As well as providing one more potential vector for attack that must be guarded against, many mobile apps, especially when hosted on open platforms such as Android/Google Play, have been found to be particularly susceptible to malware. Combined with the BYOD trend, this is particularly unwelcome news for IT departments.
While the vast majority of survey respondents have some kind of anti-snooping protection in place on their website, such as SSL or two-factor authentication, when it comes to storing the PID, 13 per cent said they do so without encrypting it. This is an obvious risk factor and one that is quite easily rectified by simply encrypting the data. What’s more, the survey results suggest that in the majority of organisations PID is being stored for more than six months.
Looking now at how the information is backed up (figure 2), 17 per cent are using the cloud. However, one quarter of these respondents are unsure about the physical location of the provider. If the cloud company is American or a subsidiary of a US organisation, or if the data passes through US jurisdiction, it is subject to the Patriot Act, meaning that the US authorities can access it without prior consent.
Thirty-four per cent keep back-ups on their own premises, which could put them at risk of a breach in the event of fire or flood. That said, many breaches that are due to negligence are routinely blamed on third parties, including outsourcers, cloud providers and business partners, so many will prefer to retain the on-premise option.
To err is human
Looking at the recent fines imposed by the ICO, a picture of blundering, short-cutting and forgetfulness becomes apparent.
In October the Greater Manchester Police Force was fined £120,000 for carrying sensitive data on unencrypted USB sticks despite a prior warning. In September, Scottish Borders council had to pay £250,000 when former employees’ pension records were found in a recycling bank, and last year Newcastle Youth Offending Team breached the DPA by failing to encrypt a laptop containing personal data that was later stolen.
Encryption is only part of the answer, however. To guard against data breaches, organisations need to get to grips fully with the issue, engaging it on all fronts, especially in staff education. In short, data protection requires a change in culture. It will never be more than an afterthought if it is not taken up vigorously by the board, by appointing data stewards and someone in overall control, such as a chief information security officer (CISO), and by enforcing policy.
Clear policies, with legally sound guidelines on liability, are needed for both the organisation and its employees, covering all devices whether they are owned by the company or by staff, and regular training is needed to keep staff fully aware of their responsibilities.
Finally, technical solutions such as intrusion detection and prevention and anti-malware software need to be kept patched and up to date. Encryption should be automated, where possible, and mobile device management solutions deployed.
For some firms, especially smaller ones, this may represent a significant change in practice. However, in many cases improving data governance will have the knock-on effect of streamlining processes and creating better customer relationships, as well as guarding against an expensive trip to court.