by betterthanlast 1739 days ago
It likely also depends on the company itself and where they’re at in their lifecycle when it comes to this stuff.

When I set up my original laptop (a MacBook Pro) for my current job I asked them if I should set up a new Apple ID or what.

They said to do whatever I wanted but that people mostly just used their personal ones so they could easily text and make calls and all that from their machines.

I asked someone in the C-Suite a question about our antivirus and he said he didn’t know, he never got around to installing it (years later I got him to finally encrypt his damn drive).

The same guy got us all to install Steam on the company laptop to do a random end-of-day hour of gaming when it was relatively quiet. That would not fly today.

Fast forward a few years and now we’re less startup-like and more corporate and there are very clear official rules about how to set up encryption, what the mandatory corporate antivirus is, certificates, MFA and password rules and expiration policies, and a Meraki router in each office that is actively and seriously monitored (to the point that I gave them a heads up before wiping and resetting 4 laptops in one day and putting them on WiFi to download what I needed to get them up and running again to avoid worrying anyone).

I’ve always had a personal laptop, but I could’ve easily fallen into the trap of using the work laptop for everything back in the early days.

These days we have real HR, real security teams, serious network policies, semi-regular external pen tests, etc. That makes it easier to remember that this is a job and personal stuff doesn’t belong on corporate hardware.

Back in the day, some people would also clone their work setup (VPN, PKIs, ssh keys, etc) on their home computers to avoid having to carry their laptops home every day in case of an incident.

These days that’s a fireable offense (as it should be, there are times when my work laptop holds many millions of dollars in clients’ IP, plus millions of our own IP, and PII that’s subject to GDPR and CCPA regulations).

I found it easier to be lax with my work laptop usage back in the earlier days when things felt less serious and structured.

These days, I filter my jokes and I don’t screw around on the company laptop, and both feel like parts of a natural evolution of the workplace, if that makes sense.

1 comments

I don't think it's only the company's lifecycle affecting this. I've been working for multinationals my entire career and I've seen a bit of a 'wave'.

When I started my career in the late 90s, personal use was extremely low. This was because there was not much internet yet in the workplace, you actually had to request internet access and if you got it, it was very restricted. Most people only had desktops, you were really special if you had a laptop. Work was a 9-5 thing and jobs and IT were very strictly focused on your role. There just wasn't much non-work-related stuff to do except perhaps playing solitaire. Security was pretty good actually but really focused on the on-prem networks. If a hacker did make it on there they could run wild as nothing was encrypted. Nobody had admin rights.

Then in the 2000s-2010 things started loosening up. Everyone had internet access and it was mostly used for non-work. Most people still had desktops but were doing their webmail a lot. Extracurricular activities were less frowned upon. I remember one time walking into the customer care centre (I was admin) and pretty much everyone was playing this Flash game online where you had to swing a penguin and throw it a long distance, it was a bit like an early "angry birds". Managers were walking around and didn't really care, as long as the calls were answered when they came in. More and more people started getting laptops as they were getting cheaper. The old CRTs started disappearing for TFTs. If you had a work mobile phone (mostly managers) it was highly restricted like a BlackBerry or still a dumbphone.

Then came the cloud in the 2010s, blurring the line between 'internet' and 'work' much further. All people started getting laptops as they were no longer more expensive than PCs. The credit crisis in the late 2000s left its mark and there was a strong focus on productivity, no matter where or when. People logged in to O365 from home which was totally open, with username/password and no MFA. People had all kinds of work stuff on their phone, as MDM was still pretty basic. This period was peak security laxness. Security was viewed as an auxiliary cost not providing productivity. Not just in our company, this was the age of "USB stick with state secrets lost in taxi" headlines. Only financial institutions and government really had real security. People were using all kinds of cloud storage for work besides the official one and attempts from security to put a stop to it were hampered because 'people have to be able to work'. People were working at any hour on any device and this also made the burnout (and on the personal side, smartphone addiction) a common thing.

And then of course the reality check came in the shape of WannaCry. Things didn't change overnight but security was suddenly back on the map. The word of security was once again critical in the process, investment in it was no longer seen as unnecessary. MFA was introduced pretty quickly and restrictions to what users can do on the cloud. Limiting to official online storage tools only, we banned Dropbox for example. As a result we've been slowly returning to a phase where security is on the map again. At the same time privacy became more important. Both for the company (GDPR was a big driver!) but also in the minds of the users in terms of "what work can see".

These days we're not really ruling out personal use or work use on personal devices, but doing it in a much more conscious way. MDM restrictions are more common. Android got Work Profile which is a pretty ideal way of providing work access on a personal device IMO. Strong restrictions from work but no visibility on what the user does on the 'personal side' of the phone. We're starting to implement document encryption with Azure Information Protection, meaning a document can be tracked and protected all the time. This is also the time of SSL inspection proxies, and limitations on what users can do if they log into the O365 cloud from an unofficial device. Admin rights which had slowly been granted by default to pretty much everyone over the last decade are now being removed again.

I think this is where we're heading now, we don't want to lose the flexibility of mixing work with personal, especially now that so many people work from home. But the separation is becoming more 'official' and supported by the operating systems. We're also seeing a return of the VDI concept which was gone from the old Citrix days. I think most of the intermix between the work and private will take place on personal devices, not on work ones. And where it does happen on work machines it will be in the browser only.