Comment: Securing the mobile workforce and your company's data

Heavy snowfall in the UK this winter means increased use of mobile devices for workers

The festive period was extended this year as extreme weather conditions prevented most of us getting into the office. England’s heavy snowfall was well documented and, although some local councils failed in their efforts to keep the roads clear and the transport network flowing, many employees did plan ahead for snowy days. They accessed the corporate infrastructure using mobile devices, such as netbooks and BlackBerry devices, to ensure that the corporate wheel kept churning, albeit slightly slower than usual.

According to a report in The Times, business groups warned that the cost of absenteeism to the economy due to the January snowfalls could reach £2bn, but that could just be the tip of the iceberg if the sensitive data that was accessed during the big freeze floods out into the public domain.

In January, the Information Commissioner’s Office (ICO) revealed it was to be granted new powers, which have been approved by the Secretary of State for Justice and laid before Parliament. From the start of the new tax year (April 6), the ICO can order organisations to pay £500 000 as a penalty for serious breaches of the Data Protection Act (see box) – a framework of rights and duties designed to safeguard personal data. For a data breach to attract a monetary penalty, the Information Commissioner must be satisfied that there has been a serious breach likely to cause damage or distress, that it was either deliberate or negligent, and that the organisation failed to take reasonable steps to prevent it.

Principle Seven of the Data Protection Act states:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

 

It is in the organisation’s favour to embrace employees’ enthusiasm for spending their own time completing tasks at home – especially when they are snowed in, or even sick in bed, and physical presence in the office isn’t feasible. The hard bit is to do so securely.

Mobile devices may be a positive technological achievement for most, but they burden the information security professional with concern because of the increased security risk that they pose. Small USB memory sticks, often without any security features, are easily available, and people can use them to carry and transfer massive amounts of data. Worms and other malware that target iPhones are being discovered. One example is a worm that targets iPhones to steal banking data and enlists the device in a botnet, although at the moment this is thought to be limited to the Dutch online bank ING. Tens of thousands of laptops are stolen every year, which highlights just how easily sensitive corporate data can be breached when stored on the growing number of mobile devices. With this in mind, data protection needs to become a high priority on the corporate agenda, as the growing workforce is literally taking matters into its own hands and using personal devices to meet the need for portable access to information.

Locking down the mobile workforce

  • Educate the workforce on the risks this practice exposes the organisation to
  • Facilitate a process to allow workers to access corporate information securely
  • Choose the right level of protection for your data, and balance this with ease of use for your employees (If it’s inadequate, then why waste your money? Make it too complicated and it will be circumvented.)
  • Provide the workforce with a tool to carry data – an employee will use the secured device if provided with one
  • Employ an encrypted solution that is capable of locking down all your valuable data so that, if your mobile device is lost or stolen, the data will remain confidential

There is a multitude of technologies designed to secure data and prevent it from falling into the wrong hands.

The ICO recommends that portable and mobile devices used to store and transmit personal information should be protected via approved encryption methods that are designed to guard against the compromise of information. The ICO’s belief in this technology is so strong that it publicly states that enforcement action will be pursued where data breaches occur and encryption has not been used to protect the data.

Organisations can now sign the Personal Information Promise to demonstrate their commitment to protecting people’s personal information by visiting the ICO’s website.


Origin Storage will be exhibiting its encrypted notebook solutions (stand D50) at Infosecurity Europe 2010 on 27-29 April in its new venue: Earl’s Court, London. The event provides a free education programme, exhibitors showcasing new and emerging technologies, and practical and professional expertise. For further information please visit www.infosec.co.uk.

Andy Cordial is the managing director of Origin Storage. He started his computer industry career in 1987 working for tape manufacturer Everex Systems. Cordial then moved into computer distribution in 1989 and established his first computer company, XL Distribution. XL merged with Datrontech in 1992, where he worked in the management team. Cordial saw Datrontech through flotation on the LSE and then left to start Upgrade Options plc in 1996. He went on to sell Upgrade Options (MBO) in 2003 and invested in Origin Storage. Cordial helped build Origin Storage into a £5.2m business and has seen it enter the Times Fast Track 100.
