Most organizations we bring on initially have a fuzzy line around what is “work” equipment and what is “personal,” and what each can be used for; the result is an insecure environment. Business machines are typically covered by a security standard: a set of policies and procedures set by management, and technical rules set by IT, to keep attackers out and your confidential information inside. Personal machines typically have virtually none of this.
If your organization allows business information on personal machines, or personal use of business machines, you have opened the door to attackers. To return to the video game example, this company does not seem to consider an entire category of bugs important enough to fix. If it sold to businesses, it would never get away with that. If you let your employees install this video game software on your computers, however, you just did. If you allow your employees to access company information from their personal machines, you also just did.
It is an easy fix: put in place a written policy that allows access to confidential information only from secured, company-owned machines.
BIG WARNING: Execs usually want to be exempted from these rules. They also typically have the MOST access to the most CONFIDENTIAL information. Exempt them, and THEY become your biggest risk, and your biggest TARGET.
Policies are abstract and do not change often. They are carried out by specific procedures that change as your business changes (“our external IT partner will provide you with a work laptop from which you can access company information”) and enforced by technical rules (e.g., your MSP blocks access to company information from any machine that does not meet your security policy).
Even if you cannot get all of your rules and procedures in place today, define and communicate your policies. The security of your organization depends on it, and your security is nothing less than your future.