THE RISK TO YOUR BUSINESS IN THAT MOBILE ON YOUR DESK
PAUL MATHER – DIVISIONAL OPERATIONS DIRECTOR SAYS:
GDPR (the General Data Protection Regulation enforceable from May 2018) talks a lot about data protection by design. Businesses must use the principle of accountability, ensuring that data protection is at the forefront of everything they do. They’re obliged to adequately protect the data that they hold, yet many will approach this in different ways.
According to a recent cyber report, by the end of last year, more than 90% of cyber-attacks sought to take control of connected devices in the workplace.
Scary stuff, but let’s look at one facet of the Recruitment industry as an example. I often hear of agency owners concerned that their consultants could ring-fence “highly placeable” candidate CVs in their email inbox rather than putting them on a centralised system. Aside from the obvious business impact of this, the data subject in question has sent their CV to your agency. That makes the agency responsible for securing that data. Now think about how many agencies let their consultants Bring Your Own Device (BYOD) into the work environment and hook up their phone/tablet to their work emails. That candidate’s CV in the example we just mentioned which, don’t forget, the agency is responsible for, is now potentially out in the wild and outside the agency’s direct control. Now consider if that consultant’s unprotected phone with its cached emails then gets stolen... this could now be considered a breach.
I use recruitment as an example industry, but the above scenario is typical of events that can occur in any industry, so what should you do about it? Should you ban all devices from the workplace? It’s a tough call and a debate that has many facets. On one hand, it can be shown that overall productivity and customer satisfaction can be boosted if staff have access to work functions on a more mobile basis. Then you have the “it’s great for my work/life balance if I can clear my emails on the train on the way into work, which means I don’t have to work so late” versus the “staff shouldn’t have to work outside their core hours, nor feel obliged to, which having access to emails etc. outside the office promotes”. Both arguments have merit but, nonetheless, if your business does allow BYOD it should have a BYOD policy, and that policy should consider very strongly the security implications of such practices.
To give you an idea, we’ve been looking at BYOD as part of our internal GDPR compliance process. All our non-BYOD portable systems are encrypted in conjunction with multi-layered security. We are looking at options to enact systems whereby, in order to use a BYOD device, it has to meet certain criteria such as encryption, system locks with appropriate password strength and remote wipe facilities. Device access will be switched off for users by default, unless there is a proven business case for it to be turned on (which will, of course, be audited).
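As an added illustration, not code from the article or the author’s organisation, here is a Python sketch of the gating rule just described: access is off by default and granted only when the device posture meets the criteria (encryption, a system lock with an adequate passcode, remote wipe) and an approved business case exists, with every decision recorded for audit. The passcode length threshold, field names and the sample devices are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MIN_PASSCODE_LENGTH = 6  # assumed threshold; the article does not state one


@dataclass
class DevicePosture:
    """Constructed posture record, as an MDM/EMM agent might report it."""
    owner: str
    device_id: str
    encrypted: bool
    screen_lock: bool
    passcode_length: int
    remote_wipe_enrolled: bool


@dataclass
class ByodPolicy:
    # user -> reference for the approved business-case exception
    approved_business_cases: Dict[str, str]
    audit_log: List[dict] = field(default_factory=list)

    def evaluate(self, d: DevicePosture) -> Tuple[bool, List[str]]:
        """Deny by default; return (allowed, reasons) and log the decision."""
        reasons: List[str] = []
        if d.owner not in self.approved_business_cases:
            reasons.append("no approved business case for user")
        if not d.encrypted:
            reasons.append("device storage not encrypted")
        if not d.screen_lock:
            reasons.append("no system lock configured")
        elif d.passcode_length < MIN_PASSCODE_LENGTH:
            reasons.append(f"passcode shorter than {MIN_PASSCODE_LENGTH}")
        if not d.remote_wipe_enrolled:
            reasons.append("remote wipe not available")
        allowed = not reasons  # only a device failing no check gets mail access
        self.audit_log.append({
            "user": d.owner, "device": d.device_id, "allowed": allowed,
            "reasons": list(reasons),
            "business_case": self.approved_business_cases.get(d.owner),
        })
        return allowed, reasons


if __name__ == "__main__":
    policy = ByodPolicy({"alice": "BC-0001 (constructed)"})
    ok_dev = DevicePosture("alice", "phone-1", True, True, 8, True)
    bad_dev = DevicePosture("bob", "phone-2", False, True, 4, False)
    print(policy.evaluate(ok_dev), policy.evaluate(bad_dev), sep="\n")
```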
There are, unfortunately, no easy answers and it will be a very fine line between appropriate levels of protection for the data you hold and not excessively holding back the productivity of your organisation.