Using a company-owned device for personal computing and using a personal device for work computing are both common but potentially dangerous practices. It’s best to avoid mixing the two, but if you must, then at least understand the risks. I cover common issues here and recommend how to protect yourself and your employer.
Let He Who Is Without Laptop Cast the First Email
I freely admit I have, in the past, done very little to separate my private and work computing. (I am now fully reformed, thank you.) It was easy to get in that predicament. My primary work computer has been a laptop for almost as long as laptops have existed, and for all that time I have carried it home with me at the end of each day. (My family would point out that I also took it on 90% of our vacations.) Is it any wonder, particularly in the days before smartphones and tablets, that I never got around to buying a home computer?
My justifications will be familiar to many, so please sing along if you know the words: Who wants to work on two separate computers? It’s a waste of space and money. After all, it’s just some web browsing…and maybe iTunes…and then there’s that tax program…and my bank is online anyway. My work laptop is better than any home computer I might buy (or could afford), and the company benefits, too! Nearly every time I open my laptop, I end up checking email or working on something. They’re getting free productivity!
By the same token, why carry two smartphones? If the company reimburses me for even a part of the cost, it’s like extra income! It’s easy to add my work email to my phone, and then it will synchronize my contacts and calendar too – and that makes it easier to stay in touch with coworkers and clients. While I’m at it I could install Dropbox so I could get to that presentation I was working on. Even better – my tablet is really just a big version of my phone, so I can synchronize them there, too! I can get things done while I’m sitting at the doctor’s office…the airport…my friend John’s…
Even if you have separate home and work devices, some crossover seems inevitable. Sooner or later you may check your email, a web page, or (God forbid) your social media from your “work” device. So what’s the harm? Potentially plenty.
Just because you’re paranoid doesn’t mean they’re not watching you.
I strongly recommend avoiding all personal pursuits on company equipment and networks. Many companies have written rules forbidding personal use of company computers and networks, which could lead to you and your job going separate ways. Even if personal use of company devices is allowed (or at least not prohibited), think twice – unless you don’t mind sharing the details of your personal life, and potentially handing your boss justification for firing you.
The broad rule is that organizations have a right to inspect any file or other data that touches/uses/goes through their equipment – and that includes the company phone and office network. This right to capture and review will apply even if you are using your personal device on the company WiFi. Every username, password, email, web search, website, and file that you access, create, or store (even temporarily) on a company device or via a company system is at risk of being captured and investigated, and may even be considered company property.
Beyond having no expectation of privacy, you also have no guarantee of safety. Your company computer and network may not be secure or virus-free, and you have no protection against lost data, either. If your company computer crashes, don’t expect the IT department to be able, or to have the time, to recover all your lost photos that you transferred from your camera. And what if you are the reckless employee who goes to the wrong website and introduces a virus into the company? It isn’t worth the risk.
Bear in mind that if you store all your favorites and files and other bits and pieces of your digital life on a company device, you’ll probably lose it all the minute you lose your job, and you won’t have the chance to delete your personal files from your work computer as you’re being escorted out. You have no control over what happens to those digital artifacts once you’re out the door.
What’s bad for the goose…
There are also significant risks to employers if employees do company work on personal devices. Really, more companies should be flipping out over this.
Starting with phone calls: making business calls from personal phones means that employees have client contact information on their personal devices, and clients have non-business contact info for employees. Calls to or from personal devices bypass all QA, QC, productivity and tracking systems. Employees – particularly sales and account management staff – could walk away with direct access to company clients, and clients may still call ex-employees long after they’ve left the company. You may as well introduce your customers to the competition right now.
Personal devices are a security risk, too. Any good IT department can lock down company-owned devices, but they have little control over personal devices. Employees may not take the simple precaution of requiring a (hopefully strong) password on their phone, tablet, or computer. A lost device could mean serious trouble from compromised privacy, corporate espionage, and hacking. If you seriously consider the rules set by credit card merchants (via the PCI DSS), even the possibility of data loss could cost a company tens of thousands of dollars, their reputation, and their clients.
The risks go on: personal devices more often lack up-to-date virus and malware protection. Home network devices (routers, access points) frequently have only the default admin passwords enabled and are more easily hacked, and many home WiFi networks are less secure than your local Starbucks. Personal devices may also be obsolete. (Yes, Virginia, many still run Windows XP.)
Recommendations
Your best option for maintaining privacy and security – and also protecting your company – is a firm separation of your personal digital life onto dedicated personal devices. Whether you have that option or not, there are still ways to maintain control over your personal data, come what may.
