Consumerisation: how to manage the risks

Allowing staff to use personal devices for work can boost productivity and enhance morale. But the process needs careful management

Today we each famously walk around with more computing power and storage than was needed to land a man on the moon. It might be a mobile phone, an iPod, a BlackBerry, an iPad 2 or just a humble USB stick.

There is now an increasing trend to allow employees to bring all these personal "must-have" items into work. So do you allow your staff to use social networks either through your business systems or via any of these personal devices while in the office?

The risks
Companies face ever-increasing challenges when protecting their proprietary and sensitive information. In the current economic climate, it may be tempting for an employee with a grievance to pilfer a nice juicy data file with a view to selling it on.

Two years ago, according to a survey undertaken by IT security group Cyber-Ark, 58 per cent of British workers would be prepared to take confidential company data if faced with redundancy. The same survey found 40 per cent of UK staff were already taking confidential data – and would use it to help to negotiate a new job.

Businesses are also facing increasing demands from staff to work from home or from other locations that better suit their lifestyles, while the businesses themselves demand more availability from staff out of hours. Mechanisms for using data outside the office have proliferated, and policing the potential spread of this data can cause massive security headaches.

The image of the employee sneaking out with a desktop computer tucked under their coat or a hard drive concealed in a sock may seem far-fetched, but for the past few years, staff routinely and for legitimate reasons have walked in and out of companies carrying CDs, DVDs, laptops and USB sticks.

Now smartphones, tablets and all the other gadgetry we each carry contain storage that plugs into a computer as easily as a USB stick and holds far more information than could ever fit onto a CD or DVD. None of these personal gadgets is overt in the way that a PC is.

Aside from the business risk of losing confidential data, other risks include being sued for breach of confidentiality or breach of contract, if the data is actually a client’s or a supplier’s confidential information – not to mention embarrassment in the relationship with the client or supplier. There is also the risk of being fined, sued and investigated for breaching the Data Protection Act if data about living individuals is lost or used in an unauthorised way and if a business has not taken appropriate security measures to protect it. In addition, employees’ misuse of personal devices could expose businesses to other liabilities: for example, infringement of copyright if the devices are being used to make unauthorised copies of software, music or other copyrighted works.

Social media
In 2011, social networking sites are firmly part and parcel of working life. However, the ability to send information or files to “friends” on social networks means there is huge potential for inadvertent – and sometimes deliberate – disclosure of sensitive or valuable information.

Many employees post blogs about their work or about the business on the false assumption that only members of that business or their friends would be interested in reading them. However, the information shared can be confidential. This is commercially worrying. It may also be a breach of confidentiality obligations owed by the business or a breach of statutory duties, such as data protection obligations.

The business may be liable for such disclosures. Even something as innocuous as change of a job title to “Manager: Project Cure for Cancer” can give insight into sensitive information about something the business is working on.

Social networks and mobile phones also let people share information both within applications and beyond them. But, as any computer user knows, applications have vulnerabilities – and social networks and mobile phone apps have been found to contain security flaws.

The flaws are usually of three types. First, with social networks there can be a problem with the underlying site itself. Last summer, for example, Facebook sealed a security hole that left users’ names and profile pictures available to unrelated users. Second, many applications contain functionality that can result in users opening up data to a pool of people without realising it. Third, apps exist that contain malware.

If a business does not risk-manage these issues, it could expose itself to security holes that can lead to legal liability.

The problem is increasing. Almost every day new social network sites open. We are all familiar with the main sites but, at the time of writing, there are more than 1,000 sites acknowledged to be social networking sites of one sort or another.

Furthermore, the number of apps available for phones continues to grow and grow.

The solutions
Any business would be foolish not to take some basic protective measures – some legal and some technical. The technical measures are best because they stop issues arising in the first place. It is best not to leave it until there is a problem, when people have to resort to their legal rights, which involves time, expense and possibly reputational damage if matters become public.

Practical solutions include security software that disables USB ports so that people cannot copy data onto personal devices without authority (note that blocking USB mass storage alone does not cover phones that present themselves as media devices or as network adapters, so the control needs to cover those device classes too). Wireless and wired access can be secured or blocked to stop personal devices connecting to a corporate network. There are also many flavours of network monitoring software that can provide an audit log of data moved, and more sophisticated versions that can spot unusual data flows, whether in the amount of data or in an unusual destination for it. A crucial part of managing risk is also to ensure that audit logs of data movement on company networks are kept and examined, including random spot checks where possible.
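The two signals the paragraph above names – an unusual amount of data, and an unusual destination – can be illustrated with a short detection script run over audit-log lines. This is an added example, not code from the article or from any product it mentions: the log format (timestamp,user,destination,bytes), the host names, the corporate DNS suffix and the thresholds are all assumptions made for illustration, and the log lines are constructed.

```python
"""Flag unusual data flows in a data-movement audit log.

Added example, not from the article. The log format
(timestamp,user,destination,bytes), the host names and the thresholds
are assumptions made for illustration.
"""
import statistics
from collections import defaultdict

# Constructed sample audit log: one transfer per line, chronological order.
SAMPLE_LOG = """\
2011-05-02T09:12:00,alice,fileserver.corp.example,120000
2011-05-02T10:05:00,alice,mail.corp.example,45000
2011-05-02T11:30:00,bob,fileserver.corp.example,200000
2011-05-02T12:00:00,alice,fileserver.corp.example,98000
2011-05-02T13:15:00,bob,sharehost.example.org,180000
2011-05-02T14:40:00,carol,fileserver.corp.example,150000
2011-05-02T15:05:00,carol,sharehost.example.org,160000
2011-05-02T18:45:00,bob,fileserver.corp.example,210000
2011-05-02T22:10:00,alice,filehost.example.net,4200000000
2011-05-03T09:00:00,bob,crm.partner.example.com,190000
2011-05-03T09:30:00,carol,crm.partner.example.com,140000
"""

INTERNAL_SUFFIX = ".corp.example"  # assumed corporate DNS suffix


def parse_log(text):
    """Parse the constructed CSV-style log into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dest, size = line.split(",")
        records.append({"ts": ts, "user": user, "dest": dest, "bytes": int(size)})
    return records


def flag_transfers(records, volume_factor=5.0, min_users=2,
                   internal_suffix=INTERNAL_SUFFIX):
    """Return (reason, record) pairs for transfers worth a closer look.

    Two rules, matching the two signals the article names:
      "volume": the transfer is more than volume_factor times the user's own
                median transfer size. The median is the baseline because a
                single large copy barely moves it, unlike the mean.
      "rare-external-destination": the destination is outside the corporate
                suffix and fewer than min_users distinct people in the log
                send to it, so it is not an established business destination.
    """
    by_user = defaultdict(list)
    users_per_dest = defaultdict(set)
    for r in records:
        by_user[r["user"]].append(r)
        users_per_dest[r["dest"]].add(r["user"])

    findings = []
    for user, recs in by_user.items():
        baseline = statistics.median([r["bytes"] for r in recs])
        for r in recs:
            if r["bytes"] > volume_factor * baseline:
                findings.append(("volume", r))
            external = not r["dest"].endswith(internal_suffix)
            if external and len(users_per_dest[r["dest"]]) < min_users:
                findings.append(("rare-external-destination", r))
    return findings


def summarise(findings):
    """Group findings by user so an auditor sees who to ask first."""
    summary = defaultdict(list)
    for reason, r in findings:
        summary[r["user"]].append((r["ts"], reason, r["dest"], r["bytes"]))
    return dict(summary)


if __name__ == "__main__":
    for user, items in summarise(flag_transfers(parse_log(SAMPLE_LOG))).items():
        for ts, reason, dest, size in items:
            print(f"{user}: {reason} at {ts} -> {dest} ({size} bytes)")
```

Run against the constructed log, only one transfer trips either rule: alice's 4.2 GB copy late in the evening to a host nobody else in the organisation uses, and it trips both. The two shared external hosts (the partner CRM and the file-sharing site used by two people) are left alone, which is the point of basing the destination rule on how many people use a host rather than on whether it is external at all.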

There are also legal and contractual measures companies can adopt. First, businesses should check their confidentiality agreements and other contracts and not just sign up to anything – especially if the contracts impose “best endeavours” obligations to keep information confidential. Companies should put in place robust confidentiality clauses in employment and consultancy agreements. Businesses should also spot-check that they can comply with the obligations they are signing up to, and if there is a risk of breaching the other party’s confidentiality they should seek to limit their liability in the contract.

Second, businesses should impose tough but reasonable IT security policies on staff. Breaching those policies should be a disciplinary offence. In the final resort, litigation may be necessary. However, this is expensive and a successful result can never be guaranteed. Over the past few years, relatively few court cases have been brought – principally due to the time, expense and reputational damage involved.

When it comes to the use of social networks, there are various strategies a business can adopt to manage risk. Banning their use is one option but in an increasingly competitive commercial environment, such a solution is often not practical or commercially viable. Social networks can work to generate revenue and business.

The better solution is to manage the risk. A business of any size should appoint a social networking manager to be responsible for setting policy and overseeing use of social networking sites by anyone in the business.

This manager should also ensure that data and information about the company that is contained in social media sites is kept up to date and that historical postings are deleted. This helps to reduce the risk of virtual dumpster-diving, in which commercial information is derived from historical posts. The risk can be managed and reduced if information older than a fixed period, typically five to 10 days, is deleted.

Training
Staff education is a hugely important plank in risk management. A business must properly train its staff as to what is and is not acceptable. This helps to manage expectations and sets boundaries as to what a business will and will not condone.

For chats and interactive functionality, logs should be kept for audit purposes (in the same way that logs are kept of emails) and filters applied – as they are for any other communication.

When it comes to the use of apps on social networking sites or phones, a policy needs to be worked out about what can and cannot be used – in the same way as a business usually has a policy on what software can and cannot be installed on its computers.

Many apps do have business value. Software controls can be installed to prevent access to inappropriate applications. Perhaps most importantly, rules and policies should be formulated around what information can, and above all cannot, be posted on personal phones and social network sites.

The generation now entering the jobs market has grown up in an apparently privacy-free, free-information-for-all environment and has often not been schooled in the need for discretion or in the consequences that can follow if information is misused. Companies must mitigate the obvious risks this presents by putting technical and legal measures in place to protect themselves.

Mark Weston is a partner at Matthew Arnold & Baldwin LLP