
So You Think You Are Saving Money by Letting People Use Personally Owned Computers

Many companies allow employees to use their own personal computers for work. They do this for employee convenience and an apparent cost savings. After all, if we don’t have to buy employees their own laptop, certainly we will save money. At least it seems like that is true.

In a perfect world, with no hackers, maybe that is true. Unfortunately, that is not the world we live in.

So when companies allow or encourage or require employees to use their own computers, they are putting the company at risk.

They are putting the company’s data at risk.

They are putting the company’s customers’ data at risk.

They are putting the company’s reputation at risk.

Here is a story about that.

LastPass fessed up today that one of its engineers was using a personal home computer for work. That computer got hacked. The hacker installed a keystroke logger on that computer.

How it happened is not so important – other than, one more time, a third party was involved. But here is the short version of the story.

The attacker pivoted from the August 2022 attack to recon, enumerate and then exfiltrate (that is a fancy word for steal) data between August and October of last year.

The attacker then exploited a vulnerability – a remote code execution attack – in a third-party media software package to plant the keystroke logger on the engineer’s home computer.

Using the keystroke logger, the attacker was able to compromise the employee’s access to corporate vault entries, secure notes, decryption keys and data on 30 million users.

On the other hand, the company saved a few bucks by either forcing or allowing the employee to use a personally owned computer for work.

Definitely worth the savings. I suspect that LastPass probably doesn’t think so any more.

Why does the ownership of the computer matter? Because, if the computer was owned by the company and the company installed its full suite of security software on it, managed the updates, managed access and was logging events on that computer – well, maybe or probably, I would not be writing this blog post right now.

Now would be a good time to rethink your strategy. If it is important enough for an employee to be able to work at home, then buy them a laptop. Period. No argument.

Just sayin’.

Credit: Security Week
