In the Verizon Mobile Security Index 2020 Executive Summary, almost 40% of the organisations surveyed in 2020 said they had experienced a mobile-related compromise, and the percentage of companies reporting a compromise has grown by 41% since 2018.
Below we set out what we think are some of the big issues for companies and how these might be overcome.
Employees and the use of mobile phones at work
1. Use of phones for work purposes
It is not uncommon for employees to use their personal mobiles to check work emails or to continue working out of the office, whether on work-related trips and meetings or at home. This brings with it the potential for employees to breach Data Legislation; employers should be aware of this and implement appropriate mechanisms and procedures to safeguard the personal data of both employees and customers. Personal devices should only be used if an employer can guarantee the security of the data stored on them.
Lost phones can be a problem. If a member of staff leaves a phone (work or personal) on a train, for example, and that phone holds customer or employee personal data, then, depending on whether it has the relevant password and encryption protections, this is likely to be a data breach.
However, of more concern is the growing ability of hackers to get hold of a company’s data. Methods include social engineering (phishing and other email-based attacks) and the continuously evolving use of malware delivered through compromised websites, apps, devices or networks. The level of sophistication now used makes it harder for employees to spot that an email has come from a hacker.
In the Verizon 2020 Report, it was found that only 13% of businesses had all four of the following basic protections: regular security testing, data encryption, need-to-know access, and no default passwords.
What should employers do?
- Liaise with your IT department to ensure that you have a suitable Mobile Device Management (MDM) solution, that any work-related data stored on employees' personal mobiles is as secure as the data stored on the company’s own servers (including through the use of data loss prevention software), and that these systems are regularly tested and updated
- Roll out mandatory GDPR training to all staff, repeated and updated annually, to ensure awareness of how to keep their own data and their clients' data safe and secure
- Consider the use of encryption technology to prevent the loss of data
- Carefully monitor and control any ‘bring your own device’ schemes or ‘corporately owned, personally enabled’ strategies
- Ensure you have a mobile security policy in place, including good practices such as setting passwords
- Limit the use of personal devices, if feasible, and/or implement strict data access controls
2. Use of phones for group chats
It is more common today for groups of employees to use instant messaging apps such as WhatsApp and Facebook Messenger to keep up to date with work-related information and projects. This has become more prevalent with the advent of Covid-19 and whole teams and offices being required to work from home. However, although many of these apps use encryption, the messages and any documents shared will still sit in a Facebook datacentre. If the datacentre is breached in any way, the business whose personal data has been leaked remains liable to the data subjects and the regulator under its obligations as a Data Controller.
Businesses may be inclined to set up group chats for various departments, but they must be cognisant of the need to ensure that they have their employees’ permission to do so, as they are essentially sharing the personal details of their staff. Businesses should reserve the right to view business-related group chats on personal devices if required for business purposes – for example, if they need to investigate a complaint of misconduct.
It is also important to consider what happens when employees leave the business. Will leavers still be able to access the group and any content shared within it? Even if the leaver is removed from the group chat, their data may not be fully deleted, as the other group members will still have a copy of all the messages the leaver sent them and vice versa. Exit procedures should require departing employees to confirm in writing that they have deleted all work-related data from their personal device, including colleagues’ contacts and group chats. Employers should, however, ensure that they can access and store information exchanged via group chats, in case it is needed in future litigation.
Employees must be careful when holding sensitive or confidential conversations within the home environment; in particular, they should consider whether there are any internet-connected, microphone-enabled devices in the vicinity (such as Alexa). These devices should be treated as compromised, and steps taken to limit any possible exposure.
What should employers do?
- Carry out audits to identify any communication channels/apps that do not comply with Data Legislation
- Use alternative communication methods
- Implement and establish data protection policies for communication channels
- Increase awareness across the business of how to appropriately use group chats and identify issues to ensure GDPR compliance
3. Accidental/malicious leaking of data via mobiles
Carelessness can cause a great deal of damage. Many individuals find technology baffling, leading them to ignore or defer security warnings or to run their personal devices with incorrect security settings. In addition, they may make ill-considered decisions when choosing apps, not knowing whether those apps are able to see and transfer their information. It is therefore important for employers to ensure, as above, that their staff have the correct level of security and awareness when processing personal data; in these lockdown times, that will require additional attention in terms of keeping in contact with staff and providing sufficient ‘virtual’ support.
Companies can take all the necessary precautions to ensure that data is secure within their business, but malicious actions by employees / insider data breaches are, unfortunately, a threat that has become more prevalent over recent years.
Everyone in the data world will be aware of the recent Supreme Court decision in the Morrisons’ ‘vicarious liability’ case. In October 2018, the landmark decision of the Court of Appeal found that Morrisons was liable for the actions of a rogue employee who had leaked the payroll data of other employees online, criminally and without the knowledge of Morrisons, as an act of spite against the supermarket after he was disciplined and suspended. Thankfully for companies, this far-reaching decision was overturned by the Supreme Court. Nonetheless, although this is a positive outcome for employers, it does not create a blanket exclusion of vicarious liability in all data cases, and employers will still need to be vigilant about the extent of data access they give to employees and the protections in place to ensure that data is not misused.
However, innocent employees can cause just as much damage as those with malicious intentions. Human error accounts for a significant share of data leaks: employees losing their mobile phones, pasting confidential information in the wrong place, inadvertently copying third parties into emails or texts, forwarding messages to the wrong recipient, transferring company files onto a public cloud storage service, or inadvertently downloading or retaining personal data on personal devices. It is all too easy to take photos on mobiles and share them via a variety of social media platforms, but what if a photo was taken at work and contained personal data in the background? The list of ways personal data can leak accidentally is endless.
What should employers do?
- Ensure that employee contracts cover data security obligations, the consequences of any malicious actions by employees, and disciplinary action for misconduct or breaches of data security policies and procedures
- Ensure that there is a clear Data Protection Policy and that all staff are aware of it and of the business’ security and information management procedures
- Ensure that there is a suitable Acceptable Use Policy in place and that it is publicised
- Provide regular training and updates to staff on Data Legislation, covering the potential impact of their actions and how they can avoid inadvertent data loss (e.g. always double-check emails before hitting send)
- Take out insurance to cover the cost of data breaches and cyber attacks
- Invest in technology to minimise the risk of data breaches
- Appoint a dedicated Data Protection Officer (DPO) or outsource the DPO role so that you have a specialist in this area to advise the business and its employees