Infinet

Your Employees Are Using Personal Phones for Work. Here’s What That Actually Means.

It’s Already Happening

Nobody sent a memo. Nobody asked for permission. It happened organically – the way most technology habits do. 

Your team got busy. Checking work email from a personal phone was easier than carrying two devices. Responding to a Teams message from the couch felt like being a good employee. Downloading a company file to finish a presentation seemed harmless enough. 

And honestly? Most of the time, it seems fine. 

It isn’t. 

This is not an argument for banning personal phones. Flexible access to work tools is part of how modern businesses operate, and employees are not doing anything wrong simply by checking work email on a phone they already own. 

But personal access changes what your business can see, manage, and remove. A few practical safeguards can reduce that risk without forcing everyone to carry two phones. 

What’s Actually at Risk

Company Data on a Device You Don’t Control 

When an employee adds company email, Teams, SharePoint, or another business app to a personal phone, company information is being accessed from a device the business does not own or manage. 

That phone may use a weak passcode, back up information to a personal cloud account, be shared with a family member, or include apps your IT team has never reviewed. The exact risk depends on the device, the apps, and how access is configured, but the business has less visibility than it would with a company-managed device. 

The Departing Employee Problem 

When an employee leaves, what happens to the company data and active sessions on that person’s phone? 

With the right mobile device or app-management setup, IT may be able to revoke access and selectively remove company data while leaving personal photos, messages, and apps alone. Without that setup, the business may be limited to changing passwords, revoking sessions, and hoping local copies were not saved elsewhere. 

That is why the policy and technology need to be in place before offboarding begins – not after access has already walked out the door. 

A Lost Phone Can Become a Business Issue 

A phone left in a rideshare can become a security concern if it still has active access to company email, files, or internal systems. 

A screen lock, automatic timeout, and multi-factor authentication all help. MFA adds another layer beyond the password, and phishing-resistant methods provide stronger protection than text-message codes alone. It does not eliminate every risk, especially if a device is already unlocked or a session has been compromised, but it makes account takeover much harder. 

Personal Apps Add Another Variable 

Personal phones usually contain more apps than company-managed devices. Mobile operating systems are designed to separate apps, but malicious software, risky permissions, stolen credentials, and unpatched vulnerabilities can still create exposure. 

The point is not that every personal app is dangerous. It is that the company cannot evaluate or manage the full device unless the employee has agreed to an appropriate management approach. 

The Fix Is Not “No Personal Phones” 

The goal is not to make employees carry two phones or feel monitored. The goal is to protect company information while respecting personal privacy. 

A written BYOD policy – “Bring Your Own Device” – is the starting point. It should explain which company apps and data may be used on personal devices, what security settings are required, how lost devices must be reported, what happens during offboarding, and what the company can and cannot manage. 

Require a PIN, passcode, or biometric lock on every phone that accesses company accounts. The device should also lock automatically after a reasonable period of inactivity. 

Enable multi-factor authentication on Microsoft 365 and other core business applications. Where practical, use phishing-resistant options such as passkeys, security keys, or certificate-based authentication rather than relying only on SMS codes. 

Use mobile device management or mobile application management when the business needs more control. Depending on the platform and configuration, these tools can separate work data from personal data, apply security rules to company apps, block access from noncompliant devices, and remove managed business data without factory-resetting the entire phone. 

What “Having a Policy” Actually Looks Like 

For an Omaha-area business with 25-100 employees, a practical starting point can be simple: 

  • A one-page BYOD policy employees review and acknowledge during onboarding. 
  • A screen-lock requirement for any device that accesses company accounts. 
  • Multi-factor authentication on Microsoft 365, email, and other core applications. 
  • A clear lost-or-stolen-device reporting process. 
  • An offboarding checklist that revokes accounts, sessions, and device access promptly. 

A defined management approach for company data, including whether selective removal is available. 

This does not have to become a massive IT project. It is a baseline that gives employees clear expectations and gives the business a better response when a phone is lost, replaced, or no longer used for work. 

