Mobile devices and data security risks
Most people nowadays own their own mobile devices that can be used for business purposes, and employers are often asked to allow their use at work. Agreeing can bring benefits such as increased flexibility and efficiency, improved morale and job satisfaction, and even a reduction in costs.
But the fact that the devices are owned and maintained by the employee, rather than the employer, and that the devices can be used remotely from the workplace, means that businesses have significantly less control over where, and the way in which, the devices are used. Coupled with the upsurge in hacking and other criminal activity, the benefits of mobile devices are matched by risks to a business’s IT systems, reputation and confidential information.
What should you, as a business, do to combat the risks? First of all, consider security measures to prevent unauthorised or unlawful access to your systems or data. This could include requiring the use of a strong password, using encryption, and ensuring that access to the device is locked or data automatically deleted if an incorrect password is used too many times. You should also decide what data may be stored by employees on their personal devices.
Some software allows remote management of mobile devices. Typical features include automatically locking the device after a period of inactivity, executing a remote wipe of the device and preventing the installation of unapproved apps.
But if you want to monitor employees’ use of their own devices, bear in mind that you must make your reasons clear; and explain the benefits of monitoring. Make sure that monitoring is proportionate, especially during periods of personal use for example at weekends.
The biggest cause of data loss is still the loss or theft of a device. You should ensure a process is in place for quickly revoking access to a lost or stolen device. Registering the devices with a remote location and wipe facility is obviously prudent in this context.
You should also ask your employees to avoid using public or cloud-based sharing which have not been fully assessed. These systems may be vulnerable, and you should consider providing guidance to employees on how to assess the security of Wi-Fi networks (such as those in hotels or cafes).
Finally you should think about how you will manage data held on an employee’s device if they leave.
Robert Enticott, Partner, Head of Business Services and Commercial Property.George Ide