Company computer use from home - how much can they see on the desktop?
I have a company-supplied computer that I use from home. I log into VPN (Cisco AnyConnect) when I need to access company email or internal company sites.
In the past the company has been able to "take control" of my desktop to make software updates (after I handed power over to them). A co-worker -- also off-site -- received an email from the company saying that her Mac's internal hard drive was over 90% full and advised her to delete files that were no longer needed to avoid a possible hard drive failure.
So my question is how much can they see? Obviously if I'm logged into VPN they can track the sites I'm on, but what about if I were to log into my bank to check on a balance or pay a bill?
Or even my browsing history when not logged into VPN? How about an area on the computer where I might keep passwords for various sites (everything from Facebook login info to credit card accounts)?
Assume "everything" and don't use it for anything you wouldn't want your company to know about.
The tools are out there for a company to collect a great deal of information about how you use your work-supplied computer. There is software available that can record every keystroke, complete browsing history, even periodically take pictures with the webcam or sound from the microphone. Your company may not have this sort of thing installed, but it is good advice to assume that anything you do on that computer, or even within sight or hearing distance of that computer may be recorded.
In many cases the law isn't particularly clear about what information companies can use; historically, companies own and have the rights to anything you do on their equipment, even if you weren't clocked in. People have been fired from their jobs and students have been expelled because of information on systems when they weren't at work or school.
In other words don't use your work PC for anything that you wouldn't want your employer to see or hear.
If you have to ask the question, then don't do what you're thinking about doing on company computers, networks, or equipment. Not only do you have to worry about the company, but if your company becomes part of a litigation or a regulatory compliance issue, whatever you have done on it will get gathered up and become public record.
So to my original statement... If you have to ask, or pause to think, "should I" - then don't.
The answer really is... it depends.
This question is impossible to answer without knowing exactly what sort of software your company has installed on your computer. However, to assuage your fears do take a look at the contract you signed. That should detail exactly what sort of data the company is allowed to collect from you.
From my answer to a related question:
If you're really concerned about your personal privacy, don't use corporate resources for personal purposes. Most companies have included in their Acceptable Use Policy or similar documentation, a clause that specifically says you may be subject to monitoring and have no expectation of privacy when using their systems. In many jurisdictions, this means that they can do whatever they want to observe and record your activities with or without your explicit consent (generally, your consent is given implicitly upon your agreement to the AUP) and/or knowledge - causing any retroactive attempts at personal privacy to be futile and ineffective.
Case in point: At one former workplace, I heard of a user who decided to do some, let's say, "very personal" web browsing on a company laptop while he was on his home network. Apparently he was under some delusion that whatever he did with the company's hardware was none of their concern if he did it on his own Internet connection. To be safe though, I'm sure he had some good history cleaning software in place and in use. He was also technically savvy enough that he probably did some manual cleaning of his own, periodically.
What he didn't know was that the company had monitoring software installed locally and running in the background. This software would record his Internet activities at all times, and relay the logs to the corporate servers whenever the laptop was connected to the intranet. You can imagine the resulting disciplinary actions when this occurred.
Long story short: If it's not business-related, don't do/keep it on a business computer.
Even regardless of what they are seeing or collecting in real-time, the fact remains that you will eventually have to turn the equipment back in - either for a hardware refresh, or as a part of your separation from their employment - and you may not necessarily have control over when and how that happens. At that point, they'll have access to anything you've stored unencrypted (or encrypted with company-provided tools) on the system. If they're using keyloggers or other monitoring software, they may even be able to break into things you encrypt yourself.
Bear also in mind that a malicious insider may still choose to do these things even if law or company policy prohibits this. If the company has the tools to monitor your activity, but is generally prevented by law or policy from doing so without cause, a malicious sysadmin may choose to ignore such restrictions and snoop on whatever it is you're doing on the system regardless. In an even more extreme scenario, it's always possible that a malicious sysadmin may do this with their own tools even if the company itself is not equipped to do so.
If it's not your system, don't trust it with your personal data.
It depends on what software they install on the computer. Many keyloggers can track keystrokes/passwords typed, websites visited, chat conversations and capture desktop screenshots. So all your activities might be tracked by the spy software.
The only way tracking could be done is by having software loaded on the system; there's no way to do it only through a VPN connection.
If the system has been reinstalled with factory settings and all the programs were loaded by you, and they have not installed any tracking programs, they cannot track the usage.
While being at home, I went to a website and by mistake I downloaded a trojan. I got an email from the security department. Still not sure what is the extent of their monitoring. I guess they spotted it right away because in their email they mentioned: name of the file was OSX.Trojan.Gen and it's in the directory of /users/username/downloads/..., timeStamp, my ID and display ID (I guess that's the name of my laptop). The only thing that wasn't there was my grandma's SSN, which they said they will send soon if I don't scan the computer and send a screenshot of having the MacBook cleaned.
The email's attachment:
Look at your employment contract and the company's computer usage policy if it has one.
I have worked places where World of Warcraft was installed on company desktops and people played during the lunch hours/after work as the computer usage policy did not state that users could not install their own programs on the company devices.
Other places where everything you did, each webpage visited, email message and event log entry was saved, uploaded and analysed either in real time or when the device came back on the network.
As others have said, it's possible to monitor everything; it's also highly unlikely outside of a secure environment as it's time consuming and expensive. Most likely if you're working from home via a company-provided device it will have basic security controls and programs such as AV, maybe software asset management and some form of company update mechanism (SCCM, Altiris, etc.) that will communicate back to the home network. It's also possible that while off the VPN your web traffic might be monitored via Cisco Umbrella or a similar system.
If in any doubt look for the company policies; depending on where you are in the world some local laws may also have precedence so you should also check those.