Can your staff’s mobile device increase your risk? In a 2015 survey commissioned by the Information Commissioner’s Office (ICO), we learned that almost 50% of employees use their personal smartphone, tablet computer or laptop for work purposes. With almost 50% of adults anticipating purchasing a new mobile device over Q4 2017 and Q1 2018, this represents a phenomenal security risk to any organisation.
With BYOD (Bring Your Own Device), the Compliance Officer or DPO must be aware that this raises some very frightening opportunities for significant data breaches and the allied financial penalties: that ‘factory reset’ doesn’t delete the data, but rather it just hides the pointers the user sees.
U.S. based Blancco Technology Group is the de facto standard in data erasure and mobile device diagnostics. In their published reports, they cite that, ’41 percent of the global IT professionals surveyed reported that they don’t maintain documentation of the defined processes/technology used to remove outdated or irrelevant customer data’, and ’60 percent of global organizations said it would take them up to 12 months to develop and implement the necessary IT processes and tools to pass a Right to be Forgotten audit’.
40 percent of the used mobile devices contained leftover data from the original owners, including thousands of emails, text/SMS messages, instant messages, call logs, photos and videos.
So, when Blancco purchased a large batch of hard drives and mobile telephones from the likes of ebay and Amazon, they ran some tests and discovered that 40 percent of the used mobile devices contained leftover data from the original owners, including thousands of emails, text/SMS messages, instant messages, call logs, photos and videos. So now imagine you are, for example, running a care home: it’s almost inevitable that there will be messages exchanged about a service user / resident. Now consider what happens when that device is replaced and is gifted to a friend or relative, or sold on ebay?
There are tools which can assist with data identification and protection but the key is to minimise the amount of data transferred to or held on the device. This can be done in several ways: virtualising applications and streaming them to the device; allowing access but implementing a policy to prevent users downloading sensitive organisational data; or mandating Mobile Device Management (MDM) on all mobile devices to remove corporate data if the device is lost or stolen, using encryption to secure sensitive data.
If an organisation believes that PII already exists on corporate mobile devices, software tools such as Druva inSync can scan files and data as part of the device’s backup and recovery process to identify potential PII and other sensitive data. Once located, the data can then be protected or deleted in line with company policy. This capability is available as a service from organisations such as Fordway, and in addition to backup and restoration offers compliance and legal hold with scalable, encrypted backup storage.