It is standard procedure in many organizations for new employees to be given their own laptop, PC or other device to work with. Laptops are usually the preferred choice because they enable employees to be mobile and more productive.
At the same time, you have company-owned hardware ‘out of the admin’s reach and control’. And admins are aware of the risks: when employees are home, are they going to shut down the laptop or will they use it for personal stuff? By agreeing to use a company laptop, are they vesting their presumed ‘right’ to do what they want on it? Some employees might argue that if they are going to be using the device at home and still work, then they should be able to use it for personal needs (and those of their spouse and kids).
Given that employees will browse the Internet, play games and do their own stuff on the company’s laptop, what do they really get up to? Does their activity at home mirror what they do at work? Even more critical: should those devices be monitored remotely? How would that impact the organization? Are employees fine with Internet monitoring in the office but baulk at the thought that their home activity is vetted by IT?
A survey by GFI Software issued today takes an independent look into how workers use company-provided computers and laptops for personal activities, and the direct impact that personal use can have on the organization.
The study was conducted for GFI Software by Opinion Matters and surveyed 1,010 U.S. employees from companies with up to 1,000 staff that had a company-provided desktop or laptop computer.
The survey revealed that the employers of more than one-third of those surveyed (38.6%) had suffered a major IT disruption caused by staff visiting questionable and other non-work related web sites with work-issued hardware, resulting in malware infection and other related issues.
The study also revealed that 35.8% of staff would not hesitate to take company property including email archives, confidential documents and other valuable intellectual property from their work-owned computer before returning it, if they were to leave their company.
Furthermore, the study revealed that nearly half of those surveyed (48%) use a personal cloud-based file storage solution (e.g. Dropbox, OneDrive, Box) for storing and sharing company data and documents.
Key findings from the survey include:
- 66.9% of respondents use their work-provided computer for non-work activities
- Overall, 90.9% have at least some understanding of their company’s policy on usage, and 94.1% follow it to at least some degree
- 25.6% of those surveyed have had to get their IT department to fix their computer after an issue occurred as a result of innocent non-work use, while almost 5.8% had to do the same due to questionable use (porn, torrents, etc.)
- 10% have lost data and/or intellectual property as a result of the disruption caused by the outage
Big brother is watching
In addition to these findings, the survey also found a substantial concern among employees over whether their employers were monitoring their computer use, as well as a lack of understanding of how it can be done and what devices can be monitored.
36% stated they are concerned about their employer’s ability to monitor their computer use, while nearly 70% think their employer can monitor an iOS, Android, or Windows-based tablet use as easily as they can a conventional PC. However, almost one in five are unsure if their employer can monitor a tablet.
With many people using their company-owned PC as their own fully-fledged computer, and relying on it for everything from banking to shopping and music to videos, they will build up a comprehensive history of web sites visited, as well as files and documents of their own that have no bearing on their job role.
The survey also asked users how comfortable they would be if their co-workers, or their friends and family could see their personal browsing history. Almost one in five (19%) would not want their family or colleagues to see their browser history or hard drive contents in the event they were suddenly incapacitated, died, or otherwise didn’t have an opportunity to sanitize their computer first.
This reaction highlights significant issues for users who need to return a company-owned device when they leave a job, or simply when it is time for it to be replaced with a new model.
When asked what they would do to their computer first if their employment ended, 62% would make a grab for their personal files. 35.8% would also take company documents, including confidential data and customer lists, despite it being a blatant act of theft, raising significant concerns for employers over data security and compliance.
However, 28.5% would simply walk away from their work device, not taking anything, including their own legitimate belongings, from the unit before handing it back.
Top uses for work computers inside and away from the office
Data security and integrity is a big challenge for companies as a result of the widespread movement away from desktop computers to laptops. Since laptops are usually brought home, they frequently get used out-of-hours for both work and non-work activities. Without clear policies and guidelines in place on approved personal use boundaries – backed up with technology to limit access to the most challenging parts of the Internet – the dividing line between work tool and personal device can quickly become blurred.
There are clear arguments in favor of letting staff use company computers for a degree of personal activity. It’s good for morale and productivity, and it is just common sense. However, people still need to remember that at the end of the day it is not their device, and neither is the company data on it. It is surprising how many people forget that, and the GFI survey underscores just how true this is. You would not go racing around a track in a company car, even though they let you take it home for an evening and pay for the gas. The same principle applies to a company computer. Just because you can use it to access questionable content doesn’t mean it is appropriate to do so.
Data protection is also a big problem and one that has been exacerbated by the casual use of cloud file sharing services that can’t be centrally managed by IT. Content controls are critical in ensuring data does not leak outside the organization and doesn’t expose the business to legal and regulatory compliance penalties. Furthermore, it is important that policies and training lay down clear rules on use and reinforce the ownership of data.
IT admins have good reason to be anxious these days.
A copy of the full survey results can be found at: www.gfi.com/documents/pc_use_survey.zip