We get it: you reacted quickly to COVID. You learned how COVID spreads, how to protect yourself and your family from getting sick, and how to keep your business afloat. Now we are settling into a new normal, and it's time to reevaluate what was done from a technology and information security perspective to make sure the quick decisions you had to make are safe and reasonable.
Personally owned computers, laptops and desktops alike, can be very dangerous when used to connect to your company's systems. Policies that allow personal devices to be used for work are commonly known as BYOD (Bring Your Own Device), and small and medium-size businesses often adopt them without understanding the significant risk they carry.
There is a basic truth of personal computer security: if a hacker gets into your personal computer and you use that computer to access work systems, the hacker can access those work systems too. Add to that the rise in cybercrime since the beginning of the COVID pandemic. The FBI's Cyber Division reported in April that cyber complaints had increased at least 300% over the previous few months. That is a recipe for disaster.
This is a really inconvenient reality. To manage a personal computer with the security practices an organization needs in order to be in a defensible position, you have to tell the computer's owner (your team member) that they can't install whatever they want on it, they can't go wherever they want on the web, and they must perform certain maintenance on their machine. All of that works well on a corporate machine, but it makes people angry when they can't play games or install video editing software on a machine they paid for.
Here are some common myths and the hard truths about using personally owned computers for work.
Myth: Anti-malware will protect us.
Truth: Anti-malware misses a lot of malware, and even if you require employees to install anti-malware software, how do you know they have done so or that it is working properly? Users may not install the software at all, may install it incorrectly, or may never apply the updates that catch the latest malware. Those updates matter: in case you didn't know, current estimates of new malware variants range from hundreds of thousands to over a million per day, so a machine whose signatures are weeks old is effectively unprotected against anything recent.
Myth: Virtual Private Networking (VPN) will protect us.
Truth: A VPN is a secure way of connecting to your corporate network, but it only protects data in transit. It will not protect you if the machine itself has been hacked. Remember, if a hacker owns your machine, the hacker can see everything you do, including typing your password, and the VPN tunnel carries the hacker right into your corporate network along with you.
Myth: All of our stuff is in the cloud, so we’re safe.
Truth: Once again, if a hacker has full control of your machine, the hacker has access to everything you do, including the browser sessions you open to cloud services. The cloud provider's security protects its data centers, not the computer you use to log in to them.
Myth: Multifactor authentication will protect us.
Truth: Multifactor authentication, where you enter a code or approve a login from your phone or other device, is an excellent additional security measure. However, and I know I may sound like a broken record, once your machine has been taken over the hacker can do whatever the hacker wants. MFA proves who is logging in; it does not protect what happens after the login succeeds on a compromised machine. The Zeus Trojan, for example, first identified in 2007 and built to steal money from bank accounts, gets around multifactor authentication not by breaking the second factor but by riding the victim's own authenticated banking session from inside the infected browser.
Myth: Mobile Device Management (MDM) software will ensure that the systems our users bring to work are secure.
Truth: This can be true in some cases. In most cases, however, we find the security settings inadequate to ensure both that the system protects your company and that the computer's owner stays happy; you rarely get both. If the controls are strong enough to protect the personal computer and your company, the person who owns the computer is not going to be happy about what they can no longer do with it.
Cut to the Chase: What to Do
The good news is there are numerous cost-effective ways to solve the personally owned computer/BYOD problem. In the long term, providing your team with company-owned, company-managed laptops (which, unlike office desktops, can go home with them) rather than relying on their personal machines is a straightforward solution. Depending on your security needs, properly secured tablets or limited-use laptops, such as Chromebooks, offer security at a reasonable price point. All of these decisions should be made in consultation with your subject matter experts; however, I strongly suggest that you also fact-check your expert against the myths above to make sure they truly understand the risk at hand.
David Lam is a partner at Miller Kaplan. For more than 30 years, he has been managing information for small and medium businesses including custom software development, systems management, and information security. Learn more at MillerKaplan.com.