The use of a personal IT solution by an employee in the company must be strictly supervised.
Between teleworking and the rising level of computer equipment in private homes, it is increasingly common for an employee to use his own computer to carry out a professional task. Mixing the two in this way can put company data at risk. Here is why.
BYOD?
BYOD, for "bring your own device", means bringing your own equipment to your workplace (or using it at home while telecommuting). The practice has grown strongly since smartphones, laptops and tablets entered French homes. It is the choice of those who believe (often rightly) that their own equipment is more efficient than that provided by the company, or who wish to carry out both their professional and their personal activities with a single tool.
However, this practice is not without risk, insofar as it prevents the company from ensuring the protection of its network and of the data stored there. The company is thus exposed to the loss of data stored on the employee's machine in the event of breakdown, loss or theft, to intrusions by attackers via this machine, to breaches of the confidentiality of stored data, and to contamination of its network by malware.
The temptation to ban this practice
Ensuring the security of a network requires having control over each of its components. However, this is no longer the case with BYOD. This is why in its “recommendations for the protection of essential information systems”, the National Agency for the Security of Information Systems (Anssi) considers that a “controlled IS cannot integrate the practices of bring your own device (BYOD) where people can connect to the IS personal equipment whose operator does not control the level of security”.
Concretely, for Anssi, a controlled workstation is “a workstation provided, configured and maintained by the operator. On the one hand, it cannot be personal equipment and, on the other hand, the user cannot be an administrator of the station, since the level of security could then be directly modified by the user”.
From a purely security perspective, BYOD is therefore to be avoided.
The choice of collaborators
On the side of the collaborators, several elements explain the use of software or hardware solutions other than those of the company:
- Not knowing that these practices are prohibited or not recommended;
- The impossibility of bringing the company's computer equipment home;
- The obsolescence or lower quality of the hardware or software solutions made available by the company;
- An excess of security rules that degrades the conditions of use of the hardware and software provided;
- The refusal to use several tools, in particular several smartphones.
These are strong and consistent motivations that companies must weigh before considering a simple BYOD ban. Prohibiting BYOD outright, with nothing offered in its place, exposes them to "Shadow IT", in other words to the undeclared use of communication hardware and software. That practice is even riskier for the company because it is entirely clandestine.
The use of COPE…
To limit the risks of "clandestine" BYOD, the company has two options. The first consists in prohibiting the use of a personal machine in the professional context. But beware: as already mentioned, this requirement will only be accepted if the equipment provided is as efficient and user-friendly as the employee's own.
An exchange phase should therefore be initiated to better understand the needs of employees, but also to remind them of the dangers that the use of an “external” machine or software poses to the company.
In addition, employees should be authorized, within a restricted and secure framework, to use the company's equipment to carry out certain private actions. We are talking here about COPE (“corporate owned, personally enabled” or “company ownership with private access”).
These exchanges will lead to the drafting of a charter defining the rules for the use of company equipment for personal purposes.
… or very supervised BYOD
The second solution amounts to authorizing the employee to use his own equipment in a professional capacity, but only if this equipment can be secured by the company and its use is supervised.
The idea here is to protect the professional data processed on the employee's device, but also to consolidate the boundary between professional and personal uses and data. Here are the 5 main rules recalled by the government platform Cybermalveillance.gouv.fr on its page dedicated to the security of mixed professional and personal use.
Use different email addresses
A handling error can lead to an email being sent to the wrong person (an intimate message to a colleague or a service provider, a confidential professional file to an acquaintance). In addition, the risk of having a mailbox compromised is greater with free services. These are two reasons not to mix personal and professional messaging.
Distinguish between online storage spaces
Some storage spaces (Dropbox, Drive, etc.) are used by individuals for their convenience, but also because they are free. Here again, their use to store professional data, especially sensitive data such as customer files or contracts, must be prohibited. Business data should only be stored on secure company servers (physical or cloud).
In the same spirit, no professional data should be kept on the machine's hard disk, at the risk of being lost or exposed in the event of breakdown, loss or theft.
Use different passwords
The temptation is strong to use the same password for all of one's accounts. However, this practice is strongly discouraged: if that password is discovered, all data is in danger, personal data but also the company's. Using a different password for each account is therefore necessary.
Do not install any software
Certain software or applications made available free of charge on the Internet or on download platforms may contain viruses or functions intended to spy on their users. For these reasons it is advisable to be very careful and to install, on machines used for both professional and personal purposes, only programs coming from well-established platforms or publishers.
Provide security updates
As with company machines, security updates (operating systems, anti-malware software, browsers, etc.) must be installed as soon as they are published. Enabling automatic updates is recommended here.
Here again, a charter defining the conditions of use of BYOD machines will have to be implemented in the company.