Cybersecurity Handbook
Chapter 6

Is Working on Your Personal Device Recommended?

Using a personal device for work can be practical, for both employee and employer, who can thus avoid the expense of frequently having to buy electronic devices. Its use also comes with certain risks that we need to keep in mind. 


What are the risks?

The risks are mainly related to the authorized access on your device (cloud service, linked accounts), the strength of your passphrases (or their weakness, if you haven’t followed our valuable advice), and your Internet connection.

The basis of the BYOD policy

In the BYOD Policy (Bring Your Own Device) section, we help you establish a policy for your organization. If the use of a personal device for work is your only solution, no problem: it’s completely understandable. You just need to be sure to establish a BYOD Policy

Establishing this type of policy helps to reduce the attack surface significantly. The logic is simple: every connected device increases the risk, and every secure connection decreases it.

As an overview, here are some recommendations you can apply quickly and easily!

  • Make sure you have a secure authentication for opening your device (passphrase, fingerprint, etc.).
  • Whenever possible, separate your personal and professional documents in the folders on your desktop and in your online accounts.
  • Systematically organize your professional folders so that you can trash and permanently delete them quickly and easily. Deleting a properly organized folder at the end of a contract is much simpler than finding files located in different places on your device and deleting one at a time.
  • Use secure passphrases for all your accounts, even personal ones, since a personal account breach can impact your organization.
  • Make sure you have completely different passphrases for your personal and professional accounts. This way, if one of your personal accounts is compromised, the integrity of your work will be assured. 
  • Update your device and software regularly. Updates often fix security breaches. They protect your device from recently discovered cyberattacks.

Let’s briefly go over this last piece of advice. We all know that updates are incredibly tedious and take time. Whether you’re using your own computer or the organization’s, updating the applications and operating systems (on your computer and mobile devices) is one of the main recommendations given by cybersecurity experts. The reason is simple: many viruses and malware (such as ransomware) can gain access to your computer by exploiting the vulnerabilities that have been found and documented. Security updates fix these vulnerabilities and thereby immunise your outdated software.

What are the advantages of separating private from professional?

It’s important that an employee using their personal computer or borrowing a device from their workplace separates their private accounts and information from those of the organization. 

Just as in the offline world, our private and professional lives benefit from staying digitally separate as much as possible. While this may be difficult to do at times, remember that every action of segmentation reduces the risk of data being compromised. The segmentation also facilitates the transition when someone leaves the organization.

Certain starting points are easy and obvious. Let’s begin with the basics: have different email addresses for your private and professional activities. If your personal account is linked to your organization’s accounts, a data compromise could easily endanger the documents and sensitive data of your team and all the linked accounts.

Some additional precautions

We can never repeat it enough: a strong and unique passphrase for logging in or accessing an account is also a necessary starting point. The other necessary starting point is without a doubt regularly updating your applications and operating systems. 

What to do when the private/pro separation is impossible?

It’s not possible to separate everything. If you use your own device, you will certainly use the same browser for personal and professional activities. You can nevertheless take some precautions to reduce the risks associated with these practices. 

It’s recommended to always enter your usernames manually or through a password manager. If possible, organize your professional passwords in a separate folder in your password manager. This will allow you to delete its contents easily.

Why is using a password manager recommended when browsers can remember our usernames free of charge? Because this automatic service always comes with an additional risk: it saves your usernames and passwords locally in your browser, often in a non-encrypted manner. Therefore, if someone were to gain physical access to your device (if your computer is lost or stolen, for example), this person would win the jackpot: the access to all of your accounts. 

The distinction between private and pro accounts is also made in your password choices. Clearly at this point, you should have unique passwords (RIGHT?!). An absolutely crucial first step is using completely different passwords for your private and professional accounts. We are well aware that you have a tendency to create variations of the same passwords to make them easier to remember. At the very least, it’s important to refrain from doing this in a professional context. 


Recap

  • Have separate devices for your personal and professional life as much as possible.
  • Use different professional and personal accounts (social networks, email, etc.).
  • If having separate devices is not possible, establish a BYOD policy. 
  • Make sure to always update your devices.
Chapter 7 What Risks Do We Face on Social Media? All the Chapters