Because privacy, employment, and consent requirements can vary, the final policy should be reviewed with HR or legal counsel before it is rolled out. 

The Conversation Worth Having

If you are not sure which personal devices currently have access to company email, Teams, SharePoint, your CRM, or project management tools, start with an access and device review. 

Microsoft 365 and other business platforms can provide device and sign-in information, but what administrators can see depends on the licensing, enrollment method, and management tools already in place. 

InfiNet helps businesses throughout Omaha, Lincoln, Council Bluffs, and surrounding communities understand what is connected, choose an approach that fits the business, and put practical policies in place. 

Not sure which personal devices can access your systems? Let’s talk. 

Frequently Asked Questions

Is it safe for employees to use personal phones for work email? 

It can be, when the business requires a screen lock, uses MFA, limits access appropriately, and has a written process for lost devices and offboarding. The right setup depends on the sensitivity of the data and how much control the business needs. 

What is a BYOD policy? 

BYOD stands for “Bring Your Own Device.” A BYOD policy explains how employees may use personal devices for work, which security requirements apply, how incidents must be reported, and what happens to company access and data when employment ends. 

Can my company remove data from an employee’s personal phone? 

Possibly. Mobile app management can be configured to remove managed company data from supported apps, while device-management tools may offer broader actions. The available options depend on the platform, enrollment method, licensing, and policy. The company should document the approach clearly and obtain appropriate HR or legal guidance. 

What happens if a personal phone with work access is lost or stolen? 

The employee should report it immediately. IT can revoke active sessions, reset credentials when appropriate, remove managed company data if the technology supports it, and review sign-in activity for unusual access. A screen lock and MFA reduce the risk, but the response process still matters. 

How do I find out which personal devices have access? 

Start with the administration tools for Microsoft 365 and your other core applications. Managed or enrolled devices may appear with details such as operating system, management status, and last check-in. Sign-in logs can provide additional context for devices that are not formally managed. 

Do employees have to give up privacy to use a personal phone for work? 

Not necessarily. Mobile application management can leave the personal device under the employee’s control while applying policies only to supported company apps and data. The exact visibility and control should be explained in the BYOD policy so employees understand what the business can and cannot 

Your Employees Are Using Personal Phones for Work. Here’s What That Actually Means. Read More »

Why One IT Person Isn’t Enough — And How Co-Managed IT Helps | InfiNet Solutions

Why “One Person Doing IT” Becomes a Business Bottleneck

The Hero IT Story Sounds Great… Until It Doesn’t

Every organization has one.

The person who knows where all the passwords are.

The person everyone calls when the printer stops working.

The person who somehow manages Microsoft 365, cybersecurity, backups, vendor calls, internet outages, software updates, new employee setups, conference room technology, and the mysterious issue where someone’s email “just disappeared again.”

They’re the IT hero.

They’re also probably your biggest technology bottleneck.

For many businesses throughout Omaha, Lincoln, Council Bluffs, and surrounding communities, technology often starts with one capable employee handling everything. Maybe it’s an office manager who became the unofficial IT person. Maybe it’s a technically savvy operations manager. Maybe it’s an internal IT professional wearing fifteen different hats.

At first, it seems efficient.

Then growth happens.

And suddenly, your entire technology environment — your security, your data, your day-to-day operations — depends on one person’s availability, knowledge, and sanity.

That’s where problems begin. And it’s exactly why co-managed IT has become one of the fastest-growing conversations we have with Omaha businesses.

The Single-Person IT Trap

Let’s be clear: this isn’t about criticizing your internal IT person. In fact, the problem is usually the opposite — they’re working incredibly hard.

The issue is that modern business technology has simply become too complex for one person to manage effectively alone.

Today’s IT responsibilities include cybersecurity monitoring, Microsoft 365 administration, endpoint protection, cloud services, backup management, compliance requirements, vendor relationships, network management, employee support, AI governance and adoption, disaster recovery planning, technology budgeting, and strategic planning.

