Todd Broccolo, Senior Director – Head of Workplace Technology Engineering & Operations, First Republic
CybersecuritySecurity

What does a one-device policy mean to you?

cxomagazine

By Todd Broccolo, Senior Director – Head of Workplace Technology Engineering & Operations, First Republic

In the last few years, we have seen a shift in end-user physical devices from static office-based desktops to lightweight laptops – but with this freedom comes a price…

The days of desktops sitting under the desk at work and always powered on have shifted from the majority to the minority of end-user devices. Once held only for the C-suite executive, lightweight laptops are now handed out to every new hire. The challenge we have is that our external threats and vulnerabilities have risen to all-time highs. Cyber breaches are much more common than ever, and data ransom has become a lucrative business.

To ensure the timely resolution of security vulnerabilities that put the firm at risk, it is recommended to reduce the dependency on physical hardware issued to employees and limit the number of devices in circulation. The overhead associated with patching, updating, tracking, and retrieving these devices from leavers continues to increase.

The first analysis you should perform is to understand how many users have multiple devices. It was a good-natured idea that took off during Covid but, was a bad practice that spiraled out of control. Yes, C-suite executives will always have multiple devices, but is there really justification for the general population to have multiple machines? My initial analysis highlighted that over 35% of staff had multiple devices.

So, my advice/recommendation is to move to a single-device policy, hold users accountable for the physical safety of their device, and mandate that they check in (VPN) once a week to the corporate network for relevant updates.

For most companies, the envisioned plan was to eventually retrieve the second device and leave the user with a single mobile device. This mobile device killed two birds with one stone — it was the user’s primary machine AND eliminated the requirement for a fully equipped disaster recovery site. Ideally, the end user always carries their laptop with them, and if a catastrophe strikes, they simply pick up and move to a safe location and continue business as usual.

Most users today work in a hybrid environment between the office and home. It became evident that most did not want to carry their mobile device back and forth. So, when in the office, they work from their desktop, and when at home, they may power up their corporate laptop or use a personal device to remote back into their desktop at work. We experienced firsthand how users were resistant to surrendering one machine, and their managers would back them really without justification to keep the peace. Hence, this multi-device model has become embedded in our current culture.

Now, one of the biggest challenges for users possessing multiple devices is patching security issues in a timely manner. Most zero-day security events require an escalated level of attention and remediation, ideally within 72 hours. I can attest that is a challenge when people have multiple devices to achieve compliance in this timeframe. Most users rely on one as their primary device and the rest of their machines are seldom used or powered up. The challenge is when the CISO requires 95% patching compliance within 72 hours and users ‘forget’ to powerup their additional devices. These devices then drag down the security scorecard as they are out in the wild, not patched and not checking in. From experience, I can tell you the worst corporate experience I have had is being involved in a security breach from a foreign entity due to not properly updating or patching devices.

Most of these additional devices are simply not warranted but more of a convenience, and from what I have seen, they drive up the physical device’s total cost of ownership. These additional machines can be a huge drain on the hardware budget. The last study I performed revealed a 7-figure savings moving to a single device policy on hardware costs alone. Another hidden cost with multiple devices is software licensing. Some applications require one license per device, and this can inflate software costs for those products. Typically, when you true up and have more licenses than active provisioned users, unless there was major user attrition, it could equate to these additional devices driving up the license count. Finally, the reputation and financial risk associated with a non-compliant device acting as a conduit for bad actors to infiltrate and ransom corporate data can be astronomical. In total, overspending on equipment carries a huge overhead and decreases shareholder value.

From a resource perspective, we are all asked to deliver more while achieving headcount reduction targets. As the team shrinks, this resource drain takes its toll on the team, having to constantly chase users to power up their dormant devices that are sitting at home in a drawer. When devices sat in the office and were always on, it was an overly simplistic but safe model with no need to chase down users.

So, my advice/recommendation is to move to a single-device policy, hold users accountable for the physical safety of their device, and mandate that they check in (VPN) once a week to the corporate network for relevant updates. When devices are not compliant, are underutilized, lost, or stolen, the risk and exposure to the firm increase considerably. You need to ask yourself if that really is a risk you and your shareholders are willing to accept…