We’ve all become so used to switching between devices that most of us don’t think twice about sending a work-related SMS from our personal mobiles or googling something not related to work on our company-supplied laptop. Most of the time this is not a problem, but it can quickly become one if these actions pose a data security risk to the individual or the organisation they work for.
The escalating cost of cybercrime is one of the main reasons companies need to be vigilant about data management on mobile devices, whether company- or employee-owned. In 2016, the global cost of cybercrime was estimated at $500 billion (€406 billion) and this is expected to reach $2 trillion (€1.63 trillion) by next year. Ransomware and hacking are deliberate attacks, but unintentional lapses can have equally devastating consequences if a device loaded with company data is damaged, lost or stolen.
“Mobile devices have now become the ‘go to’ work device for many employees who rely on them to communicate with the office and with clients while working remotely,” says Inés Rubio Alcalá-Galiano, who heads the eDiscovery and digital department of Dublin-based cybersecurity and information resilience provider BSI. “They regularly access company data and store it on their device and, managed incorrectly, this can result in a potential data breach.
“Employees can typically be the weakest link in information security and we are all susceptible to human error,” she adds. “Everyone assumes their device is secure but if software is not updated regularly and protection policies are not in place the risk of a data breach increases greatly.”
Protective measures
Many companies already have protective measures in place. Where they fall down, Alcalá-Galiano says, is in not policing them. She recommends quarterly reviews to ensure rules are amended based on current business needs, standards and procedures.
“The implementation of security software and ensuring that a mobile device management tool is in place are good first steps but it’s vital that any software is managed proactively to ensure it doesn’t lose its protective value. It’s also important to ensure that there are tools in place to remotely wipe any data from devices if they are lost or stolen,” she says.
At this stage, most people are wary of opening dodgy links or clicking on attachments from unfamiliar sources. And security-savvy companies ring-fence their systems to ensure employees can’t perform certain functions. But data can be leaked inadvertently in the most innocent of ways. For example, do you check your device for work while travelling on the Luas or in the pub?
“People need to be aware of who is around them when accessing a mobile device in a public area where others can watch your screen and see your password or work notifications pop up,” Alcalá-Galiano says. “Likewise doing something as ordinary as downloading an app can potentially compromise data if the terms and conditions are not read properly and that app is accessing your private or work data.
“Additionally, when an employee moves to a new job and takes their device with them, it can be difficult to separate personal and work data if clear guidelines on how things should work in this situation haven’t been introduced. Difficulties can arise, for example, if the new company is a competitor of the person’s previous company and can get access to its data.”
Few employers are interested in pictures of your dog or whether your web activity suggests an addiction to bargain hunting on eBay. However, if they have supplied your device, it may have to be examined after a data breach or as part of a “subject access request” (a request by an individual for the personal data an organisation holds about them), which means its contents and history may be reviewed. In these circumstances it is highly likely that everything will be gone through, including your personal photos, messages, emails and browsing habits.
Nothing to hide
“People often say ‘I don’t care about this because I have nothing to hide’,” Alcalá-Galiano says. “But when it actually happens and they discover their boss or another senior manager is going to see something that shows them in a less than good light, then they may care. It’s paramount that employees understand what they’re signing up for if they accept a device from their employer and that they also realise the implications that BYOD (bring your own device) may have.”
In May this year the EU’s new data protection rules take effect. Known as GDPR (general data protection regulation), these rules are designed to harmonise data privacy laws across Europe and reshape how organisations in the region approach data privacy.
One of the key changes from previous rules is the scale of the penalties: organisations that fail to comply could face fines of up to 4 per cent of annual global turnover or €20 million, whichever is greater, for serious infringements. Lesser transgressions, such as not keeping records up to date, can attract fines of up to 2 per cent of turnover or €10 million, whichever is greater.
These rules apply to both data controllers and data processors, meaning cloud service providers that process data on a company’s behalf will not be exempt from enforcement.
“With the impending arrival of GDPR on May 25th, organisations need to be more aware of the fact that mobile devices are data sources and that, as such, they are within the scope of subject access requests and other GDPR requirements. This is why it’s more than ever important to have the appropriate protection and retrieval policies in place,” Alcalá-Galiano says.