Sunday, September 12, 2010

After the hack: Why you REALLY shouldn't do personal business on a corporate machine

Corporations hate employees doing personal business on office machines.

I, of course, have never done this. I've certainly not checked my family calendar, or managed personal email, or browsed my Google Reader feeds on my corporate laptop, either at home or at the office.

Corporations hate this because employees should be working. Besides, it's an obvious security risk. Employees visiting off-color web sites are sure to bring viruses to work.

I agree. Sort of. Specifically I agree employees shouldn't use their Google credentials on corporate machines, and I agree there's a security risk -- for someone.

Mostly, though, the security risk is for the employee, not the corporation.

Let me explain why.

As best I can tell the average large publicly traded company admits to at least one major XP malware attack every 4-12 months. I expect the real number is twice that. That's a pretty high attack rate. A lot this of this malware, like Lemir.VA, incorporates a keylogger function. This malware captures usernames and passwords and sends them on.

If you check your family calendar at work, that would include your Google credentials. Your robust password is now meaningless; you will be hacked like I was.

That's at work. How about at home? Well, in our OS X/iOS household we haven't had a malware attack for over five ten years. My home is far more secure than my workplace.

It's safe to access Google from home. It's not safe to access Google from my office.

So you shouldn't use the office computer for personal work after all. It's in a very bad neighborhood, you really don't want to take your Google credentials there.

No comments: