COVID changed the work landscape for the foreseeable future. Many employees are still not comfortable returning to the office, and companies have noticed that reducing their real estate footprint saves them millions of dollars. So it seems like everyone wins, right? WRONG!
Work-From-Home (WFH) may be a viable alternative to the traditional office setup, but it can become a dilemma if not appropriately managed.
When the pandemic hit, companies closed their offices, and employees rushed home to work. In some cases, their company’s IT department set things up correctly, hardened home networks, and only allowed work to be done using company-issued hardware and software. Sadly, some did not.
Case in point: unless you have a strong IT game plan, do not let anyone use their personal computer for work. Here’s why.
A Frightening Scenario
Frank wants to sell the old laptop he bought himself a few years ago and used for work from home during the pandemic. So he put an ad on social media that said, “Selling my old work laptop. All offers considered.”
Frank’s ad got a lot of play, and he soon sold his laptop. Before paying, the buyer asked Frank if the device still had any data on it. Frank said yes, but he would clean it off when the buyer came to pick it up. It would only take a few minutes.
Before handing the computer over to the new owner, Frank went to his “C” drive, highlighted his folders and files, and hit the “delete” button. Then he handed over his computer to the new owner and received his money.
The buyer went home, used free data recovery software, and retrieved the work files Frank thought he had deleted. The laptop was soon sold on the Dark Web.
Unknowingly, Frank put his company, fellow employees, and clients in danger because cybercriminals now had access to confidential corporate and personal information.
Frank’s company was hacked shortly after that. Their data was held for ransom, which they paid, but the crooks never gave them the key to unlock their information. The company’s data was sold on the Dark Web, and many employees and clients had their identities stolen.
Frank was fired immediately, but the company went out of business shortly afterward, unable to survive the loss of access to its data, a severely tarnished reputation, and the onslaught of lawsuits against it.
How Many Red Flags Did You Spot?
- Frank did not get his manager’s approval before selling his laptop. Even though Frank owned the device, the minute his company permitted him to use his personal laptop for work, the company had an obligation to ensure their data was secured.
- When Frank advertised his laptop for sale on social media, his ad mentioned that the device was used for work, immediately alerting and attracting cybercriminals.
- Frank thought that merely deleting data off of the drive was sufficient. He didn’t know that the “delete” key doesn’t delete data for good; it only hides the data’s location on the drive, and the data stays there until it is overwritten by something else. Free recovery software can easily be downloaded from the web.
- The company did not have a Business Continuity solution in place to back up data on the network and save copies onsite and to two geographically dispersed data centers in the cloud. If it had, it would have had copies of all of its data.
What Should Have Happened?
- The company should have had written policies in place covering the use of company-owned equipment, protecting its data wherever it is located, Working-From-Home (WFH), Bring-Your-Own-Device (BYOD), and the use of personal devices for work.
- All employees should have been required to acknowledge the company’s IT policies.
- The company should not have allowed employees to use personal computers for work. If exceptions needed to be made, then those personal devices should have been required to have company-approved security software installed with the ability to remotely wipe data should they be lost or stolen.
- Anyone approved to use their personal devices for work should have:
  - Received that approval in writing.
  - Acknowledged, in writing, that they will adhere to all company IT policies and receive written approval to dispose of the device only AFTER the company’s IT department has reviewed and securely wiped company-related data from the drive’s contents.
- The company should require all employees to undergo ongoing Security Awareness Training, including simulated phishing attacks and weekly instruction.
Properly disposing of devices is very important. The devices we use daily can store massive quantities of sensitive information. If the data is not correctly wiped from a device, it could be easily accessible to cybercriminals.
Your company’s IT department or Managed Services Provider (MSP) will have the knowledge and tools to wipe hard drives so all data is securely deleted. Ask for their advice and guidance to protect yourself and your company. Be safe.
XSolutions is an IT Services Provider serving New York (NY), New Jersey (NJ), and Connecticut (CT). We provide Managed IT Services | Managed IT Security | Backup & Disaster Recovery | Cloud Data Protection. Call (845) 362-9675 for a free consultation.