Tuesday, June 4, 2013

Using Personal Computers In the Workplace

At ACT, we support a great many organizations that allow employees to use their own computers at work.  Sadly, I've noticed that some of these companies don't set many rules for use of personal devices.  This can be a problem for both sides of the keyboard.

Companies SHOULD have rules regarding what can and cannot be accessed on the network.  This accomplishes two goals.  It enforces necessary security rules for the safety of the network assets.  For example, one of the key problems with personal devices is the ability of employees to carry critical and potentially confidential information beyond the limits of the in-house security system.  If an employee from HR, for example, copies personnel records onto their notebook to work on from home, that confidential information is vulnerable to theft or loss despite the best intentions of that employee.  If he or she stops at the store on the way home and the notebook is stolen off the front seat of the car, the company now has a serious exposure to penalties, litigation or financial loss.

From the employee side of the equation, the issue is more pragmatic.  They want to know what kind of device to buy so that they can access the right assets at work and do their job better. 

Here's a real-life example of the hassle that can ensue when there aren't good policy guidelines for use of personal computers.  Employee A wanted to use her own tablet at her job.  She needed to access data on the move at work and her desktop limited her ability to do that.  Her employer had no rules regarding what could or could not be accessed.  She knew that she needed access to the company web site for part of her job but she also wanted to access data on the company file server.  She got a vague "OK" from her boss, who wasn't particularly computer savvy, and headed off to her local Super Store where the salesperson talked her into a Microsoft Surface with Windows RT.  Here's where her problems began.  Because there were no company guidelines on what kind of devices were allowed on the network, she wound up with a device that would only do half of what she wanted.  She COULD access the web site but Windows RT isn't intended to be run on a network like the one at the office, so accessing server assets became a problem.  I'm not picking on Microsoft or Windows RT.  The tablet could just as well have been an iPad or an Android tablet and the hassles would have been similar.  She wound up with a solution that only solved half of her goals.  Of course, there are technical workarounds that a good IT department can implement to resolve some things, but wouldn't it have just been easier for the company to think ahead and publish some guidelines so she could get it right without the extra hassles?  She really needed a tablet with Windows 8 Pro instead of RT to do everything she wanted.

Here's a very simple Personal Computer Use Policy example. 
  1. Employees are allowed to use their personal computers in the office but only for the following tasks X, Y and Z. (This lays out what they can and can't do) 
  2. These computers must have the following programs installed prior to connecting to our network - Trend Micro anti-virus, BitLocker file encryption software and A, B and C security related programs.  (This protects company assets stored on their computers)
  3. Computers must be registered with and inspected by the IT department prior to connecting.  (For security purposes the company must know who is accessing their assets and that the devices are secure.)
  4. No company confidential information may be copied to personal devices unless it is encrypted and the company knows the encryption keys and password.  ('nuf said!)
  5. If an employee desires to access our network, we require XYZ operating system and Acrobat version xx.x, FlashPlayer version xx.x, MS Office 2013 etc.  (Now they know what to buy)
  6. Computers with the following operating systems are NOT allowed on the company network. (and what NOT to buy)
  7. Every employee desiring to use personal computers on the company network must sign a confidentiality agreement, an appropriate use agreement and must present their computer for inspection by the company in the event of any suspected security breach.  (they have to acknowledge they will follow company rules)

This kind of policy establishes some basic rules for the employee to work within but also gives them some guidelines for what to buy if they intend to use their personal computer at work.

One final thought: don't think that personal use policies only apply to notebooks and tablets.  They apply to things like smartphones, PDAs, flash drives and any other device that can hold data.  Remember that e-mail is considered a company communication asset too, and if your managers or staff use their personal devices for receiving e-mail, there should be provisions for that in your personal device use policy!
