Separate Personal and Professional Use
One of the most important things that small businesses can do to improve their cybersecurity posture is separate the personal and professional use of computers, devices, and ideally – network segments.
We’ll cover network segmentation in the next lesson. In this lesson, we’ll focus on creating a separation between work and personal-use devices like desktop computers, laptops, and cell phones.
From a practical standpoint, this means that every employee of the company who needs a computer has a dedicated work machine. The same goes for cell phones, and even the network itself.
Separating personal and professional devices is important because it significantly enhances security, and can also improve operational efficiency. When people mix personal and professional activities on the same device or network, the risk of cyber threats such as malware, phishing, and ransomware increases – a lot.
There are a few reasons that we recommend separating personal and professional use of devices.
First, it defines which assets are personal and which are company assets, and it allows the company to effectively control what happens on business devices. Most people enjoy surfing the web and hanging out on social media. Almost everyone does it, and it typically involves a lot of random link clicking. This is one of the main ways that you get infected with malware and your network gets compromised. It’s really hard to tell an employee they can’t openly browse the internet on their own devices. It’s much easier to restrict what a user is allowed to do on a company-owned computer or phone.
A related point is that, compared with personal devices, work devices can have more limited use, and this keeps the company safe. In order to effectively perform their role, most employees need access to specific software and access to specific websites – and that’s often it. Users don’t need to be able to install whatever apps they want in order to do their job. In fact, the company should usually be determining what apps are needed, not the users themselves (although it’s always great when the company listens to its employees). By limiting what is allowed on a company device, we reduce its attack surface as well as the likelihood of a successful attack through a variety of means. An app that isn’t installed on a work machine can’t introduce a vulnerability, and it can’t be exploited in any way.
Next, a clear separation of personal and professional usage may be required for compliance reasons. We’ve already seen that using secure configurations like the Principle of Least Privilege is a very important aspect of the organization’s security strategy. Some companies that have compliance requirements go farther and implement hardening measures designed to stop or slow an attacker’s progress. These types of secure configurations can reduce the individual’s ability to freely enjoy the use of their device.
In addition, we want to encourage small businesses to adopt technologies that can actively protect against cyberattacks, like Managed Endpoint Detection and Response (EDR/MDR). There is an associated cost that the company won’t want or need to extend to personal devices.
Finally, most people today are familiar with the use of work and personal devices and it’s standard practice for a new employee to be issued company devices as part of the onboarding process. New employees are already going to be used to browsing the internet on their own devices, and there’s no need to change this behavior (although it’s always good to encourage employees to be as secure as they can be).
Protecting the Company From Both Risky Behaviors and Configurations
By only using personal devices for personal use and professional devices for company use, we automatically protect the company assets from both risky online behaviors and insecure configurations.
Configuring Devices For Professional Use
Devices issued to employees should be pre-configured using the Principle of Least Privilege:
- Employees shouldn’t have administrator access on their device.
  - Unless they’re in IT, in which case they probably need admin access, but it shouldn’t be the default account. They should only use the admin account when it’s needed.
  - Giving employees admin access nullifies your ability to control their devices.
- Employees should only have access to the devices and applications that they need to do their job.
  - Consider what apps an employee needs and then issue access on a case-by-case or role-based basis.
  - If an employee only needs occasional access, consider having them work with IT to perform that task, rather than giving them a set of permanent login credentials that could potentially be targeted.
- Strong configurations need to be enforced, including password length and complexity and the use of multi-factor authentication.
- Internet access should be restricted; ad blocking, social-media blocking, and adult-content blocking are common.
- Companies with compliance concerns (such as those in the financial or medical industries) should have their devices hardened using the CIS Benchmarks or whichever other framework is needed to achieve compliance.
  - Hardening makes it much harder for a device to be successfully attacked, but it can take a few hours for a professional to properly harden a single device and is therefore a bit expensive. That’s why we recommend it as a primary tactic for compliance-concerned businesses, and only as a secondary tactic for others.
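The checklist above can be turned into a repeatable audit. The following is an added example, not code from the original lesson: a small Python checker that scores per-device configuration records against these least-privilege rules. The record fields, the role name "it", the 14-character minimum password length, and the filter category names are assumptions chosen for illustration.

```python
"""Audit work-device configuration records against the lesson's least-privilege
checklist. Added example; the Device fields and policy values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed policy values: the lesson only says "length and complexity".
MIN_PASSWORD_LENGTH = 14
REQUIRED_FILTERS = {"ads", "social-media", "adult"}


@dataclass
class Device:
    user: str
    role: str                        # assumed role label, e.g. "sales" or "it"
    default_account_is_admin: bool   # does the day-to-day login have admin rights?
    has_separate_admin_account: bool # a second, admin-only account exists
    min_password_length: int
    mfa_enabled: bool
    web_filter_categories: Set[str] = field(default_factory=set)
    compliance_required: bool = False
    hardening_benchmark: Optional[str] = None   # e.g. "CIS"


def audit_device(d: Device) -> List[str]:
    """Return a list of findings; an empty list means the device passes."""
    findings = []
    if d.default_account_is_admin:
        # Nobody, IT staff included, should work day-to-day as an administrator.
        findings.append("default account has administrator rights")
    if d.has_separate_admin_account and d.role != "it":
        findings.append("non-IT user holds an admin account")
    if d.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"password minimum length {d.min_password_length} < {MIN_PASSWORD_LENGTH}")
    if not d.mfa_enabled:
        findings.append("multi-factor authentication not enforced")
    missing = REQUIRED_FILTERS - d.web_filter_categories
    if missing:
        findings.append("web filtering missing: " + ", ".join(sorted(missing)))
    if d.compliance_required and not d.hardening_benchmark:
        findings.append("compliance device not hardened to a benchmark (e.g. CIS)")
    return findings


def audit_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each user to that device's findings so IT can triage the fleet."""
    return {d.user: audit_device(d) for d in devices}


SAMPLE_FLEET = [  # constructed sample records, not real inventory data
    Device("alice", "sales", False, False, 14, True, set(REQUIRED_FILTERS)),
    Device("bob", "it", True, True, 16, True, set(REQUIRED_FILTERS)),
    Device("carol", "finance", False, True, 8, False, {"ads"}, compliance_required=True),
]
```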
Separating The Personal and Professional Network
In addition to creating a distinction between personal and professional devices, we recommend segmenting personal and professional networks where they coexist, such as in home offices or retail locations.
For example, in a home office we need to consider both the needs of the company in obtaining secure internet and network access, and the needs of the family in providing internet for everyone at home, including access to social media and entertainment apps. Many homes today also have IoT devices such as an Amazon Echo (‘Alexa’), cameras, locks, doorbells, or ‘smart’ appliances.
For most home offices, security, and potentially speed, can be greatly enhanced by creating separate ‘virtual’ networks (VLANs) for personal and professional use. It can also be greatly beneficial to put all of the IoT devices on their own VLAN.
Similarly, small businesses with customer-facing locations often want to provide internet access to their guests. Unfortunately, it can be tricky to properly set up a secure guest Wi-Fi network. We’ve seen many cases where businesses thought that they were secure but in reality had no protection at all! If a guest network is improperly secured, it may allow guests open access directly to the company assets. Most guests aren’t malicious hackers. What’s scarier is that if a guest’s device has already been compromised by an attacker, that attacker will now have direct access to the company’s network.
As with the home network, proper segmentation is key.
This might sound a bit technical, and it’s true that the inner workings of VLANs are a bit complicated. But you don’t need to be an expert to properly segment your network!
We’ll cover more about this in the next lesson. If it all seems too technical, remember that you can reach out to us at any time!
Additional Reasons For Separating Personal and Professional Use
This section is for those who would like to learn more about this topic. It looks at the issue from several perspectives that help add context for why it matters.
Compliance with data protection and security regulations is one critical reason for maintaining separate devices. Regulatory frameworks like GDPR, HIPAA, and PCI-DSS require businesses to protect sensitive data and maintain auditable security practices. Personal devices, with their unpredictable usage patterns and lack of consistent security measures, make it harder to achieve compliance. By using dedicated work devices, small businesses can implement and demonstrate adherence to these standards more effectively, avoiding potential fines and legal consequences.
From a tactical standpoint, segregating devices reduces the number of potential entry points for attackers. Personal activities, such as downloading apps, gaming, or using social media, can introduce vulnerabilities into a business network. Keeping work devices strictly for professional use limits these risks and ensures that only authorized software and applications are installed.
Furthermore, the separation makes it easier to enforce security policies. Businesses can use tools like Mobile Device Management (MDM) to ensure that professional devices are regularly updated, protected with strong passwords, and monitored for compliance with organizational policies. This level of control is difficult to achieve on personal devices, where employees may resist or overlook security protocols.
When security incidents do occur, having dedicated professional devices simplifies the process of incident response. Mixed-use devices make it challenging to identify the source of a breach or isolate compromised systems. Clear boundaries between personal and professional devices allow for quicker identification of issues and more efficient resolution, minimizing potential damage.
Finally, separating personal and professional devices contributes to a business’s reputation. Clients, partners, and customers expect their data to be handled securely. A security breach caused by personal use of a work device can erode trust and damage a company’s credibility. Demonstrating strong security practices through device separation shows that the business prioritizes its clients’ and stakeholders’ safety.
In summary, maintaining separate personal and professional devices is a fundamental step in reducing risks, safeguarding sensitive data, ensuring compliance, and enhancing productivity. For small businesses, this practice is an essential component of building a secure and professional operational foundation.