Over the last few months I have chatted to a number of small-to-medium businesses and it is surprising how relaxed they are about storing and/or emailing business work data at home. Storing data on your own personal hardware opens up a whole can of worms, mainly around policy, legal and technical issues. So what are the problems?
Email
A UK government minister once remarked that emails were as secure as a postcard. Data sent by email can be intercepted in transit and, given the record of unauthorised access to Google and Hotmail accounts, using such a webmail account exposes all data held in it, business or personal, to the risk of access.
Laptop/Desktop/Mobile
Data held by staff is most likely to be stored on a desktop or laptop, both of which are susceptible to a number of threats: theft, loss, disposal and malware infections are just some of the possibilities. Laptops and desktops may also be handled by an IT support service, which could extract data if it were so inclined.
USB
Quote from ICO: “I can advise, however, that our office would generally expect that portable media are encrypted. In regard to deciding what security measures to take in respect of personal data processed on static equipment, in each case an organisation must take into account such factors as the nature of the data and the harm that might result from any unlawful processing or loss of that data”. USB devices have no security by default and, if lost or stolen, data can be easily extracted from them.
Backup
Staff members may back up data to USB devices or to online services. USB flash drives and hard drives can be lost or stolen, and an online service may be insecure.
Severance
Personal hardware such as USB devices, laptops, desktops and mobile phones is clearly the property of staff members, but once they leave, data can remain on it. Data that remains on the devices of ex-personnel is open to misuse and could potentially be used for blackmail or reselling.
Legal
The relevant legislation is the Data Protection Act 1998, overseen by the Information Commissioner’s Office (ICO). By storing data on personal hardware it is very hard to follow the eight principles, especially principle number eight. You can read all eight principles of the Data Protection Act 1998 at
http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx
Policy
Each company should have its own policy on data privacy and acceptable IT use. This should stipulate that data must be held inside the company walls or on a company-issued laptop. In addition to company policy, each external membership body will have its own guidelines, such as the Financial Services Authority, Solicitors Regulation Authority, Institute of Chartered Accountants in England and Wales, British Medical Council and the Bar Council.
Disposal
Over the past few years hard drives, laptops, mobile phones and desktops have been found in waste dumps in Asia and Africa. Data that has been deleted or formatted from such hardware can still remain and needs to be removed professionally (by physically shredding the media or overwriting the data). Staff members are generally unaware of this problem and therefore don’t take measures to ensure that data cannot be recovered once a device is disposed of.
Storage
Certain industries have rules that require data to be held within a certain country (UK) or region (EU); clearly, transferring data to personal devices makes this hard to enforce. Data may be taken on holiday or transferred to a cloud backup provider in another country.
Options
1. Set a policy – not always the best solution, as one day someone will not follow the policy
2. Provide company equipment – probably the best solution, but rather expensive for some
3. Automated control – BYOD, or bring-your-own-device, is one of the latest ‘crazes’, but it is expensive, causes additional problems and administration, and a lot of companies say it doesn’t work