August 14, 2015
How firms must hanker for the days when the issue of corporate data security could usually be addressed simply by asking what somebody had in their bag when they left the building or were fired. Amongst other things, the practice of Bring Your Own Device (BYOD) means that the ways for data to leak out of the organisation are now numerous, even if they are rarely malicious. A new cluster of reports highlights how carelessness, indifference, cultural ineptitude and the complexities of unmanaged, privately owned technology make it increasingly difficult for firms to keep their data secure. While some of the sources of this leakage are well known, two that are less often acknowledged are the apathy of employees when it comes to keeping work files safe and the lax attitude of employers when breaches occur.
According to a new study published by Kaspersky Lab, only one in ten workers makes any serious attempt to keep their devices and data secure. The study found that many employees of large and medium-sized businesses now use their own mobile devices for work, with 36 percent of respondents saying that they stored work files on them and 34 percent keeping work-related email messages.
The study also found a growing trend for confidential and commercially sensitive data to be stored on personal devices, including passwords to corporate email accounts (18 percent) and to corporate networks or VPNs (11 percent).
Employees can display an equally lax attitude towards the disposal of their devices at the end of their useful lives, according to a small-scale ad hoc study by regulatory advisory firm Proven Legal Technologies. The firm purchased a handful of second-hand smartphones on eBay and uncovered confidential data, including information that the former owners assumed had been deleted. The data included confidential business records and intellectual property, colleague and client contact details, web searches and location data. The underlying problem is that an ordinary delete usually removes only the reference to a file, not its contents: the bytes stay on the storage until they happen to be overwritten, so a handset that has not been properly wiped, or whose at-rest encryption key has not been destroyed, can give up its former owner's data to anyone who reads the storage directly.
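The following is an added example, not code from the article or from Proven Legal Technologies, showing in a toy block store why "deleted" files survive a resale and which two measures actually remove them. The store, the file contents and the SHA-256 counter-mode keystream are all constructed for illustration; the keystream stands in for a device's real at-rest encryption and is not a production cipher.

```python
# Added example (not from the article or from Proven Legal Technologies): a toy
# block store showing why "deleted" files on a second-hand handset can be carved
# back out of raw storage, and what actually removes them. All data constructed.
import hashlib
import os

BLOCK_SIZE = 64


class ToyBlockStore:
    """Minimal flash-style store: fixed-size blocks plus a directory of names."""

    def __init__(self, n_blocks=16):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks
        self.directory = {}          # filename -> list of block indexes
        self.free = list(range(n_blocks))

    def write(self, name, data):
        used = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            idx = self.free.pop(0)
            self.blocks[idx] = chunk
            used.append(idx)
        self.directory[name] = used

    def delete(self, name):
        # What an ordinary "delete" does: drop the directory entry and mark the
        # blocks reusable. The bytes themselves are untouched.
        self.free.extend(self.directory.pop(name))

    def wipe(self, name):
        # Overwrite the blocks before releasing them. On real flash the controller
        # may map the write to different physical cells (wear levelling), so this
        # is weaker than it looks; crypto-erase below does not have that problem.
        for idx in self.directory[name]:
            self.blocks[idx] = bytes(BLOCK_SIZE)
        self.delete(name)


def carve(store, marker):
    """Forensic-style raw scan: ignore the directory, look at every block."""
    return [blk.rstrip(b"\x00") for blk in store.blocks if marker in blk]


def keystream_xor(key, data):
    # Toy counter-mode keystream from SHA-256; a stand-in for the device's
    # real at-rest encryption, NOT a production cipher. XOR twice to decrypt.
    out = bytearray()
    for ctr in range(0, len(data), 32):
        ks = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[ctr:ctr + 32], ks))
    return bytes(out)


SECRET = b"CONFIDENTIAL: Q3 forecast and client contact list"   # constructed


def delete_only():
    store = ToyBlockStore()
    store.write("forecast.txt", SECRET)
    store.delete("forecast.txt")
    return carve(store, b"CONFIDENTIAL")        # still recoverable


def wipe_then_delete():
    store = ToyBlockStore()
    store.write("forecast.txt", SECRET)
    store.wipe("forecast.txt")
    return carve(store, b"CONFIDENTIAL")        # nothing to find


def crypto_erase():
    key = os.urandom(32)
    store = ToyBlockStore()
    store.write("forecast.txt", keystream_xor(key, SECRET))
    store.delete("forecast.txt")
    del key                                     # destroying the key is the erase
    return carve(store, b"CONFIDENTIAL")        # ciphertext only, nothing to find


if __name__ == "__main__":
    print("delete only      ->", delete_only())
    print("wipe then delete ->", wipe_then_delete())
    print("crypto-erase     ->", crypto_erase())
```

The carving step is what a buyer with a cheap forensic tool does to a handset: it reads the storage block by block and never consults the directory, so whether the file was "deleted" is irrelevant. Only overwriting the blocks or encrypting them with a key that is then destroyed leaves the scan empty, which is why device-disposal guidance insists on a full wipe rather than deleting files or accounts.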
UK Councils are some of the worst culprits
It’s not just individuals who have a laissez-faire attitude towards this kind of thing. According to a Freedom of Information request submitted by privacy campaigner Big Brother Watch, the UK’s local authorities recorded 4,236 data breaches in the three years to April 2014. These included 401 cases of data theft, 628 cases of data being shared inappropriately in emails, letters and faxes, 159 instances of data being shared with an unauthorised third party, 99 cases of unauthorised people accessing or disclosing data and 658 cases where the data involved related to personal details about children.
This would be concerning in itself, but the FOI request also asked about the consequences for the people involved in each breach: possible prosecutions under the Data Protection Act (DPA), the number of people whose employment was terminated as the result of a DPA breach, the number who were disciplined internally, the number who resigned and the number of instances where no action was taken.
Of the data breaches disclosed by the local authorities, 68 per cent resulted in no disciplinary action whatsoever, and only 2.1 per cent resulted in resignation or dismissal. Just one court case relating to the Data Protection Act has taken place, when an employee of Southampton Council was successfully prosecuted by the Information Commissioner’s Office (ICO) for having ‘transferred highly sensitive data to his personal email account.’
The study, A Breach of Trust: How local authorities commit four data breaches every day, argues that the breaches themselves are not the only cause for concern: there is also an apparent absence of consequences for those who have broken the law or their terms of employment.
The report says this “highlights a number of major issues which need to be resolved. Until proper punishments for the misuse of personal information are implemented the problem has the potential to grow, particularly as the gathering of data increases year on year with new technologies and a move to paperless systems. Imposing tougher penalties for the most serious of data breaches has received widespread support from a variety of organisations and individuals, including the ICO, the Justice Select Committee and the Home Affairs Select Committee.”
Based on the report’s findings, Big Brother Watch proposes a number of policy recommendations intended to prevent and deter data breaches:
- The introduction of custodial sentences for serious data breaches.
- Where a serious breach is uncovered the individual should be given a criminal record.
- Data protection training should be mandatory for members of staff with access to personal information.
- The mandatory reporting of a breach that concerns a member of the public.
- Standardised reporting systems and approaches to handling a breach.
- The extension of the ICO’s assessment notice powers to cover local authorities.