In the first part of this series, we talked about many of the areas where cloud computing can be affected by employees and some of the major security issues. In this part, we will explore two overlapping areas of concern in cloud security:
- Remote working
- Bring your own devices to work (BYOD)
After the first pandemic lockdowns, many organizations invested in secure equipment for their employees; others did not and put the onus on their employees. Those organizations did themselves a disservice. Employees should not be expected to be security experts
80% of IT business leaders believe employees need mobile devices to do their jobs —TechRepublic
The pandemic may have forced most office workers into becoming remote workers, but that does not mean employees are suddenly reliable IT departments. The average employee’s home security is inferior to what their company provides.
There are many pros to having remote workers. Here are a few of them:
- Higher productivity. It seems like the reverse should be true, but the pandemic has shown corporate America that employees can be trusted to work. With fewer distractions from other employees, no dress code, and a comfortable work environment, their productivity is higher. CISCO did a survey of 1,800 employees, 150 managers, and 50 companies and found higher productivity and better attendance among remote and semi-remote employees than their on-site counterparts.
- Healthier employees. At home, employees generally eat less fast food and vending machine food than at the office.
- Better work-life balance, especially with so many parents now forced to become part-time teachers, homeschooling their kids while working full-time.
There are also cons to having remote employees. Here are a few of them:
- Internet connection. Your employees do not have T-1 connections at home and should not be expected to have the same upload and download speeds. Be patient with them. They may not be able to afford the fastest connection with their provider. They might live in a rural area where broadband is rare or nonexistent. Keep this in mind when an employee is asked to be the moderator for your next Teams call, and it cuts out.
- It’s easy for corporate communications to be missed. In the office, you can put a memo on every desk, or have all computers open to the company intranet with important announcements. Ensure you have a reliable cloud-based communications channel aside from email that allows two-way communication, such as MS Teams.
There was a woman in Detroit recently who took advantage of a company rule loophole. Her organization’s IT policy specified “iPhones, Androids, and Google Pixels,” so she bought a Huawei phone to get around the security guidelines she didn’t like. She got an extremely good deal on her phone by ordering from a rather shady site. That deal came at a price. Her new smartphone infected the entire agency network with malware, taking the entire company network down for three days.
While we can’t tell employees what type of phones they should buy (assuming the company is not providing work phones), we can make hard decisions about which mobile devices are allowable. Certainly, no one is going to accept a Jitterbug as a professional business phone. The Huawei phone should have been acceptable. Had it been purchased through a legitimate phone carrier; it might have been fine.
While Apple mobile devices are generally more secure than their competitors, they are not immune to attacks. Many companies purchase iPhones and iPads with that wrongful assumption, and Apple tries to convince the public that this is the case. As always, employees pose the greatest risk to the network — not devices.
Some of the upsides of BYOD for companies include:
- Lower equipment costs
- Employees update and upgrade their equipment more frequently than companies do
- Employee satisfaction increases when employees are allowed to work on the device of their choosing
Some of the downsides of BYOD for companies include:
- Employees might not install anti-virus software, putting your company data at risk.
- Employees often use the weakest passwords on their own devices.
- You don’t know who else has access to the employee’s devices. Many parents let their children on their devices. While the possibility of a child stealing company secrets is small, the possibility of a child deleting files to make room for video games is not.
What is the solution?
Companies need to have a well-coordinated strategy for remote working, covering everything from devices to WiFi to communication channels to approved 3rd party solutions. Ideally, this should ideally be written as a joint effort between your HR department, IT department, and a third-party security team who will see the situation with fresh eyes.
Use language in your strategy that is broad in scope and — unless it is absolutely necessary — avoids brand names. For example, say “mobile devices and tablets” instead of “iPhones and iPads.” Choose to say instead, “storage apps and sites” instead of “Dropbox and Box.” Otherwise, you are allowing the loopholes we mentioned earlier. While you’re here, check out our Cloud Security Solutions. We’re experts in cloud security issues and are happy to talk to your company about your security challenges.