Using Personal Computers In the Workplace Can Cause BIG Problems Without A Few Simple Rules!

At ACT, we support a great many organizations that allow employees to use their own computers or other personal devices at work. Sadly, I’ve noticed that some of these companies don’t set many rules for the use of personal devices. This can be a problem for both sides of the keyboard.

Personal computers can harm your network without some basic controls. Companies SHOULD have rules regarding what can and cannot be accessed on the network. This accomplishes two goals. First, it enforces the security rules necessary for the safety of the network assets. For example, one of the key problems with personal devices is the ability of employees to carry critical and potentially confidential information beyond the limits of the in-house security system. If an employee from HR, for example, copies personnel records onto their notebook to work on from home, that confidential information is vulnerable to theft or loss despite the best intentions of that employee. If he or she stops at the store on the way home and the notebook is stolen off the front seat of the car, the company now has a serious exposure to penalties, litigation or financial loss. Laptop loss and theft by employees is one of the top causes of HIPAA personal health information (PHI) breaches in the healthcare industry.

Organizations that allow uncontrolled access to company networks by employee computer equipment run a dramatically greater risk of data theft and corruption. Here’s a real-life example: a local school that will remain nameless allowed employees to take data home and bring it back using their own personal flash drives or computers. Those devices didn’t have the same anti-virus or security software that the network had, so when an employee plugged in a flash drive that contained data from his home computer, it also carried a particularly aggressive virus. It spread across the network like wildfire, erasing all the school data from the server and all 120 computers connected to the network. They called us in to clean up the mess and restore all of the lost data. It took over 60 hours to clean up the servers, the 120 computers and every flash drive from every employee to make sure we eliminated every instance of the malware. When we isolated the flash drive that initiated the event, the employee was indignant and claimed he was too computer savvy to be caught by a virus like that. We pleaded with the management to implement some sort of security protocol to secure portable devices that connect to their network, but our plea fell on deaf ears. End of the story? NOPE! Three days later the same employee brought the same malware from his home PC back to the office on his flash drive and re-infected the entire network again! We spent another 60 hours cleaning up his mess again. Finally, management listened to us and allowed us to secure their computer USB ports properly.

From the employee side of the equation, the issue is more pragmatic. They want to know what kind of device to buy so that they can access the right assets at work and do their job better.

Here’s a real-life example of the hassle that can ensue when there aren’t good policy guidelines for use of personal computers. Employee A wanted to use her own tablet at her job. She needed to access data on the move at work and her desktop limited her ability to do that.

Her employer had no rules regarding what could or could not be accessed. She knew that she needed access to the company web site for part of her job, but she also wanted to access data on the company file server as well. She got a vague “OK” from her boss, who wasn’t particularly computer savvy, and headed off to her local Super Store where the salesperson talked her into a Microsoft Surface with Windows RT.

Here’s where her problems began. Because there were no company guidelines on what kind of devices were allowed on the network, she had no real direction on what to buy on her own and wound up with a device that would only do half of what she wanted. She COULD access the web site, but Windows RT isn’t intended to be joined to a domain network like the one at the office, so accessing server assets became a problem.

I’m not picking on Microsoft or Windows RT. The tablet could just as well have been an iPad or an Android tablet and the hassles would have been similar. She wound up with a computer that solved half of her goals. Of course, there are technical workarounds that a good IT department can implement to resolve some things, but wouldn’t it have just been easier for the company to think ahead and publish some guidelines so she could get it right without the extra hassles? She really needed a tablet with Windows Pro instead of RT to do everything she wanted.

Here’s a very simple Personal Computer Use Policy example.

  1. Employees are allowed to use their personal computers in the office but only for the following tasks: X, Y and Z. (This lays out what they can and can’t do.)
  2. These computers must have the following programs installed prior to connecting to our network: Trend Micro anti-virus, BitLocker file encryption software and A, B and C security-related programs. (This protects company assets stored on their computers.)
  3. Computers must be registered with and inspected by the IT department prior to connecting. (For security purposes the company must know who is accessing their assets and that the devices are secure.)
  4. No company confidential information may be copied to personal devices unless it is encrypted and the company knows the encryption keys and password. (‘nuf said!)
  5. If an employee desires to access our network, we require XYZ operating system and Acrobat version xx.x, Flash Player version xx.x, MS Office 2013 etc. (Now they know what to buy.)
  6. Computers with the following operating systems X, Y, Z are NOT allowed on the company network. (And what NOT to buy.)
  7. Every employee desiring to use personal computers on the company network must sign a confidentiality agreement and an appropriate use agreement, and must present their computer for inspection by the company in the event of any suspected security breach. (They have to acknowledge they will follow company rules.)
  8. Personal computers that hold company data should be equipped with company-managed file scrubbing software so that if the computer is lost or stolen the company can erase any and all confidential information remotely.
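A policy like the one above only works if somebody actually checks devices against it at registration time (rule 3). The following is an added illustration, not ACT’s code or any product’s API: the checkable rules (2, 3, 4, 5, 6 and 8) are written down as data and applied to device records, so IT gets a concrete list of what a device is missing instead of a vague “OK”. The operating-system names, software names, version floors and the three sample devices are constructed placeholders standing in for the X, Y, Z and xx.x in the policy text; a real deployment would pull them from an inventory or MDM system.

```python
"""Admission check for personal (BYOD) devices against a written device-use policy.

Added example, not ACT's code or any vendor's API. Policy values and device
records below are constructed placeholders.
"""
from dataclasses import dataclass

# Rules 2, 3, 5, 6 and 8 of the example policy expressed as data. Every value
# here is hypothetical; substitute the organisation's real requirements.
POLICY = {
    "allowed_os": {"Windows 10 Pro", "Windows 11 Pro", "macOS 14"},   # rule 5
    "forbidden_os": {"Windows RT", "Windows XP"},                     # rule 6
    # Required software and the minimum (major, minor) version accepted.
    "required_software": {"Trend Micro": (17, 0), "MS Office": (2013, 0)},  # rule 2
    "require_disk_encryption": True,     # rule 2 (BitLocker)
    "require_it_registration": True,     # rule 3
    "require_remote_wipe_agent": True,   # rule 8
}


@dataclass
class Device:
    owner: str
    os: str
    software: dict           # name -> (major, minor) version tuple
    disk_encrypted: bool
    key_escrowed: bool       # company holds the recovery key/password (rule 4)
    remote_wipe_agent: bool
    registered_with_it: bool
    holds_confidential_data: bool = False


def _ver(v):
    return ".".join(map(str, v))


def evaluate(device: Device, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means the device may connect."""
    violations = []
    if device.os in policy["forbidden_os"]:
        violations.append(f"operating system '{device.os}' is explicitly forbidden (rule 6)")
    elif device.os not in policy["allowed_os"]:
        violations.append(f"operating system '{device.os}' is not on the approved list (rule 5)")
    for name, minimum in policy["required_software"].items():
        installed = device.software.get(name)
        if installed is None:
            violations.append(f"required software '{name}' is not installed (rule 2)")
        elif installed < minimum:
            violations.append(f"'{name}' {_ver(installed)} is below required {_ver(minimum)} (rule 2)")
    if policy["require_disk_encryption"] and not device.disk_encrypted:
        violations.append("disk encryption is not enabled (rule 2)")
    if policy["require_it_registration"] and not device.registered_with_it:
        violations.append("device has not been registered and inspected by IT (rule 3)")
    # Rule 4: confidential data is only tolerated when it is encrypted AND the
    # company can still get at it (key escrowed), so a lost device is recoverable.
    if device.holds_confidential_data and not (device.disk_encrypted and device.key_escrowed):
        violations.append("confidential data present without company-held encryption key (rule 4)")
    if policy["require_remote_wipe_agent"] and not device.remote_wipe_agent:
        violations.append("no company-managed remote wipe agent installed (rule 8)")
    return violations


def admit(device: Device, policy: dict = POLICY) -> bool:
    return not evaluate(device, policy)


# Constructed sample devices (hypothetical owners and inventories).
COMPLIANT_LAPTOP = Device("a.lee", "Windows 11 Pro",
                          {"Trend Micro": (17, 2), "MS Office": (2013, 0)},
                          disk_encrypted=True, key_escrowed=True,
                          remote_wipe_agent=True, registered_with_it=True)
# The Windows RT tablet from the story: bought without guidance, never inspected.
RT_TABLET = Device("employee.a", "Windows RT", {"Trend Micro": (17, 2)},
                   disk_encrypted=False, key_escrowed=False,
                   remote_wipe_agent=False, registered_with_it=False)
# An HR notebook carrying personnel records, encrypted but with a key only the
# employee knows, and an out-of-date anti-virus.
HR_NOTEBOOK = Device("hr.clerk", "Windows 10 Pro",
                     {"Trend Micro": (16, 0), "MS Office": (2013, 0)},
                     disk_encrypted=True, key_escrowed=False,
                     remote_wipe_agent=True, registered_with_it=True,
                     holds_confidential_data=True)

if __name__ == "__main__":
    for dev in (COMPLIANT_LAPTOP, RT_TABLET, HR_NOTEBOOK):
        problems = evaluate(dev)
        print(f"{dev.owner}: {'ADMIT' if not problems else 'REJECT'}")
        for p in problems:
            print("  -", p)
```

The point of returning a list rather than a yes/no is the employee-side half of the problem described earlier: the rejection tells the person exactly which purchase or setting was wrong (Windows RT in this case) instead of leaving them with a tablet that does half the job.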

These kinds of policies establish some basic rules for the employee to work within, but they also give them some guidelines for what to buy if they intend to use their personal computer at work.

One final thought: don’t think that personal use policies only apply to notebooks and tablets. They SHOULD apply to things like smartphones, PDAs, flash drives and any other device that can hold data. Remember that e-mail is considered a company communication asset too, and if your managers or staff use their personal devices for receiving email, there should be provisions for that too in your personal device use policy!