What are employers' responsibilities when we use personal tech to work from home?
With many more months of lockdown ahead of us, and workers reluctant to return to the office full time, it's time to think about roles and responsibilities
As we’ve been working from home for the better part of a year now, you might expect employers to be fully on top of their responsibilities when supporting people who use their personal tech for work activities. This isn’t always the case, however, so it’s worth familiarising yourself with the responsibilities employers should take when we use personal tech while working from home.
Are we really still using personal tech for work?
Employees behaving badly?
Why awareness training mattersDownload now
If there’s any doubt that we are still using personal tech for work, some sobering research from digital identity management firm SailPoint found that 25% of people in the UK use their own computers for work, while 11% have borrowed computers from family members or their partner.
Reversing the picture, 34% of remote workers in the UK said they use their work devices for personal uses with 64% of these checking personal emails and 60% admitting to doing online shopping. There are security implications, too: 42% of UK employees say their company has not put any additional cybersecurity measures in place in the last twelve months, while 24% said they have shared work passwords with a partner or family member.
This reveals that the blurring of what constitutes work and personal equipment and how this tech is used is still very much alive and kicking. It could create significant headaches for employers.
Getting serious about responsibilities
It’s important for employers to take their responsibilities around all of this seriously. Felipe Polo, a digital-focussed entrepreneur, non-executive director and investor, who helps organisations align their tech, teams and business strategy tells IT Pro: “[You should] make sure your employees have everything they need. Regulations may differ depending on the territory your employees work in, but at the very minimum, provide them with good laptops, good monitors and a good VPN in case they need to work with internal networks.”
Employers have some very clear legal responsibilities around all this. Take data security such as that required around GDPR for example, where there are legal requirements around managing personal information. Employers can expense their responsibilities around such areas. Christian Brundell, associate in the regulatory team at law firm Walker Morris explains: “To the extent an organisation incurs costs in connection with data security, those costs will be part and parcel of the business operating expenses and will generally be viewed by regulators as a burden that coexists in tandem with the benefit derived from the commercial activity. Accordingly, the employer will generally be expected to address any costs that arise in this respect.”
In practice this would mean employee support is likely to involve the provision of a secure access portal to employees (typically through use of a VPN), but wouldn’t amount to an obligation to contribute to employee home connectivity costs. Employers might offer to provide discretionary financial support, however.
When it comes to using personal tech for work, device security is more important than ever. How can a firm be sure that the data on a home worker’s device is truly secure? Tom Venables, practice director for application and cyber security, at risk management consultancy Turnkey Consulting, explains that “from a data protection point of view, employing organisations have to ensure that they’re doing everything in their power to protect sensitive information such as client, customer, and employee data”.
He adds: “Once data in on an uncontrolled device then many controls no longer apply and the chain of ownership is lost, with this risk increasing if the device is shared amongst other people within a household.”
For Venables, one of the responsibilities firms should take to ensure that devices remain secure is providing training on best practice and cybersecurity, and doing this regularly. Polo concurs, saying employers need to ensure robust security measures are in place – for example, by enforcing password rotation, encrypting hard drives, automatic laptop locking after a brief period of inactivity, using encrypted password managers and two-factor authentication, and creating access roles.
Going the extra mile
Getting things right in this respect isn’t only about securing tech and ensuring that workers are up to speed with best practice. It’s also about providing ‘softer’ support, which is arguably just as important as people using personal tech for work purposes, as employees deal with competing pressures around work/life balance, adjust to working in a home environment and maybe also try to manage home schooling.
The average workers is not a tech supremo, and as Brundell points out: “Since the majority of employees will not be best placed to assess the technical security capacity of an individual tool … or to appreciate its interaction with other business systems in play, the employer will generally want to ensure that only authorised technologies are used.”
Polo has some more advice, suggesting employers should “keep your door open in case any of your employees need some extra help … [and] try to facilitate any sort of financial aid if you are in a position to do so”.
This level of flexibility seems highly appropriate at the current time. If firms are going to support workers who use personal tech for work purposes, then focusing on both the ‘hard’ areas of legal requirements and secure access and the ‘softer’ areas of providing additional support – including financial help with broadband connections and equipment – seems to strike the right note.
The ultimate law enforcement agency guide to going mobile
Best practices for implementing a mobile device programFree download
The business value of Red Hat OpenShift
Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShiftFree download
Managing security and risk across the IT supply chain: A practical approach
Best practices for IT supply chain securityFree download
Digital remote monitoring and dispatch services’ impact on edge computing and data centres
Seven trends redefining remote monitoring and field service dispatch service requirementsFree download