What's the thoughts on the MS authenticator app on your personal phone? (For use logging onto work accounts).
I think that’s perfectly reasonable (and happily run it on my own phone).
Forwarding work mails to personal email is a sackable offence in our place – but it’s a regulated industry so we’re under a lot of scrutiny.
So do I. Do you not use document classification? Most of the crap I get in is Not Protectively Marked, occasionally a Protect: Personal Information and on very rare occasions I get a Protect: Proprietary. I don't think I've ever received or even seen a Sensitive Information or higher, but we all know (in theory) the classification system and what we can do with each doc type.
Forwarding work mails to personal email is a sackable offence in our place – but it’s a regulated industry so we’re under a lot of scrutiny.
I work in a regulated industry too, but we don't have a blanket ban (for obvious reasons) - still not installing any form of MDM on my own phone.
Is the company trying to get a certification such as Cyber Essentials? Personal devices are now in scope if they touch personal data. Just having a decent AUP signed by users is not enough, and technical controls need to be in place to ensure compliance. The main reason for this is the old CIA triangle - confidentiality, integrity and availability of data belonging to the company. The controls state that all devices must be fully patched, only have authorised apps, not be jailbroken, have 6-digit PIN codes and be supported models. Unpatched systems, including phones, are in the top 3 attack vectors for malicious access to data (social engineering and weak passwords are the others). It’s a massive problem. If a hacker compromises a phone with access to company data, that is an easy way into the inner sanctum, and you had better hope the company has good security and detection methods inside. Ransomware, exfiltration and publishing of confidential data, and manipulating data are all possible. CIA goes to pot, the GDPR police get involved and it’s not good. The cost of recovery can be huge.
The problem with Cyber Essentials is that it is a tick box exercise and many companies tick the boxes but don’t apply the controls. It drives me mad and I tell customers that is not the point - it is meant to make you more secure and try to stop data breaches. Often it falls on deaf ears.
Separating personal devices from company data is a problem that isn’t going away and sometimes it’s a case of being draconian. The company says you aren’t coming in unless we have controls. You can say no as personal data can be compromised, so you don’t come in. As mentioned, they should provide devices for this access. Many places just ban personal devices now.
I’m ranting a bit, but user awareness training is also massively important. Educate your staff in why these controls are in place and get them on side. All the tech controls in the world don’t protect against an effective phishing attack.
Sorry, you can go back to your daily lives now. But watch out, and update that phone!
Have you read your company policy?
Ours states that personal devices must be surrendered for inspection upon leaving the company IF you use it for company business...
Therefore - it's a hard no for me, beyond my immediate team phoning me or WhatsApping me to let me know to check my other phone when there are issues during my downtime.
Likewise, I don't use my work phone for personal business - I know a lot of people do.
Everything is in its own container on the phone, but I have a work phone as I want to be able to turn it off when I’m off.
With the segregated phone you can turn off the work half, it has the same effect.