By Robert Winter, chief engineer, Kroll Ontrack
Failure to keep customer data safe and secure can result in severe penalties for financial services firms. This year, for example, Welcome Financial Services (WFS) was fined £150,000 after losing the personal data of half a million of its customers.
Other high-profile incidents include the loss by Cattles Group of two backup storage tapes containing the data of 1.4 million people, mainly customers of Shopacheck loans.
Removable disks and backup tapes have created risks for banks and insurers for many years, but the new risk to consider is that of employees being allowed to opt into either Bring Your Own Device (BYOD) or Choose Your Own Device (CYOD) policies.
The risk stems from the number of employees in UK businesses who access work information from a remote device. That number has soared in recent times: 10.3 million employees now use personal laptops, tablets and handheld devices to carry out work or store work data.
The concept of BYOD is popular among employees and corporate management alike – particularly in companies where computing resources and budgets are limited. Seven per cent of UK employees (1.9 million) are carrying around confidential work data on their own mobile or handheld device which has not been supplied by their employer.
Employees know how to use their own devices and can more efficiently manage their work and life in an integrated fashion. Companies can also save money on hardware and simply focus on usage policies and packages for their employee base.
However, despite the benefits, corporations and employees often overlook important considerations. What happens if a device is lost or damaged? Will a lost or stolen device be remotely wiped? How will the data on the device be backed up? Many employees are not aware of how much responsibility they assume when they use their own devices for corporate purposes, or that their privacy is at risk.
According to Kroll Ontrack research, privacy and security should be major concerns for employers, with employees risking the loss of important work information by using personal devices which are not supplied by their company. It shows that one in eight (12% or 3.1 million) of the UK’s working population have unintentionally lost work data from their work device within the last 12 months, either through malfunction or corruption.
According to the research, and despite the risks of losing confidential work data, one in five (21% or 5.7 million) UK employees admitted that they save critical work information on removable media devices such as flash drives. This figure increases to 27% for those aged between 25 and 34.
One of the biggest challenges for financial services businesses today is to understand and manage the huge quantity of data they hold. An increasingly mobile workforce sharply raises the risk of losing confidential data unless the correct preventative action is taken. Businesses that fail to act are not only jeopardised financially but also risk damaging their reputation.
Organisations clearly need to do much more to help protect their data. Companies must implement thorough policies and procedures to help staff understand rules and security features surrounding BYOD.
Before employees use private devices for work, they should ask some important questions and clarify these issues with their company’s IT department:
- Backup Responsibility: As soon as company data is involved, certain compliance requirements apply. Is it the employees’ responsibility to save their own data at specific intervals or do the company’s IT specialists take care of that? What tool is used to conduct the backup, who makes it available and who monitors compliance?
- Data Loss: Mobile devices are not robust and their storage is easily damaged. If there is no backup and the data is important, a professional data recovery expert may be able to help. But who has to arrange for this and who will foot the bill? In addition, many people don't realise that company and private data cannot be distinguished during the data recovery process: whatever can be recovered is simply restored. Often the file names can no longer be read, so every recovered file has to be opened and checked in order to disentangle private and company data. In that case, privacy cannot be maintained.
- Loss of the Device: Two main issues arise if the device is lost or stolen – first, who will replace it, and second, the obligation to inform the employer. Are there rules as to how soon the company must be informed about the loss? Does the company intend to take quick action, such as remotely blocking access or deleting data?
- Remote Deletion: Some companies require employees to install a program on their device that allows data to be deleted remotely in case of loss or theft before they may use the device for company purposes. Many people do not realise that such a wipe is not necessarily limited to company data: unless the company has deployed a mobile device management tool that supports a selective wipe of a managed work container or managed apps, a full device wipe erases personal data as well. In other words, if employees do not regularly back up all their personal contact information, photos and so on (via their provider's online services, for example), they may lose them all.
- End of the Employment Contract: Most people change employers sooner or later. What happens to the company data on the private device in that case? Who checks that it has been deleted? Will care be taken to ensure that private data is not lost during the process?
- Convenience or Privacy: Of course it is convenient to have just one device for both private and professional purposes: only one password, only one charging cable, and so on. However, the two kinds of data still cannot be separated precisely, so companies often end up saving employees' private data as well, depending on their backup and logging requirements. BYOD often means sacrificing privacy, and everyone has to decide for themselves whether it is worth it.
Kroll Ontrack advises organisations to have a clear data recovery plan in place. When looking for a data recovery provider, they should make sure the selected provider is willing and able to work with them step by step, keeping them apprised of the data recovery process and of what can actually be recovered. It is also advisable to choose a provider that has the resources to perform emergency, remote or onsite recoveries, including from systems that are proprietary or unique to their environment.