Alan Calder, Chief Executive, IT Governance
With EU privacy laws on the verge of being significantly tightened, financial institutions are wise to ask themselves how to ensure the safety and security of customer data in a world where staff use of mobile devices is inexorably on the rise.
It is no secret that easy communication combined with access to data on the move offers a multitude of efficiencies, which is why, according to the 2011 iPass Report, 95% of workers are now thought to have smartphones. Unfortunately, however, mobile working also brings many potential vulnerabilities, especially in terms of data protection. All too often, we learn that personal information on a stolen laptop, for example, has been accessed and sold for illegal purposes, exploited in a case of identity theft, or simply publicised to betray privacy.
Indeed, according to data provided by the Metropolitan Police’s National Mobile Phone Unit, 250,000 to 300,000 company-issued and personal devices are stolen and reported to the police every year, not to mention the many lost and misappropriated smartphones and mobile phones that go unreported. If these devices hold saved user names and passwords, but have not been encrypted and carry no password or PIN protection, such negligence is easy pickings for fraudsters and exposes organisations to significant risk.
Tightening privacy laws
The punishments for those companies and institutions guilty of these avoidable acts of negligence are set to intensify, thanks to the way in which both technological progress and globalisation have changed how data is collected, accessed and used. In January 2012, the European Commission (EC) proposed a comprehensive reform of the EU’s 1995 data protection rules, with the aim of strengthening online privacy rights and, at the same time, boosting Europe’s digital economy.
In addition to requiring technical measures such as the encryption of e-mail, the proposed regulation would remove divergences in enforcement between member states. The upshot of this is that the current fragmentation and costly administrative burdens on institutions should be lessened, pointing to hoped-for savings for businesses of an estimated €2.3 billion a year, according to the EC’s Justice department. The department also notes that the new rules should help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs and innovation in Europe.
Another, perhaps less palatable, knock-on effect is, however, that the data protection regulatory environment is set to become far more demanding. Under these circumstances, a company’s chief information officer (CIO) might be forgiven for finding the protection of the data employees take out of the door an all too Herculean task. For better or for worse, however, mobile computing and communication is here to stay, and so are the associated data protection vulnerabilities. The objective is not to abandon the idea of the mobile enterprise in despair, but to find a way to achieve all the benefits of staff mobility without taking any unnecessary data protection risks.
Where is the threat?
In the modern world, there are so many forms of removable storage media that enormous quantities of data can literally be carried around: data that ranges from SMS and text histories to private and business contacts, financial data, or even confidential corporate e-mails and sensitive voice-mails. And, with Bring Your Own Device (BYOD) policies now commonplace in both public and private sector organisations in the UK, privately owned devices such as laptops, memory sticks, iPads and smartphones have immense potential to expose the personal data a company holds to security breaches.
While these devices create opportunities in the way we do business, they are all subject to loss, theft and damage. Furthermore, they open doors to electronic attack. New technologies, in particular, bring new risks, as attackers immediately seek ways to exploit weaknesses before the appropriate electronic shields are put in place.
Potentially, everybody is vulnerable. Moreover, without adequate safeguards, every company risks not only a data protection breach, and all that that entails, but also the consequent regulatory punishment. All UK organisations that hold or process personal data will have to comply with the EC’s new legislation once it is adopted. If you are not really sure whether your organisation would be compliant with the proposed EU Data Protection Regulation, which requires organisations to take all appropriate technical measures to protect personal information, there is every chance that you are currently falling far short of its requirements.
One of the most vital steps to protect what is known as your organisation’s ‘porous perimeter’ is to encrypt personal data on all removable and portable media, such as laptops and memory sticks. Carrier networks generally encrypt the radio ‘airlink’, but the remainder of the chain between the client and the enterprise server remains open unless it is explicitly managed. Always use a virtual private network (VPN) connection when dealing with sensitive data, and ensure that any such data is only available to authorised users. Encryption of corporate smartphones, where possible using a cryptographic module validated to the FIPS 140-2 standard, is another must, as it restricts access to those holding the correct encryption key; note that this protection is only as strong as the passcode or key that unlocks it. The physical destruction of redundant computer drives, magnetic media and paper records, in line with a clear data retention timetable, is another must. The industry best practice covering this area is the ISO27001 international standard, which sets out how to manage information security systematically.
The right technologies and processes are inevitably essential to ensuring the best possible information security, but never forget the value of the right corporate culture too. Make sure that you win the ‘hearts and minds’ of your employees: if excellent policies are ignored, then those same policies become worthless.
Through proper training, staff can become your best allies in the war against data loss. At the moment, for example, most people seem to complacently imagine that mobile phones are immune to malware. The sensible data hygiene approach is to be as cautious when using a mobile phone as you are when using a PC. For example, staff should not connect to unsecured wireless networks, visit arbitrary websites or download any unauthorised content and, when it comes to smartphones, should enable remote wipe and apply device encryption in addition to the standard security steps. Ultimately, all employees must be trained to follow and enforce security policies, in and out of the office, by understanding their value and necessity.
Poor information security should be one of the most pressing concerns for a modern company or organisation. The implementation of a business-driven access control policy, alongside the use of the latest security software and a staff culture of responsibility, will help to minimise the risks. Make sure that your organisation is taking the safe route toward a mobile future.
Alan Calder is chief executive of IT Governance, the single-source provider for books, tools, training and consultancy for IT governance, risk management and compliance, and the author of ‘IT Governance: An International Guide to Data Security and ISO27001/ISO27002’, now in its fifth edition
tel: +44 (0) 8450 701750