Threat from staff left to their own devices

Studies found that the security threat goes beyond the use of hardware devices. Picture: Ian Rutherford

According to a survey of UK high street retailers published by Barclays, the presents most likely to be found under the Christmas tree this year are mobile devices and techie-related gadgets. So, less than two days from now, the sound of wrapping paper being ripped off many presents will be followed by a chorus of ooohs and aaaahs then, shortly thereafter, by a cacophony of electronic beeps as another tidal wave of digital devices power up and connect to the internet.

Worryingly, however, these exclamations of joy from the recipients may be replaced in the New Year by cries of despair from their employers as recently-acquired personal devices, such as smartphones and tablets, make their way into the workplace, bringing with them a further increase in the problems faced by organisations coping with the trend to BYOD – “Bring Your Own Device”.

It is difficult enough for businesses to cope with external threats to their IT security but it now seems for many that the most potent threat comes from within, as younger employees who have grown up in the constantly-connected internet age constitute an ever-increasing percentage of the workforce.

In a recent survey conducted by network security firm Fortinet (across 20 countries amongst employees aged 21-31), more than half said they would find a way to bypass any company policy banning use of their personal devices. The survey also showed that the security threat goes beyond use of hardware devices; 63 per cent of respondents use a personal cloud storage account for work-related purposes, including swapping files between their work computer and their own PC or tablet.

Another major concern for organisations is that it appears many employees are less effective at looking after work devices than their own. This vulnerability has been revealed in the survey “Britain’s Culture of Carelessness with Mobile Devices”, carried out by Trend Micro and Vision Critical, which reports that smartphone users are over twice as likely to lose a work device as a personal device. Just 11 per cent of respondents had lost their personal smartphone while over a quarter, 27 per cent, had up to three work devices lost or stolen.

Almost half, 44 per cent, of smartphone users interviewed are more concerned about losing personal content, such as photos and banking details, than worrying about enabling cybercriminals to access sensitive business data. Indeed, just 3 per cent were concerned about the theft of corporate data.

So, where do companies stand in respect of their liability should one of their employees lose a smartphone, tablet or laptop containing confidential information? Apart from the dangers made evident by the surveys quoted here, there has been a very clear message issued to UK organisations by The Information Commissioner’s Office (ICO). The ICO has made it clear that organisations must address employee use of personal devices for work purposes in their data protection policies.

The Royal Veterinary College, to provide a recent example, is one organisation that has been shown to have had an inadequate policy regarding this issue. The college had to give an undertaking to the ICO following a data breach involving the theft of an employee’s personal camera memory card in December 2012. The memory card included stored photographs of six job applicants’ passports. The college had no guidance in place on the storage of personal information for work purposes on personal devices.

Under the seventh data protection principle of the Data Protection Act 1998, data controllers are obliged to take appropriate technical and organisational measures against unauthorised processing and accidental loss of personal data. Following the loss of the employee’s memory card the Royal Veterinary College has undertaken to provide mandatory training to staff, recording and monitoring of such training, encryption of portable devices, and physical and other appropriate security measures to ensure compliance with the seventh principle.

This instance was highlighted by the ICO because it is keen to have all organisations understand that they should update data protection policies and provide staff with guidance and training to account for this trend in employees bring their own devices to work and using them as part of their business toolkit.

Essentially, that advice recognises the starting point in how organisations can address this conundrum; employers need to embrace the fact that, whether they like it or not, employees will see BYOD as a key component in the way they live their lives, 24/7.

• Jennifer Wylie is a senior solicitor in the corporate department at Gillespie Macandrew and an active user of digital media. www.gillespiemacandrew.co.uk