This is the second in a three-part series of articles on data security. This article addresses how to limit data-breach risks in portable devices. The first part analyzed employees' role in data protection, and the third part focuses on cross-functional security teams.
Whether on laptops, tablets or smartphones, more employees are taking confidential business information with them nearly everywhere they go—and they may be leaving company data exposed to external threats. Here are some of the associated risks and tips on how companies can protect their data.
Portable devices are particularly susceptible to physical theft, especially when left unattended. Hackers also can steal data from mobile devices remotely, especially when employees connect their mobile devices to wireless networks in coffee shops, airports and other public places.
Working in public places also poses a risk because passersby can see the information on an employee's screen, noted Philip Gordon, an attorney with Littler in Denver. Employers should consider providing privacy screens, he said.
"Mobility, in and of itself, does not create additional issues when adequate technical measures are in place," said Danielle Vanderzanden, an attorney with Ogletree Deakins in Boston. "The key is to ensure that data transfers occur in a safe manner and that all devices used to access the employer's data are properly secured."
Employers can't ensure that all data will be completely secured when employees work remotely, but they can take steps to reduce risks, Gordon said. He suggested that employers set up the following security controls for any devices used to access company networks:
- Password protection.
- Remote wipe capability (to delete data if a device is lost or stolen).
- An inactivity timer that will log off the user.
- An automatic lockdown feature that is triggered after failed log-in attempts.
"Remote access to corporate networks should be permitted only through a secure connection, such as a virtual private network," Gordon added.
Employers should also ensure that all company-owned mobile devices are registered with the employer and require two-factor authentication, said Peter Stuhldreher, an attorney with Reed Smith in Houston.
A multifactor login system adds a layer of security by requiring an employee to respond to a text or enter a unique code during the sign-on process. It is a way for the employee to say, "Yes, I am really the one trying to log in," explained Stephanie Rawitt, an attorney with Clark Hill in Philadelphia.
Employers must protect their information and devices with policies, written agreements and extensive employee training, Vanderzanden said. For example, employees should be told to keep devices on them or in a hotel safe at all times while traveling. They should also know that using their personal e-mail is not a secure way to transfer confidential information and will not adequately protect employees' and customers' personally identifiable information.
Many employers allow workers to use their own devices to access company e-mail accounts and other business information. But bring-your-own-device (BYOD) policies present additional data-security challenges.
Although carefully crafted BYOD policies can mitigate risk, the potential security issues with personal devices are more substantial than with company-owned devices, Vanderzanden said. For instance, when employees use their own devices, the employer doesn't have complete control over the types of software, hardware or applications workers use.
Employees' personal devices are more likely to contain apps laced with malware that could infect corporate networks, Gordon noted. Furthermore, employers cannot legally access employee-owned devices without consent. So all employees who participate in a BYOD program should be required to sign a user agreement that includes permission for the employer to remotely wipe its confidential business information from the device, even post-employment, he said.
But employers shouldn't be too quick to delete information from a device. Wiping a device may erase the history of how the employee used the information, Vanderzanden said. For example, the employer wouldn't know if an employee impermissibly copied company information to another device prior to wiping.
When employers distribute and recover employer-owned devices, they typically have a better chance of discovering prior transgressions, she said.
Employers can reduce risks by developing BYOD policies that include strong confidentiality provisions and limit the permissible use of company data. Also consider providing workers with an employer-authorized app that has sufficient security features to protect company e-mail and data on the employees' personal devices, Stuhldreher said.
Disconnecting at Termination
Employers should conduct thorough exit interviews with departing employees who had access to confidential or sensitive data, Vanderzanden said. "Exit interviews should be conducted in person so that it is possible to assess the employee's candor."
In addition, she said, it's good practice to maintain a forensic image of the device—in the state in which it was returned to the company—because the image could be "a treasure trove of information" if issues arise in the future. "Such images, of course, should be made before the device is wiped or redeployed to another user."
Policies should include clear requirements for departing employees to promptly return all company-issued devices and return or delete all company information that is stored on any personal devices, Stuhldreher said.