business security

Avast finds employees connecting personal devices to SMB networks

Our findings underscore the fact that good security is directly related to visibility and control

It’s never a good idea to mix work and play. And when we’re talking about security and data privacy, that rule doubly applies.

For years, it’s been a best practice to have separate systems and devices for work and home. Primarily, this protects the security and data at work because home systems typically don’t have the security and privacy protections that businesses need. However, it also helps to protect security and data at home, too this ensures that things employees don’t want to share with their employer remain private.

In light of that, findings from a new survey carried out by Avast underscores the fact that an alarming percentage of companies and employees aren’t following this best practice.

In a new survey of IT Decision Makers (ITDMs), we have found that employees in almost a third (31%) of small and medium businesses (SMBs) in the United Kingdom are connecting to their companies’ networks using personal devices and that these devices do not have any security controls in place. This means that nearly a third of businesses are putting their networks, data, and customers’ data at significant risk.

While this has always been an issue, the sudden shift to remote work in response to the global Covid-19 pandemic has increased this problem significantly.

Our survey found that 66% of the respondents said they had not provided employees with their own dedicated work computers, in essence forcing employees to use their personal systems at home to connect to work networks and data.

We found that part of what is causing this problem (and the risks to company networks and data) were difficulties in providing hardware to employees working from home. 19% of the respondents cited this as the reason why they told employees working from home to use personal systems. 22% of the respondents said they gave employees company software to install on their home systems because of this same problem.

However, another startling fact in this survey is that less than a quarter of those responding, 23%, said they specifically instructed employees not to use personal systems or devices for work. In other words, 77% of the respondents haven’t been following best practices and educating and instructing their employees to do so.

This leads to a worrisome finding: 15% of those respondents said they had seen unidentified or unauthorized devices on their networks. They believe these are employees' personal devices. The key point here is that they “believe” this: they don’t know for sure and can’t know because these are unknown and unauthorized devices.

Looking at the issue from the employee side, our survey found that 27% of employees said they’d connected a personal computer to their work network and 15% a smartphone. Of those who did this, 8% didn’t get permission before connecting their computer, and 13% didn’t get permission before connecting their smartphone.

What are the takeaways from this survey?

SMBs need to give their remote employees computers and devices to connect to work networks. They also need to give those employees clear instructions not to use personal computers and devices to connect to work networks. Any personal computer or device that connects to a work network represents significant security risks to the network and data. 

We also see as a result of this that nearly a quarter of those responding are seeing unknown, unauthorized, and untrusted computers and devices on their networks. These systems and devices represent a clear and present danger to these businesses, their data, and their customers' data.

This underscores another key point: good security is directly related to visibility and control. In addition to taking steps to have employees only use work computers and devices to connect to their network, businesses also need to take steps to ensure that only known and authorized systems and devices are on their network.

If businesses do these two things, they will significantly improve their overall security and privacy posture and be better protected from threats to their networks, their data, and their customers’ data.


Further reading:
The Avast Red Team's top 5 security tips for SMBs
Cybersecurity best practices for small to mid-sized businesses