That’s not one job. That’s an entire IT department.

Yet many businesses still expect one individual to handle all of it.

What Happens When Everything Flows Through One Person

Projects slow down. Need a new software rollout? Waiting on IT. Need cybersecurity improvements? Waiting on IT. Need a new employee onboarded? Waiting on IT. When one person becomes the gatekeeper for every technology decision, progress naturally slows — even if that person is excellent at their job. They only get 24 hours in a day. (Microsoft still hasn’t released the “36-Hour Workday” update.)

Critical knowledge lives inside one brain. Many organizations have undocumented systems, passwords, vendor contacts, and procedures that exist solely in one employee’s memory. What happens if they take a vacation, accept another position, get sick, or retire? Suddenly, your business is scrambling to figure out how things actually work. This is an operational risk most business owners don’t recognize until it’s too late.

Cybersecurity falls behind. Cyber threats don’t care that your IT person is busy. While they’re troubleshooting printers and resetting passwords, critical tasks get delayed: security monitoring, vulnerability management, patch management, user training, incident response planning, and backup testing. These are often the exact activities that prevent ransomware attacks and data breaches. For businesses across Nebraska and Iowa, cybersecurity is no longer optional — it’s a business necessity.

Technology becomes reactive instead of strategic. Here’s a question we often ask business leaders: “When was the last time someone brought you a technology roadmap instead of a technology problem?” Most organizations with a single IT resource operate in constant firefighting mode — fixing issues, responding to emergencies, troubleshooting. But who’s planning for the future? Who’s evaluating AI opportunities, cloud modernization, infrastructure improvements, and long-term budgeting? When IT spends all day reacting, innovation takes a back seat.

Growth Exposes the Cracks

A company with 15 employees can often survive with informal technology processes.

A company with 50 employees starts feeling pressure.

A company with 100 employees usually discovers those processes no longer scale.

As organizations grow throughout Omaha, Lincoln, Council Bluffs, Bellevue, Papillion, La Vista, and surrounding communities, technology complexity increases dramatically. More employees means more devices, more software, more security risks, more support requests, more compliance requirements, and more integration challenges.

The workload doesn’t grow in a straight line. It compounds.

Eventually, one person simply can’t keep up — and the business pays for it in downtime, risk, and missed opportunity.

Why Co-Managed IT Is Becoming So Popular in Omaha

Many businesses assume the only options are to hire more internal IT staff or outsource everything to a managed services provider. But there’s a third path that more Omaha businesses are choosing.

Co-managed IT.

This approach lets your internal IT person remain the trusted face of technology while gaining access to additional expertise, tools, monitoring, cybersecurity resources, and strategic support from an experienced MSP partner like InfiNet.

Think of it this way: your IT person doesn’t need replacing. They need reinforcements.

A co-managed IT partnership can handle proactive monitoring, help desk overflow, cybersecurity management, backup oversight, compliance guidance, strategic planning, and specialized expertise — while your internal team stays focused on business priorities.

Everyone wins. Especially your overworked IT person.

The Cost of Waiting

Most businesses don’t address IT bottlenecks until something breaks — a ransomware attack, a major outage, a key employee departure, a failed backup, or a missed compliance requirement.

Technology bottlenecks rarely announce themselves. They quietly create inefficiencies, increase risk, and limit growth until the consequences become impossible to ignore.

The question isn’t whether your business depends on technology. It does.

The question is whether your technology strategy depends too heavily on a single individual.

If the answer is yes, it may be time to build a stronger support structure before that bottleneck becomes a business interruption.


Frequently Asked Questions

Is one IT person enough for a small business? For very small organizations — typically under 20 employees with simple technology needs — one IT person can sometimes manage effectively. However, as employee counts grow and technology complexity increases, one person’s capacity is rarely sufficient to cover both day-to-day support and proactive security, compliance, and strategic planning. Most businesses start feeling the strain between 25–50 employees.

