The Mac Security Blog

Security & Privacy

Why You Should Think Twice Before You Bring Your Device to Work

Posted on by

Bringing personal devices into a work environment can be a legal minefield, no two ways about it. Rather than dealing with the myriad questions that arise from the business-side perspective, we’ll assume you’re someone who works for a company that has already decided to allow people to bring their personal devices to work. Unfortunately, just because you can, doesn’t necessarily mean you will ultimately want to. We hope to educate you on what you would want to be aware of before you agree to use your personal device for business purposes.

There is one thing you need to be very clear on before using your device to access corporate resources: from a legal perspective, your device and data ceases to be your own.

The company may:

  • Push management software to your computer
  • Restrict your access to certain apps or services
  • Remotely wipe your device of all data if loss or break-in is suspected
  • Require you to turn over your device in the case of a lawsuit
  • Monitor your physical location via GPS or Wi-Fi
  • Monitor use of your machine
  • Turn off your camera or microphone in certain areas

From the company’s perspective, what they’re trying to do is to protect themselves against any problems due to loss of data or misuse of corporate resources. This is especially problematic with mobile devices since theft and loss is a whole lot more common than with desktops.

It’s one thing when these actions are applied to a corporate-issued laptop. It’s a whole other matter when it’s a personal cellphone that has pictures of little Johnny’s first birthday party plus contact info for all your friends and family. And what if this device is something you share with family members? If corporate policy mandates passcodes with remote wipes for too many incorrect guesses, what happens if Johnny tries to play a game on your machine and tries to guess the passcode? There goes everything.

The first (and most important) thing you can do is to fully understand your company’s Acceptable Use Policy before you agree to connect your device to their network. You should be able to answer all of the following questions, and if not, keep asking until you fully understand:

  • Will my personal data be subject to automatic remote deletion?
  • What will trigger the automatic deletion? (e.g., suspected loss or break-in, leaving the company voluntarily or through termination/layoff)
  • Will someone ask for my approval before deletion?
  • Does the company provide the means for me to periodically backup data?
  • Does the company provide the means for me recover the personal data deleted?
  • Does the company have any restrictions about what apps I can use or websites I can visit?
  • Under what circumstances might I be required to turn over my device for forensic analysis?
  • Are there any exceptions to this rule?
  • Will the company provide a replacement?
  • What is the process to regain use of my device?
  • Who will have access to personal data on my device during forensic analysis?
  • Will someone within the company be able to track my location?
  • Are there rules about when tracking can happen?
  • Will someone ask for my approval to track my location?
  • Do I get notified if I’m being tracked?
  • Will tracking happen outside of regular work hours?
  • Will my personal use of the device be monitored?

There are things you can do to ease potential problems with putting your phone and data under corporate control:

  • The best thing to do is to back up your own data. Don’t rely on someone else to do this. Your personal data is more important to you than to anyone else.
  • Help the company out and make sure you’re connecting to corporate resources securely. This is easy if you’re just accessing email via Exchange Server. It can be more tricky if you are connecting to other resources. Ask your IT folks if it would be useful to connect through VPN, or if there are other ways they would recommend to encrypt your transmissions.
  • Enable Auto-Lock so that it minimizes the window for someone to be able to access your data if your device is lost or stolen.
  • Encrypt important data, whether it’s yours or the company’s. And understand that you will be required to provide the decryption key if your device needs to be forensically examined.
  • Keep up with firmware updates to minimize the possibility of someone being able to use known, old vulnerabilities to access your device.
  • Don’t “root” or jailbreak your device, as this drastically increases the vulnerability of your device.
  • Separate company and personal data, in case there is some possibility of remotely wiping only company data.
  • Use 2-Factor authentication or password management software when you can.

Has your company allowed a Bring Your Own Device policy? If so, have you used it? Do you think it’s convenient or intrusive?

photo credit: Simon Adriaensen via photopin cc