NEW YORK (MainStreet) — The majority of younger employees would oppose measures by their employers to prevent them from using their personal laptops, cloud, mobile device or tablet for work purposes, according to a new study.
“Employees can face the risk of disciplinary action for violating these rules,” said Heather Egan Sussman, partner and co-chair of the Global Privacy and Data Protection Affinity Group with McDermott Will & Emery in Boston. “This can mean losing the right to have a personal device at work, up to and including termination of employment or anything in between.”
A Fortinet study found that 55% of 21- to 32-year-old employees have experienced an attack on personally owned PCs or laptops, and yet 14% would not tell an employer if a personal device they used for work purposes was compromised and 51% would violate the policies that restrict the use of personal devices.
“It’s worrying to see policy contravention so high and so sharply on the rise as well as the high instances of Generation Y users being victims of cybercrime,” said John Maddison, vice president of marketing with Fortinet.
Some 89% have a personal account for at least one cloud storage service, such as DropBox, 70% have used their accounts for work purposes and 33% admit to storing customer data.
“There is no question that companies derive a corresponding benefit including cost savings by not having to pay for these devices to issue, but there also are huge risks to the company for allowing dual use devices to attach to the network,” Sussman told MainStreet.
Allowing employees to use personal mobile phones, laptops and tablets in the emerging Bring Your Own Device (BYOD) movement requires particular policies and procedures in the event of a breach.
“Employees shouldn’t be putting proprietary information on their device and storing it there,” said Tim Francis, enterprise cyber lead at Travelers. “They can link into company servers but shouldn’t download or store corporate information on a personal device.”
What’s at stake is $400 billion globally each year lost to cyber crime, according to the Center for Strategic and International Studies.
“When employers have a BYOD system in place, it’s one more thing that could lead to hactivism or extortion online,” Francis said.
In cases of hactivism, cyber attacks are not financially motivated but rather are about proving an opposing political point involving a company’s philosophy or ideology while extortion involves holding a firm hostage by encrypting its files and then demanding money be sent to an offshore account to release them.
“Extortion is on the rise because it’s easy and inexpensive,” said Francis. “Cyber criminals send a virus in an email to different companies, and it only takes one employee to open an email on their BYOD device.”
Depending on the policy, cyber risk insurance can serve as a safety net when and if a laptop is stolen, a mobile device is misplaced or an account is hacked.
“Ask your cyber policies if there are any exclusions that might be impacted by BYOD,” said Francis.
Employee security protocol particular to the BYOD trend includes device monitoring, password updates, a kill feature if the device goes missing and guidelines on what can and cannot be downloaded and uploaded from the device to company servers.
“Generally these policies make clear that the employee has no expectation of privacy in the device and that the company can and will monitor use of its network,” said Sussman.
--Written by Juliette Fairley for MainStreet