Following are a few tools I use, while trying to maintain a balance between my budget and the need to stay current. Staying current on technology is one of the best protections against gremlins and digital miscreants.
Home Computer: I need enough power for large spreadsheets and running multiple programs at once, but nothing very graphics-intensive (like gaming). I prefer a laptop to a desktop, and many laptops are now cheaper than desktops.
You can pick up a decent 14″ or 15″ laptop for less than $300 at Best Buy or your local equivalent. Many will include a warranty and a year or more of virus protection. I am partial to Dell, but Acer, HP, and Lenovo play in this space too. If you get an open-box/floor model, it may be cheaper still. I favor something with Windows 10, at least 6GB of RAM, and 320GB to 500GB of disk space (I have lots of pictures, music, and files). Peripherals will drive the price up, but could wait until your budget recovers.
Antivirus: I have no specific recommendation except to say that you must have one, you must keep it current with automatic updates, and you do not have to buy the most expensive. Look up the latest comparison on PC Magazine (like this one from January 2017) and follow your gut. If your budget is really squeezed, there are still several free options, but don’t expect all the lights and buzzers. If all else fails, at least turn on Windows Defender. Ideally, you want virus and malware protection, plus a firewall.
Password Management: Here’s a simple test: if you’re writing down your passwords, or you can remember all of them, you’re doing it wrong.
I researched several password management programs before trying both 1Password and LastPass. I ended up sticking with LastPass. I believe both have free versions, but I switched to the paid version so I could share passwords with my wife. At $12/user/year, it’s well worth it. The program integrates with most browsers and has standalone apps for phones and tablets. I now have a ridiculously complex and unique password for every website or service. LastPass fills them in automatically, and most look like this: CrLm&OVa8GJ%EfI9 (and no, I’m not using that one.)
Some businesses also run LastPass, and users can link their personal and business logins together to allow a single sign-on, which is controlled by the user. If you and your company part ways, just get on your phone and unlink them. Of course, since you’re keeping personal and business separate anyway, you won’t need to link them, will you?
Cloud File Storage: Google Drive, iCloud, Dropbox, box.net, OneDrive…there are a lot of options now. Most will give you 2GB to 15GB of free storage, but that isn’t even enough for my photo library. If the free space is enough for you, choose whichever is most convenient to the way you work.
I have had accounts on all of the above, and last year I consolidated around Google Drive. When I realized I needed more than their free space offer, and even more than their first tier paid plan, I signed up for the 1 Terabyte plan at $9.99 per month, and winced every month.
I recently moved everything over to OneDrive for purely financial reasons. Microsoft has a deal for the full MS Office suite and 1 TB of OneDrive space for each of up to 5 users, all for $99.99/year. My wife and I now have the latest version of Office plus all the storage we need for the same annual price as 1TB on Google Drive for one user.
I also still keep a large backup drive at home, just in case the Cloud goes up in smoke. For day-to-day needs, though, nothing beats Cloud storage for convenience.
Basic Device Security: If you ignore everything else, at least do this:
Password protect your devices. Your computer should require a password to log in, and to wake it from sleep or a screen saver, and it should automatically lock after no more than 15 minutes of inactivity. Your phone and tablet should at least require a fingerprint or a 4-digit code to unlock, and each should lock any time you turn off the screen, close the cover, or go 5 minutes without activity.
Turn on WPA2 security on your wireless network. If your access point won’t support WPA2, get a new router or access point. Older hardware defaulted to no security at all, so if your broadband has been untouched in several years, it’s time to upgrade.
Change your network device passwords. Never leave the default admin password on your wireless access point or router. Defaults are easy to look up online, making them easy for your neighbor’s kids to hack. Even better: change the default admin username.
Don’t write down your passwords. Use a good password management program. If you need to write down the master password, try limiting your written note to enough characters to remind you what it is.
Don’t use the same login or password for multiple sites. If someone hacks/guesses one, then they’ll immediately try the same login on Amazon, eBay, PayPal, and every bank known to man.
Change passwords at least once each year. It’s a good New Year’s Eve time waster while you’re waiting for the party to start. Most password keepers will prompt you to change occasionally. Another plus for LastPass: if a site gets hacked, they’ll warn you to change your password next time you log in.
TL;DR
The short version: your private, personal information isn’t safe at work or on company-owned devices. Get a cheap laptop, keep your antivirus current, use a password keeper, put passwords on your personal devices, and don’t ever touch work files from your personal device.
(cover photo credit: www.bluecoat.com)
(LastPass security challenge screenshot is from my own computer)