Should Staff Use Personal Devices for Work?

From Security for Everyone, edition e1.0.0
Updated October 9, 2023

Now is the time to make a decision that can have a big security impact on your business. Do you allow staff to use their personal devices for work? If not, do they have other work-owned devices they can use to get the job done, or does your business operating model need to change? If you do allow them to use personal devices, how do you make sure those devices are just as safe as the work devices they could otherwise use?

To help you make that call, here are the realistic scenarios you can pick from. Think of it like choosing your own adventure, except all paths lead to safer devices!

···

Option 1: Provide work laptops to those who need them, and let them opt in to use personal mobile devices

If your staff are handling personal information or sensitive business data, this is a path for you to consider.

In this scenario, your business provides a work device that staff use for most of their work. It is managed by you and the business, which means you can protect them however you need to. You are not big enough to have a “centrally managed” device setup, so you will just be using standard consumer-type devices, and configuring them before giving them to the team. There is enough built-in protection on these devices that if they were lost or stolen, they can still keep the data and access stored on them safe.

You don’t require staff to use their personal phones, because they have work devices they can use to access things as needed. They can optionally opt in to log into their work email on their personal phone if they want, but they are not required to. If they do, the sign-in process explains that the phone will be partially controlled by you and the business to protect this access. This means if the device is lost, you can remotely wipe the device in a similar way you would if you were using the “Find My iPhone” feature. It also means you can require a few basic things, like a lock screen with a password or PIN.

If you choose this path, you need to make sure to:

  • Turn on the basic settings for mobile device management with your email provider. With major email providers like Google or Microsoft, you can be quite granular with the level of permissions you can keep for yourself. At a minimum, you need to have the ability to wipe any work-related accounts and data, and require a lock screen with a PIN or password. This is usually the basic option.

  • Set up work devices to be secure before handing them over. You can easily search any of the terms below in the device’s search bar to find the right spots in settings to turn these features on.

    • An up-to-date or updated operating system. You are at a size now where you don’t have that burden of old, legacy software that prevents you from using newer operating systems. Use the latest version where you can. The major operating system providers, Microsoft and Apple, tend to be clear and upfront on how long they will support existing versions.

    • Automatic updates are enabled. These are turned on by default, but now is the best time to check before handing a device over to someone else. Make sure that updates have not been “paused,” and you have nothing to download when you click the “check for updates” button in the device’s settings.

    • Security settings are enabled. Open up the device’s security or virus protection settings. Make sure the anti-malware, anti-virus, firewall, and other similar features are turned on. These features that come pre-built into your operating system are made to protect everyday people, and your business is small enough that it is easier to turn all the settings on and set automatic updates, rather than get too bogged down with trying to understand the exact risk a feature is meant to protect against. If it is a feature within your settings, chances are Microsoft and Apple thought it was important for their users and you can leave it at that.

    • Turn on hard drive encryption. This is a helpful setting that keeps all the data on the device secured and encrypted when it is turned off. It is especially helpful if the device is ever lost or stolen, as it prevents someone from taking apart the device and getting to the data inside. It also has the added benefit of requiring the device user to set a password to unlock the device, so turning this on is like hitting two security tasks with one stone.

    • Create a second user account and store your administrator account in your password manager. You will have set all these settings up as an administrator on the device. You don’t want your staff to undo all the work that you have done, accidentally or on purpose. Save the username and password for the administrator account you used in your password manager, and make it clear which device this was for. Then set up a second user account, the account your staff will use. When you create it, they will be given basic access to use the device, but will be stopped from performing any sensitive changes, like changing security settings or pausing security updates.

  • Speak to your staff about how they can protect the work device, and make sure they know to call you immediately if anything seems strange or not right. Your defensive perimeter has now expanded. Since you are sharing out control of the devices that let people into your business and see your data, you need to think of your staff as the first line of defense. They might be among the first to notice if something has gone wrong, and it shouldn’t matter at the time whether it was their fault or a mistake they made. Focus on growing that positive security culture by telling people to contact you when they need help. Having them save your phone number in their address book now will save them from panic later.

  • Make it clear personal devices are not needed, and what opting in to using their own phone means for the control you have over it. Oftentimes, if you provide staff with a work account they won’t have a need to use their own. Sure, there is nothing stopping them from logging into their work email on their personal laptop, but that is why security is usually a series of steps rather than a singular doodad you turn on. You’ll find, especially if you grow, half the battle with security is communication. While communicating with your staff now about personal devices won’t stop a problem from happening, it opens up a channel of communication and the expectations that “security here is important to us.” It sets that first impression and culture, which makes things like reporting problems or talking about issues later on much easier.

    It also allows staff who might not be technically savvy to ask questions and understand what these security controls mean. “Can you see what my text messages say?” or “Can you listen in to my phone conversations?” are questions that might seem silly but are important to address now. They are handing over some privacy on their personal devices by logging into their work email now, because you do have the ability to see what type of phone they have, what operating system it is running on, and when/where they last used it. Setting these as clear understandings now is important so your staff can make a more well-informed decision on actually using their personal phones.

  • Make sure the expectations you set for them and their responsibilities at work align with how you have set up their device access. It would be unfair to expect your staff to immediately respond to a work email if you don’t require them to use a work phone or have work email on their personal phone. It also wouldn’t be fair to expect them to get work done if you haven’t provided them a work device yet. Realign your business or operational processes to make sure they account for this new way of using devices.
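The pre-handover checklist above, as an added example that is not from the book: a PowerShell script for a Windows 10/11 laptop that reports each setting using only the built-in tools (the account name `staff` and the optional account-creation switch are assumptions).

```powershell
# Added example (not from the book): report the pre-handover checks from the list above
# on a Windows 10/11 laptop, using only built-in tools. Run it as the administrator
# account you configured the device with. It only reports, except for the optional
# -CreateStaffAccount switch, which creates the standard (non-administrator) account
# the staff member will sign in with.
param(
    [switch]$CreateStaffAccount,
    [string]$StaffUserName = 'staff'   # assumed name; pick your own
)

$report = [ordered]@{}

# Operating system version: compare the build against Microsoft's published support dates.
$os = Get-CimInstance Win32_OperatingSystem
$report['OperatingSystem'] = "$($os.Caption) build $($os.BuildNumber)"

# Automatic updates: not disabled by policy and not "paused" in Settings.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$ux = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -ErrorAction SilentlyContinue
$report['AutoUpdateDisabledByPolicy'] = ($au.NoAutoUpdate -eq 1)
$report['UpdatesPaused'] = -not [string]::IsNullOrEmpty($ux.PauseUpdatesExpiryTime)

# Built-in protection: Defender real-time scanning and the firewall on every network profile.
$mp = Get-MpComputerStatus
$report['DefenderRealTimeProtection'] = $mp.RealTimeProtectionEnabled
$report['DefenderSignatureAgeDays'] = $mp.AntivirusSignatureAge
$report['FirewallOnAllProfiles'] = -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })

# Hard drive encryption: BitLocker protection on and the system drive fully encrypted.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLocker'] = "$($bl.ProtectionStatus) ($($bl.VolumeStatus))"

# Second user account: the staff account must be in Users, not Administrators.
if ($CreateStaffAccount) {
    $pw = Read-Host -AsSecureString "Initial password for $StaffUserName"
    New-LocalUser -Name $StaffUserName -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $StaffUserName
}
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$report['LocalAdministrators'] = $admins -join ', '
$report['StaffAccountIsAdmin'] = [bool]($admins | Where-Object { $_ -like "*\$StaffUserName" })

$report.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

Anything reported as disabled, paused, or "Off" is a setting to fix before the laptop leaves your hands; the script deliberately changes nothing else so you can review the result first.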

Confusion: You probably notice the emphasis on “opt in” for personal mobile devices here. I am a firm believer that if you require someone on your team to use a device, and as part of their role they have access to data that needs to be protected, it is the business owner’s responsibility to make sure they have a secure device to access that data from. You can’t have your cake and eat it too—you can’t have your staff use their own personal devices and expect them to be able to protect it the same way you would if your business owned it. If you do need to require staff to use mobile devices, option 2 might be for you.


Option 2: Provide both work laptops and mobile devices to those who need them and make access for personal devices opt-in

In this scenario, your business provides both a laptop and a mobile device for staff that need them. You have expectations that these staff will be accessible for work on an on-call or ad hoc basis, and therefore have to provide them both.

Some staff will prefer to use just one device for both work and personal reasons. They can choose to opt in to use their personal device for work, and they understand the trade-off of control they are making here.

Any work devices are managed and controlled by the organization, but using consumer-level software. You are too small to use the clunky enterprise versions, and therefore will have to configure devices before handing them over.

If you choose this path, you need to make sure to:

  • Set up work laptops to be secure before handing them over. This would be the same steps as above, and we won’t duplicate them here.

  • Turn on the advanced settings for mobile device management with your email provider. The advanced settings allow you to have more granular control over any mobile devices that are logged into an account on your work email domain. Usually this requires the user to download an email provider app from the official store so that the email provider can get more permission or access to change things. Without this app, often the setup would fail.

    This is also where the larger email providers like Google and Microsoft allow you as the administrator to approve specific devices and disallow others. You want to set this up to require new mobile device connections to be approved, which means you or the other email provider administrators get an email or notification each time a new one tries to connect. You can easily approve the work mobile devices, or chat to any staff trying to connect their personal mobile devices.

    For now, the rest of the advanced settings can likely be left to default, and you can easily change them over time as the context of how you operate or the size you operate changes.

  • Set up work mobile phones to be secure before handing them over. You can easily search on the phone settings for these terms to find the right menus:

    • An up-to-date mobile operating system. Sadly, phone operating systems fall out of support faster than laptops, although it can usually be cheaper to replace an old mobile phone than an old laptop. Make sure the phone is on a supported operating system that still gets updates from the provider.

    • The rest of the security settings can be configured by your staff, as the advanced settings you have set on your email provider will require them to set things like a lock screen and a PIN.

  • Speak to your staff about how they can protect their work devices, and make sure they know to call you immediately if anything seems strange or not right. Again, set the security culture at the very start. Make sure they know why you have set up devices the way you have, what their role is, and how they can get help.

This option goes the extra mile by providing work devices and retaining more control over how they are used and secured, which is especially important for staff who have access to important systems or data. You might find yourself in a situation where you have some staff who have no access to risky systems or data, and perhaps the biggest risk they pose is that their email account is compromised and is used in a phishing attack. That is where option 3 comes in.

Option 3: Allow personal devices for staff in lower-risk roles, and provide work devices for everyone else

In this scenario, you have staff that don’t have access to customer or other personal information, nor do they have access to sensitive internal business data. For example, this could be staff that help you produce and manage digital marketing or sellable content, or perform physical tasks or work in a physical shop. All the access they need will be located in the physical workplace, or the access and data they need is low risk, and if it was lost or stolen it wouldn’t be the end of times. It would still be annoying, but a manageable annoyance.

You could let these staff use their own personal devices without needing to get control of them. If you have other staff that do have access to information and data that needs protecting, those staff would get their own work-provided devices so they can be secured and controlled.

If you choose this path, you need to:

  • Turn on the advanced settings for mobile device management with your email provider. All roads point to some type of mobile device management setting. This is because it allows you to collect some data about how your staff access their email accounts, and you can always toggle off any required security settings, such as the ability to wipe these devices.

    Knowing where accounts are logged in will be important, so you can tell if something seems not right about where they have logged in from or the type of device they are logging in from.

  • Be prepared to provide devices if their role or access to data changes. You have some staff using personal devices now because they present a lower security risk. This can change; they might start supporting someone in your business and start getting access to customer data, or they might cover for someone else in the business who goes on extended leave. It is important to scale the security the same way you might scale the accounts or system they need access to.

  • Make sure the expectations you set on them and their responsibilities at work align with how you have set up their device access. With this option, you are expecting staff to be able to do their jobs with very limited access to data. It is important to make sure that this expectation is right, or if you need to consider providing these staff with work devices or requiring their personal devices be secured.

Danger: We never recommend giving employees the option to use a personal device to access sensitive or risky data. That risk for you as a business owner is very hard to control. You don’t have much of an authoritative leg to stand on to require staff to secure their devices to a level you need them to, while not giving them any money to overcome any challenges. What if your staff can’t afford an iPhone that still receives security updates, or what if your staff share devices with others and can’t afford their own? Then it can’t be fair for you to put the burden of managing security risk on them. You need to either give them work devices, or you need to find ways for them to do their job with limited access to data.

Use Unique Passwords or Single Sign-On

You now have an inventory of the devices, accounts, and tools you use, and a strategy for keeping the devices used (work or personal) secured. The last step we want to talk through is securing the accounts and tools you listed. We will use “tools” and “accounts” interchangeably here, because they are quite synonymous in this context: we are referring to any software or website (or Software as a Service) that you use for your business and need to log in to.

We split this into two sections to tackle two very common licensing situations: tools where most of your team need access, and specialized tools where only a limited few require access.

How to Manage General Tools
