There’s plenty of information and talk about the issues of allowing company data onto a personal device, but what about personal data on a work device? More and more of our personal data is stored in “cloud” services like Gmail and Evernote that we access from work computers and company-controlled accounts.
In the time of buzzwords like “BYOD”, business is rightly concerned about its data being on that tablet of yours that you managed to connect to the company wireless. They want to make sure that the correct level of security protects their data – especially things like email that almost everyone accesses from their smartphone, tablet or even web kiosk. Personal devices have proliferated in the workplace since they became cheaper, smarter and cooler to have than the company-provided devices. Right now business is just starting to catch on and recognise that things are changing and that not everything can be restricted or dictated the way it used to be.
But for much longer than the iPad has been around, we’ve all been accessing web sites and apps at work with personal login information. Some of the time we also click the “Remember Me” option when logging in without a second thought. All this information about our own email, blogs, password managers, Amazon account and other browsing habits is sitting on that company device, protected by that one password for your company login.
So think about all the people in your company who have the ability to reset your work account’s password. In an enterprise environment that might be fifty or more people. In an environment that’s been poorly managed that might be in the hundreds. All any of them has to do is reset your password, log in to your machine and start up a browser. Whatever sites you jump onto on a Monday morning without logging in are theirs for the viewing. After a long holiday you may not even notice – “Whoops, I must have forgotten my password”. None of your personal sites are being “hacked” or even having their passwords changed; you’re already logged into them on your work PC.
What can you do about this? Don’t save your passwords at work and don’t stay logged in to any service you value. If you’re thinking that you don’t care about access to your email, just think about what information is in there: personally identifiable information, and probably the password resets for most other sites you’ve signed up to. What about bank account info or insurance updates?
To take this one step further, combine the person with access to reset your password at work with the person who manages your work cell phones, and add the fact that your bank uses SMS as a two-factor authentication option. They’re a password reset and SIM transfer away from your bank account.