As the use of mobile devices by employees increases, so too do the risks to businesses of data breaches and a failure to comply with the Data Protection Act 1998 (“DPA”).
The Information Commissioner has warned that increasingly popular mobile working practices enlarge both the “potential attack surface” available to attackers and the risk of data breaches. The DPA requires data controllers to take “appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
The recent travails of TalkTalk are a potent reminder that the reputational cost of a data breach is also high for businesses. Beyond the management hours lost, a recent PwC survey found that businesses spent, on average, 13-24 person-days responding to each data breach, at a cost of £3,000 - £10,000; the incentive to prevent breaches rather than cure them is clear.
Therefore, what can and should businesses be doing to protect themselves as mobile working increases?
Ensure every company-issued phone with access to your corporate systems is protected with an alphanumeric passcode, rather than a short numeric PIN, and is set to lock automatically after a short idle period.
Supplement this with the ability to remotely wipe the contents of the device if it is lost or stolen. Applications that perform this function are readily available, but the device must be enrolled before it goes missing: a wipe command can only take effect on a device that is powered on and connected to a network, so the capability cannot be bolted on after the fact.
If you are considering a ‘bring your own device’ (“BYOD”) approach, then take special care. In particular:
Get a strong policy in place (alongside relevant training) before anyone so much as glances at a work email on a personal device. It should require employees to cover the basics above and, importantly, give the employer the right to access the device to review and delete company data where appropriate.
Consider using a ring-fenced (containerised) email application that connects only to your own server. Many organisations allow employees to read work email through the phone’s built-in mail client. Not only are those messages downloaded to the user’s phone, they are often also backed up automatically to the device’s consumer cloud service. Those cloud servers may not be adequately secured, and may sit outside the EEA or the other countries recognised as providing an “adequate level of protection” for data subjects, which is a separate potential breach of the DPA.
Make employees aware of the dangers of malware: they should be required to keep security software up to date, be forbidden from ‘rooting’ or ‘jailbreaking’ their phone, and prevented from installing apps from unknown sources. Malware that gains a foothold on a phone can read data after the device has decrypted it for normal use, so device encryption alone is no defence; a compromised handset is as exposed as a compromised PC.
The use of laptops for mobile working has even greater potential for data breaches, given their large storage capacity and the more substantial work generally carried out on them. As such, employers should bear these suggestions in mind:
It almost goes without saying: password protect all laptops. An unattended, unlocked laptop is an open door to a security breach, so laptops left idle should also be set to lock automatically. Bear in mind that a login password protects only the running session; once the hard drive is removed from a lost laptop, only full-disk encryption keeps its contents from being read.
Consider allowing laptops to reach your network, work email and documents only over an encrypted Virtual Private Network, and do not allow employees to save documents to the device’s own hard drive, so that little is exposed if the laptop is lost or stolen. Where local storage cannot be avoided, encryption is the safeguard; the ICO will be publishing guidance for companies on the use of encryption early this year.
Use a secure, company-controlled cloud service to exchange large volumes of data remotely rather than relying on flash drives, which are easily lost or stolen and are rarely encrypted.
Block access to potentially dangerous sites from your network by restricting users’ browsing, and consider a secure ‘sandboxed’ browser so that employees can visit personal-use sites such as Gmail and Facebook without exposing the corporate environment.
Working in public places such as trains should be discouraged where possible; where it is unavoidable, require employees to use privacy screens so that documents cannot be read over their shoulder.
A final suggestion relevant to all mobile devices is to prohibit employees from using the unsecured Wi-Fi networks that are often provided free in public places. It is relatively straightforward for an attacker on the same network, or operating the hotspot, to intercept any data that is not itself encrypted, and when the employee is abroad there is the added risk that the hotspot’s infrastructure sits in a country not deemed to have an “adequate level of protection”. A mobile data roaming package for employees may be expensive, but could prove an invaluable investment.
In practice, mobile device security can be difficult to control, both because the technology changes fast and because user habits are often casual and not mindful of data security. There are, however, steps employers can take to minimise the risk of breaches and to protect themselves should the worst happen.
This article first appeared on www.realbusiness.co.uk.
For further information, please contact James Murray, or visit our Data Protection page.