How can I prevent my employees from using business devices for personal use?

In 2020, the world went remote. The pandemic dramatically changed how employees work and added a new set of worries for employers. Without the walls of an office, how can employers ensure that employees are working?

In information technology, this was a question being asked by a few employers before the pandemic. But once the world went remote, the question became increasingly hard to answer. Without the central control of a unified network architecture, solutions had to be deployed that were silent and could report back to a central management system.

Employees felt spied on, and employers continually looked for ways to respect privacy while at the same time protecting their interests. Shouldn't we just trust the employees to do their jobs? "Yes," of course you should. But the question goes beyond production; it speaks to many other areas of interest to an employer:

• Security: Personal use can introduce malware and viruses. Computers connected to VPNs could potentially spread malware into the larger network. If you are in a regulated industry (like Healthcare for example) client PI data potentially being on a personal device would be a violation of most regulatory compliance standards
• Productivity: Employees may waste time on personal activities.
• Legal issues: Companies may be liable for employee misconduct. If an employee accidentally launches malware or opens themselves up to a breach, the fault will fall onto the company, not the employee. It's your responsibility to secure the system and protect against any potential liability.

Strategies to Prevent Personal Use

• Clear policies: Develop and communicate clear policies about personal use. For any company using a remote workforce, you should have the following policies: Acceptable Use, Security, and Privacy policies. These will provide some protection and dictate how company-owned equipment is to be used.
• Monitoring and tracking: Use monitoring software to track device activity. This can feel very spooky and invasive, but they are very silent, and if the employee has nothing to hide, then it should not be an issue. Most work by taking screenshots at various intervals and providing those to a central reporting site. One solution, Hub Staff, works by screenshotting whenever a new application opens. It also includes timers for tasks that help employees track their time.
• Education and training: Educate employees about the risks of personal use. Most cyber insurance policies will discount your rate when you provide proactive employee cyber security training.
• Device management: Implement device management tools to control access. Your MSP or internal IT should deploy remote management software to any company-owned devices used off-site. This will provide you with control over patching, antivirus, and other aspects of the system for security and productivity.
• Separate devices: Provide separate devices for personal and work use. If your business has a distributed workforce, by far the most important investment would be devices for your remote workers. They should have computers you provide preloaded with monitoring and security software with remote wipe capabilities. Personal devices should only traverse corporate data if the employee agrees to have you load your security and monitoring software on their device

Tips for Effective Enforcement

• Consistency: Enforce policies consistently across all employees.
• Fairness: Treat everyone equally.
• Communication: Be open and transparent about the reasons for restrictions, monitoring packages in use, and how they function.
• Flexibility: Consider exceptions for legitimate business purposes.

Remember, while it's important to prevent personal use, it's also crucial to maintain trust and respect with your employees. You do this with transparency and penness, providing them with company-owned devices for work.