Using company devices for personal activities leads to data loss
GFI Software released the findings of an independent study into how workers use company provided computers and laptops for personal activities, and the direct impact that personal use can have on the organization.
The survey revealed that the employers of 40% of those surveyed had suffered a major IT disruption cased by staff visiting questionable and other non-work related web sites with work-issued hardware, resulting in malware infection and other related issues.
35% of staff would not hesitate to take company property including email archives, confidential documents and other valuable intellectual property from their work-owned computer before returning it, if they were to leave their company.
Half of those surveyed use a personal cloud-based file storage solution (e.g. Dropbox, OneDrive, Box) for storing and sharing company data and documents.
The blind, independent study was conducted by Opinion Matters and surveyed 1,007 UK employees from companies with up to 1,000 staff that had a company-provided desktop or laptop computer.
Key findings include:
- 75% of respondents use their work-provided computer for non-work activities
- Overall, 90% have at least some understanding of their company’s policy on usage and follow it to at least some degree
- 8.5% completely disregard company IT policy on approved use of company computers for non-work activities
- Nearly a third (31%) of those surveyed have had to get their IT department to fix their computer after an issue occurred as a result of innocent non-work use, while 6% had to do the same due to questionable use (porn, torrents, etc.)
- 10% have lost data and/or intellectual property as a result of the disruption caused by the outage.
The survey also found a substantial concern among employees over whether their employers were monitoring their computer use, as well as a lack of understanding of how it can be done and what devices can be monitored.
42% of respondents are concerned about their employer’s ability to monitor their computer use, while almost two-thirds of those interviewed (63%) think their employer can monitor an iOS, Android, or Windows-based tablet use as easily as they can a conventional PC. However, almost one in five are unsure if their employer can monitor a tablet.
“Data security and integrity is a big challenge for companies as a result of the widespread movement away from desktop computers to laptops. Since laptops are usually brought home, they frequently get used out-of-hours for both work and non-work activities. Without clear policies and guidelines in place on approved personal use boundaries – backed up with technology to limit access to the most challenging parts of the internet – the dividing line between work tool and personal device, can quickly become blurred,” said Sergio Galindo, general manager of GFI Software.
“There are clear arguments in favour of letting staff use company computers for a degree of personal activity. It’s good for morale, productivity and it’s just common sense. However, people still need to remember that at the end of the day it is not their device, and neither is the company data on it. It is surprising how many people forget that and our survey underscores just how true this is. You would not go racing around a track in a company car, even though they let you take it home for an evening and pay for the petrol or diesel. The same principle applies to a company computer. Just because you can use it to access questionable content, doesn’t mean it is appropriate to do so,” Galindo added.
With many people using their company-owned PC as their own fully-fledged computer, and relying on it for everything from banking to shopping and music to videos, they will build up a comprehensive history of web sites visited, as well as files and documents of their own that have no bearing on their job role.
The survey also asked users how comfortable they would be if their co-workers, or their friends and family could see their personal browsing history. Over one in five (21%) would not want their family or colleagues to see their browser history or hard drive contents in the event they were suddenly incapacitated, died, or otherwise didn’t have an opportunity to sanitize their computer first.
This reaction highlights significant issues for users who need to return a company-owned device when they leave a job, or simply when it is time for it to be replaced with a new model.
When asked what they would do to their computer first if their employment ended, 60% would make a grab for their personal files. More than one-third (35%) would also take company documents, including confidential data and customer lists, despite it being a blatant act of theft, raising significant concerns for employers over data security and compliance.
However, 27% would simply walk away from their work device, not taking anything, including their own legitimate belongings, from the unit before handing it back.
“Data protection is a big problem, and one that has been exacerbated by the casual use of cloud file sharing services that can’t be centrally managed by IT. Content controls are critical in ensuring data does not leak outside the organization and doesn’t expose the business to legal and regulatory compliance penalties. Furthermore, it is important that policies and training lay down clear rules on use and reinforce the ownership of data,” added Galindo.