Home Phones at Work?

There needs to be a clear line between device use for personal and work purposes.  This includes phone calls, emails and application use.  There have been recent examples of poor practice at the highest levels of the UK government.  In October 2022 it was revealed that Liz Truss, while foreign secretary, had her mobile phone compromised, allowing hackers to eavesdrop on high-level government discussions.  Around the same time the home secretary, Suella Braverman, admitted to forwarding government documents to her personal email account.

It might have been expected that large, security-conscious organisations, including members of the UK cabinet, would be using some form of Mobile Device Management (MDM) solution.  These can restrict the applications that can be installed and used, as well as facilitating remote updates and even device wiping.  These solutions do restrict what the individual can do at work and can tempt employees to carry another, personal, device to work.  This breaks the security fence set up by MDM and impacts on the work-life balance of the individual.  Some MDM solutions turn the device into a kiosk device.  These are locked down to provide only corporate applications, such as a bathroom design service for a retail chain.  Any communications outside the business of work might be impossible on such a system.

If a personal device is used for work-related communications then it facilitates receiving work calls and emails outside of the working day.  A regulated device, provided by an employer, could be left at work or turned off when not required.

With the growth in the use of mobile phones many expect instant communications even for matters of a trivial nature.  Older readers will recall living without constant connectivity even for emergency use.  The BBC was still transmitting emergency contact messages on the radio up until the 1990s.   It would be hard to deny the use of a personal phone for real emergencies but this will be an uncommon occurrence.

There is a grey area covering communications that are not essential but lighten the working day and might take place during sanctioned break times.  These would be harmless only if no work-related activity or data transfer takes place on any personal device.  A personal device could be hacked and, unlike a device within an MDM system, cannot be remotely disabled or wiped.

The means of communication also needs to be considered.  Voice conversations can be overheard and recorded if either the sending or receiving device is hacked.  Emails containing personal information from within an organisation would be a breach of GDPR if sent to an external, non-corporate email server.  Facebook and WhatsApp chat applications are a real risk as they store data external to the organisation and facilitate communications with ‘friends’ who might only be known by screen names.  These individuals might not be who they appear to be and could compromise security.  Certainly caution should be applied before using either for customer-focussed contacts.  Facebook and WhatsApp position themselves as a data processor rather than a data controller under the GDPR.  This leaves the security of personal data passed through their systems as the user’s responsibility.

The overall rule should be to use Mobile Device Management and issue corporate devices where feasible.  Often this is not practical, so corporate rules need to set out how and when personal devices can be used at work.  A system of warnings and potential disciplinary actions needs to be in place to ensure that rules are followed but that employees’ freedom is not unnecessarily restricted.

 
