BYOC is not risk free

Introduction

Cyber threats seem to be everywhere today. Cyber thieves are succeeding at snatching passwords via phones, personal email accounts, pirated software, and illegal websites. We know they are succeeding because more and more attacks are ending in ransom payments and business interruptions. Today, let’s examine a common practice that looks like a money saver for businesses but potentially opens a business up to considerable risk.

A Potentially Costly Choice

Many businesses are opting into Bring Your Own Computer (BYOC) so the company does not have to buy or maintain staff devices. On the surface, this choice seems to make economic sense while presenting minimal risk. What could go wrong with an employee using their own computer? In fact, some businesses even provide a stipend for the employee to use to “maintain or improve” their system.

At the heart of this policy choice is that the business has no rights or controls on the system. The software installed, who uses the system, and for what purpose are all completely unknown. Many home computers do not even have anti-virus software that is kept updated, or have updates applied on a regular basis. So, yes, this seems like it will save money. The policy appears to make good fiscal sense for the company, and the employee can use the device they prefer. The risk lies in what is not known. And by the time it is known that the system is compromised, it will be too late.

Introducing Unknown Risks

The commercialization of cyber thievery and cyber criminals is a huge enterprise. These markets have expanded to such heights that there is no corner without value. When a business selects a policy of BYOC, it relies on the employee’s or contractor’s understanding and risk posture to protect the business. I am not aware of any studies showing how many computers there are per household, yet by inference there is usually just one computer. This shared computer is then used by multiple people in the household. Cybercriminals have learned to attack via fake websites, emails, fake software, and tantalizing free offers just too good to resist.

Consider this response I garnered from an AI search engine to the question: what is the cyber attack impact on small businesses less than 50 employees?

“The cost of a cyber attack can vary depending on the nature and scale of the attack, as well as the affected organization. According to cybersecurity statistics, there are approximately 2,200 cyber attacks per day, with an attack occurring every 39 seconds on average [1]. However, it is important to note that the cost of a cyber attack is not typically measured on a daily basis.

It is worth mentioning that the cost of a cyber attack extends beyond financial losses. Organizations may also experience reputation damage, legal liabilities, and operational disruptions.”

Exposure Example

The bottom line is that BYOC provides zero control of the systems being used, and this can introduce considerable risks to your business. For a recent example, a computer belonging to an employee of Turkish Airlines containing third-party login credential details for Airbus was hacked. Airbus had allowed the employee to use a personal computer, which enabled the cyber criminals to hack their corporate systems. It’s worth noting that Airbus is not a small company. As of 2022, Airbus reported revenue of €58.76 billion, operating income of €5.33 billion, net income of €4.25 billion, total assets of €115.94 billion, and total equity of €12.98 billion. The company has approximately 126,495 employees.

It’s Your Call

Note that I am not saying it is wrong to have a BYOC policy. Rather, the risks associated with the “savings” of not buying computers for staff need to be weighed against what even a single attack could cost your business. While it would be fabulous to have a rule-of-thumb formula or specific guidance on the true risks of BYOC, there really is no singular guide. As business owners, we need to take stock of those risk factors that are applicable, assign a dollar figure, and then ask the hard questions.

We Can Help

Lead IT Consulting helps small business owners understand the risks associated with decisions like these so your business can operate with less risk and focus on what is needed.  Just reach out to us if you would like to start this conversation.

 
