Another day, another incident relating to documents being disposed of inappropriately. We might never know the level of sensitivity of the information contained in the parliamentary papers that minister Oliver Letwin recently dropped unceremoniously into a public park’s bin, but once again it highlights the pressing issue of how to combat sensitive data falling into the wrong hands.
While most people would have the sagacity not to leave important documents in a park bin, ‘most people’ have probably, at one time or another, left their phone – or, increasingly, a laptop or tablet PC – unattended for a few hours, forgotten to collect it, or lost it completely. It’s a scenario most people have experience of.
The dangers of lost data
The common denominator in both these cases is information. ‘Lost’ information poses a risk whether it’s a hard copy or stored on your mobile device. In the case of the latter, the implications are perhaps even more serious. As mobiles become ever more powerful, users are increasingly blurring the boundaries between their personal use and their professional use; they might be logged into Facebook one moment, and Salesforce the next.
That means that information confidential to your business can find itself in all manner of unrelated – and possibly inappropriate – places: lost in the back of a taxi cab, a restaurant, or the golf club. Once found, into whose hands could this data and information fall? That the answer to that question can be ‘anyone’s hands’ should be cause for alarm.
What work applications are being accessed?
So what’s the answer? What can companies do to prevent the loss of the device, and unauthorised access to the data on it? Short of physically attaching the device to the user, there’s little that can be done to stop the physical loss of the device; we’re human, we lose things – it happens.
So what policies can be put in place for when the device is lost or missing? What safeguards can be put in place to protect the data? Should organisations have an action plan in place that mobile device users are aware of and have to activate when they lose a phone (especially if it is provided by their employer as a work tool)?
Protecting sensitive data
If you choose to start with a rudimentary policy to cover what to do in the case of an employee losing a work-related mobile device, it should address some fundamental issues.
First, it might be worth assessing the scale of this risk. Relative to the number of employees, how many have access to a mobile device that contains sensitive data? Of those, how many need access to sensitive information on the company’s server, or remote access to email? For those employees who need this flexibility – rather than want it – it is imperative that access to data is protected by a secure authentication solution.
Such a solution provides two-factor authentication and e-signature functionality to address the security risks of mobile and online applications. It is accepted that a time-based one-time password (OTP) is the most effective defence against complex cyber attacks.
Not only will two-factor authentication protect authorised staff when they’re accessing essential services, it will prevent unauthorised access if the device is lost.
Second, for those who do use their own mobile devices to access organisational data, it’s sensible to ask that staff request permission before adding applications to their device. This gives organisations an overview of who is using what device, and what work-related information they are accessing from that device, which will help determine the level of risk should it go missing.
Third, insist that staff use the security features that are included on their mobile device. Screen locks and passwords are easy to activate, and will at least offer rudimentary protection should a device fall into the wrong hands, or if it is left unattended.
Finally, a company needs to have an appropriate response to the worst case scenario of a device going missing. It is imperative that the victim of the loss informs the company’s IT department, and also their mobile service provider. Because devices differ, it is difficult to action a standardised response to locking down lost devices, and therefore the onus is on the user to act quickly and alert their employer to the loss as soon as possible.
A safer way of working – wherever you are
It’s important to remember that today mobile devices are akin to laptops and desktop PCs with respect to the information they contain, and the services they can access. Therefore it is wise to take precautions to minimise the impact of a device being lost… not least if it belongs to a minister who uses a public park as his office.