What are the risks of relying on a single IT employee? The most significant risks are knowledge concentration (critical systems and passwords living in one person’s head), cybersecurity gaps caused by reactive rather than proactive IT, delayed technology projects, and loss of business continuity if that employee leaves, gets sick, or takes time off. For businesses in regulated industries, compliance risk is also a major concern.

What is co-managed IT? Co-managed IT is a model where an organization’s internal IT resource works alongside an external managed services provider (MSP). The MSP provides additional expertise, proactive monitoring, cybersecurity tools, help desk support, and strategic guidance — while the internal IT person maintains day-to-day involvement and business relationships. It’s designed to complement internal teams, not replace them.

How is co-managed IT different from fully managed IT? With fully managed IT, the MSP handles all technology responsibilities and there is no internal IT staff. With co-managed IT, the business keeps its internal IT person and the MSP fills in the gaps — overflow support, specialized expertise, security monitoring, and strategic planning. Co-managed IT is ideal for businesses that want to keep an internal presence while gaining the depth of a full IT team.

How do I know if my IT team is overloaded? Common warning signs include delayed technology projects, recurring issues that never fully get resolved, cybersecurity initiatives being repeatedly postponed, growing support backlogs, and technology decisions being made reactively rather than planned in advance. If your IT person regularly works outside normal hours just to keep up, that’s a clear signal the workload has outpaced capacity.

Can an MSP work alongside our internal IT department? Absolutely — and this is exactly what co-managed IT is designed for. Many businesses throughout Omaha, Lincoln, Council Bluffs, and surrounding areas use co-managed IT services to give their internal teams breathing room, deeper expertise, and better tools without giving up internal ownership of their technology environment.

What does co-managed IT typically cost? Pricing varies based on the size of your environment and the level of support needed. Co-managed IT is typically structured to cost less than hiring an additional full-time IT employee, while providing broader expertise and broader coverage. InfiNet offers tailored co-managed IT arrangements for Omaha-area businesses — reach out to start the conversation.

Why One IT Person Isn’t Enough — And How Co-Managed IT Helps | InfiNet Solutions Read More »

4 Cybersecurity Gotchas on the Road

What to Do

Avoid accessing sensitive systems on public Wi-Fi whenever possible

Use a company-approved VPN

Verify network names before connecting

Disable automatic Wi-Fi connections

What to Do

Verify unexpected travel-related emails

Avoid clicking links from unknown senders

Use official websites and apps whenever possible

Report suspicious messages immediately

I swear it was in my bag…

Not every security incident starts with a hacker. Sometimes it starts with a laptop left at TSA, a phone forgotten in a rideshare, or a tablet that disappears from a hotel room.

For Businesses

  • Enable full disk encryption
  • Require multi-factor authentication
  • Use mobile device management
  • Enable remote wipe capabilities

That Free Charging Station Might Cost You

Your phone is hanging on at 4%. The gate just changed. Boarding starts in 15 minutes. We understand the temptation.

Public USB charging stations can introduce security risks if they’ve been tampered with. Bring your own charger, use wall outlets, or carry a portable battery pack.

travel tips for cybersecurity

4 Cybersecurity Gotchas on the Road Read More »

VPNs Being Targeting By Threat Actors

VPN

VPNs have long been considered a safe way for employees to securely connect to company systems remotely. But today, cybercriminals are increasingly targeting VPN access as a way into business networks.

Instead of hacking directly through firewalls, attackers are going after:

  1. Vulnerable remote access tools

2. Stolen VPN usernames and passwords

3. Weak or missing multi-factor authentication (MFA)

4. Outdated VPN software

Once attackers gain VPN access, they can often move through a network while appearing to be a legitimate user.

The NSA and CISA recently warned that VPNs have become “attractive targets” for cyberattacks because they provide direct access into protected business environments.
https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/

Microsoft has also reported cases where attackers created fake VPN software downloads designed to steal employee credentials.
https://www.microsoft.com/en-us/security/blog/

Additionally, CISA has issued multiple alerts around active attacks targeting VPN devices from vendors like Ivanti and SonicWall.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories

So what should you do?

A VPN is still important — but it should not be your only layer of protection.

Organizations should make sure they have:

  • Multi-factor authentication (MFA) enabled
  • Regular VPN updates and patching
  • Endpoint protection and monitoring
  • Access controls and account reviews
  • Security awareness training for employees

VPNs Being Targeting By Threat Actors Read More »

Tax Season Security Risks: 5 Gaps Firms Miss

During this busy period, tax season security risks rarely come from advanced attacks. They’re more likely to surface when workloads increase, deadlines tighten, and everyday decisions are made quickly.

In a short span of time, accounting and tax service firms manage large volumes of sensitive information—Social Security numbers, tax forms, banking details, and prior returns—while approvals accelerate and exceptions become more common.

Addressing tax season security risks isn’t about adding more technology. It’s about reinforcing the basic controls that matter most when teams are under pressure.

5 Security Gaps That Show Up When Workloads Spike

1. Rushed Email Requests & Impersonation Attempts

Illustration of email phishing and impersonation highlighting tax season security risks tied to rushed financial requests and urgent document emails.

This tends to show up when urgency becomes the default. A client “updates” banking info. A partner requests documents quickly. An admin forwards something that looks routine.

The issue isn’t the email—it’s how urgency gets mistaken for legitimacy.

What to keep in mind:
Financial or document-related requests should always trigger verification, especially when they feel routine.

2. Over-Shared Tax Documents and Uncontrolled File Access

When teams are trying to move quickly, documents start traveling—email attachments, shared drives, temporary links.

Temporary access often becomes permanent. And “just helping” can quietly expand who sees sensitive data.

What to keep in mind:
Clear rules around where tax documents live—and who can access them—matter most when speed increases.

Illustration of unsecured file sharing and access control issues showing tax season security risks when sensitive documents are widely shared.

3. Unclear Ownership of Financial and Client Decisions

Illustration of confused staff reviewing files representing tax season security risks caused by unclear ownership and overlapping approvals.

This tends to show up as overlap. Multiple people approve a change. Or worse—everyone assumes someone else already did.

Security breakdowns here aren’t caused by negligence. They come from ambiguity.

What to keep in mind:
One clear owner per decision type reduces mistakes when timelines compress.

4. Compromised Logins During Peak Workload

Phishing emails don’t need to be sophisticated during tax season. They rely on distraction.

Add MFA fatigue or shared credentials for speed, and identity becomes the easiest entry point.

One compromised mailbox can expose dozens of clients.

What to keep in mind:
Identity protection matters most when attention is stretched thin—not when things are calm.

Illustration of phishing alerts and login threats emphasizing tax season security risks related to compromised accounts and MFA fatigue.

5. Backups & Recovery That Assume “Nothing Will Go Wrong”

Illustration of data backup and recovery system highlighting tax season security risks when recovery processes are slow or unverified.

Not all data loss is an attack. It’s often accidental deletions, overwritten files, or collaboration mistakes.

And when recovery is slow, the impact compounds quickly during peak deadlines.

What to keep in mind:
Backups should be designed for speed, integrity, and verification—not assumption.

Security That Holds Up Under Pressure

The goal isn’t to slow work down—it’s to keep it consistent. Firms that stay secure during tax season don’t necessarily do more. They clearly define ownership, verification, access, and recovery before pressure builds.

That’s where a trusted managed IT service in Omaha can help—by reinforcing the guardrails that keep everyday workflows steady, even when volume spikes and timelines tighten.

If volume doubled tomorrow, would your current workflows hold up—or start to drift?
That question alone is worth a closer look.

Professional man seated and using a tablet with office background, featuring InfiNet logo and contact message.

Tax Season Security Risks: 5 Gaps Firms Miss Read More »

Talk to our Team