The increase in corporate mobile device use, fuelled by Bring Your Own Device (BYOD) and advances in technology, means there are many more ways in which data can be lost, whether through employee mistakes or malicious theft and sale of confidential information.
As a result, GRC (Governance, Risk and Compliance) is one of the biggest issues facing companies at the moment. Unfortunately, the average business hasn't realised this and remaining on the right side of the law can be a real problem.
Under the Data Protection Act 1998, when a business loses personal data, the Information Commissioner's Office (ICO) has the power to fine it up to £500,000 and even in extreme cases send individuals to prison.
In addition the Act has criminal offences – 654 prosecutions have been commenced in the last six years by the Crown Prosecution Service alone. What makes this an even bigger issue is that personal data has a wide definition – namely, any information that can be used to identify an individual.
For many businesses, their current device policies and approaches, such as BYOD or Corporately Owned Personally Enabled (COPE), can no longer handle the current compliance landscape.
A proper policy and procedure must consist of more than telling staff how to access emails on their personal devices because that won't protect the data stored on them. Firms need to take a holistic, three stage approach to ensuring that data is kept secure, consisting of education, policy and technology.
But what do each of these steps consist of, and how can businesses implement them without impacting their mobile device use?
1. Implement a policy
Businesses need to have a clear data and device policy communicated to their staff and actioned. Within this, there must also be clarity on how data is classified and distinct data classification protocols.
These shouldn't be written in overly legal or technical language, but rather in a tone that all employees will understand. That way, both the company and employees are kept fully in the loop on what they're allowed to do with their devices. Having a good policy in place ensures it is clear when employees have breached that policy.
2. Train and educate employees
The human factor is often the weakest link in a company's data security, which is why it's so important that employees are sufficiently trained and educated to avoid security slip-ups. It's vital to be able to demonstrate to your employees the impact that poor data security practices can have on the whole company, so that they understand why their support is necessary.
However, it's not as simple as pinning a piece of paper with a list of rules to the office wall or downloading a training package from the internet. Data security best practices need to be engaging, relevant, and tailored to the jobs people are doing.
3. Utilise a technology solution
Despite setting out a cohesive device policy and thoroughly educating staff, there is still a vital third element. Employees will break the rules, both accidentally and purposefully. This is why it's so important to have an underlying technology software solution which can protect the business in the event of a data breach.
Businesses need to be able to persistently track, manage and secure all devices used at work, as well as the data stored on them. Most importantly the technology used will also allow a company to prove that compliance processes are being properly enforced and adhered to.
In light of the serious problems data breaches can cause, such as loss of reputation, a fine from the ICO and even possible criminal consequences, companies can't take their data security for granted. And with such a clouded compliance environment, it's now essential to take a three-pronged approach to make sure all bases are covered. Your policy has to be clear and accessible, the BYOD training you give your employees must be relevant to them and the organisation, and there must be proper data protection software in place.
Mobility can have countless business benefits, but it must be managed properly to counter risk and comply with regulations. And if a breach should occur, the employer may be able to escape sanctions if it can prove that it did everything it could – policy, training, and technology – to prevent the breach.
- Jonathan Armstrong is data regulation advisor for Absolute Software and technology lawyer at Cordery
