The Dangers of Remote Login in Corporate America

My current company (the one which doesn’t allow VPN from non-company computers) does not use full disk encryption. My previous company (which did allow VPN from personally owned computers) did, but the password to access the PC was the same as the one which allowed connection to the VPN.

My current company does all 3 - access to company systems is only via company owned PC/laptop, offsite goes through VPN and we have full disk encryption. We are a “bring your own phone” shop, but access is via an app that routes through the VPN and is restricted to email and calendar functions.

I used VPN/VNC sessions to log in to Solaris and Linux servers (and my desktop). This was only available on my work laptop, which had full disk encryption and different passwords for the encryption, the PC, the VPN and VNC.

Given that every security training course I took talked a lot about leaving laptops on the train, or having them stolen, it is a big problem.

I could access my email through my personal laptop, so that could be a security hole. Plus I could easily transfer files that way.
We were not allowed to use personal email for work, and not allowed to use the cloud.

Past couple of places I’ve worked have required encryption on laptop devices. As mentioned above, it then becomes a lost property issue rather than a lost/compromised data issue.

We’ve removed as many VPN users as possible, and shifted them to a Citrix solution presenting them with a virtual “on campus” system, or a set of published applications for their use. The virtual system/or app is presented in an “isolated-from-the-user’s PC” session which prevents the transfer of “naughty software” from the user owned system to the corporate network.

We’ve implemented a two-factor authentication for our inbound users, which increases connection security.

There are many ways for companies to make remote connectivity work. The more security you add, the more hassle it can add for the end users. Depending on the level of your users (IT staff are much more able to handle multiple logins and thought-requiring tasks than, say, a nurse when it comes to using the system), sometimes one needs to plan more for the “less informed.” Nurses have to dumb medical things down for us IT guys, and the reverse is true as well. It’s a balancing act between user experience and security. Too far in one direction and you end up with unusable systems or wide open insecure systems.

A former neighbor who was an IT guy at a hospital liked to gripe about how hard it was to make things nurse-proof. His wife, a critical care RN, did not disagree.

To answer the OP’s question, generally yes. Having employees use their own devices is a security risk, as the company cannot ensure that they have the latest updates or follow appropriate security policies and protocols.

If you want to be a bit more secure, you would issue a corporate laptop with full disk encryption, USB ports disabled to prevent file copying, web mail and certain high-risk or non-work-related sites blocked, and require a VPN connection with biometric multi-factor authentication to a zero trust network.

If by “all” you mean “none”. :frowning:

There’s an old saying that it’s hard to make something idiot-proof because idiots are so ingenious.

Definitely more than “none” - the large corporation that I work for has put full-disk encryption on all our laptops for the past several years.