, particularly from their corporate and enterprise clientele, who were quicker to hit the eject button than a parachute enthusiast. If that wasn’t enough, they had the pleasure of months of investigation to determine the root cause, depth of the breach, and issue multiple public responses. A tad more time on their BYOD policy could have avoided this embarrassing, time-consuming, and extremely costly mistake.
Personal computers can be a real HR headache. In the US, employers typically retain ownership of all files, emails, company apps, and other company data employees create. When an employee decides to part ways, whether it’s an amicable farewell or more of a “don’t let the door hit you on the way out” scenario, it’s only natural to want to pull the plug on their access and tidy up the digital aftermath. On a company-owned device, this can be a straightforward affair. A few clicks, or better yet, a trip to IT with the device in hand, and voilà! Access revoked, data deleted, and everyone moves on with their lives. But now, welcome the employee’s personal computer to the stage. IT suddenly finds itself in a tête-à-tête with the employee to wrest control and cleanse the digital footprint. It’s now a convoluted mess of IT and HR arranging time with the former employee to take all appropriate data removal actions. Sure, you can address some of these challenges with the right company policies and procedures, but the plot thickens when the departing employee’s exit is accompanied by storm clouds. There is no shortage of stories, especially in customer-facing roles, where team members (unintentionally or intentionally) moonlight as information smugglers, storing your clients’ details away for a rainy day and maybe even tempting those clients to follow them to their new employer.
In the world of regulated industries, such as healthcare or the public sector, personal computers can be a legal tightrope walk. Their lack of oversight can carry profound legal implications. Imagine this: failing to ensure the complete erasure of sensitive information after an employee’s departure can lead to a costly game of fines and penalties, plus a front-row seat to regulatory scrutiny if that data ever makes a dramatic entrance into the public eye. Financial liability, the obligation to disclose the event, and extensive (and expensive) investigations are the expected outcomes. Under HIPAA, there is even a virtual “wall of shame” listing the name of every healthcare organization from which sensitive information has leaked in the last 24 months.
Embracing personal devices for their simplicity and initial cost savings might seem like a bright idea, but be prepared for the hidden costs lurking in the shadows. It’s a bit like opening your door to a stray animal—you might end up with some unwelcome surprises. Introducing an unvetted computer can lead to anything from minor inconveniences to major disasters that hit your bottom line and reputation.
TST Can Help
As seasoned experts in cybersecurity and IT, we specialize in uncovering those hidden IT risks lurking within your organization’s technology landscape. Don’t let uncertainty cloud your path to success. Reach out to us today for a complimentary IT assessment, and let us empower your organization with the clarity and confidence needed to navigate the ever-evolving digital terrain. Your peace of mind is just a phone call away.
Reference: HIPAA “wall of shame” (HHS Office for Civil Rights breach portal): https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf