Securing mobile data: an increasingly complex challenge

22 Nov 2011

The Information Commissioner's Office (ICO) last week came down hard on two UK charities for failing to encrypt personal data held on laptops - but as Jessica Twentyman argues, most organisations need to consider encrypting employees' smartphones and tablet computers, too.

Last week, the Information Commissioner's Office (ICO) named and shamed two charities for breaching the Data Protection Act. The ICO said that Sheffield-based Asperger's Children and Carers Together (ACCT) and Nottingham-based Wheelbase Motor Project both had unencrypted data stolen, including highly sensitive information relating to vulnerable young people.

Commenting on the cases, the ICO's acting head of enforcement Sally-Anne Poole said: "The ICO's guidance is clear - any organisation that stores personal information on a laptop or other portable device must make sure that the information is encrypted." The ICO also freely provides guidance to UK companies on its own approach to encryption.

So why is the message not getting through? It's possible that, within charities, there's a feeling that money could be better spent elsewhere, on the organisation's most pressing projects and current campaigns, or simply a lack of in-house expertise to deploy encryption.

But while the ICO has decided not to fine the two charities involved for their non-compliance, it has not held back from holding them up as examples of poor practice. The bosses of both charities have each had to sign an agreement confirming that, in future, their organisations will encrypt all portable and mobile devices used to store sensitive personal information and update their policies and procedures for the storage and use of personal data.

Regardless of the sector in which an organisation operates, the law is the law. But for many companies, it's not just laptops and USB sticks and hard drives they need to worry about encrypting these days - it's the smartphones and tablet computers that employees are buying themselves and bringing to work.

According to Chenxi Wang, an analyst with IT market research company Forrester Research, the increasing use of personal mobile devices in the workplace is posing some increasingly complex security challenges.

In a recent report, Managing the Security and Risk Challenges of Personal Devices in the Workplace, Wang identifies four major data security risks from the use of personal mobile devices.

First, there is the risk of device theft or loss. “From the corporate perspective, device loss could lead to data compromises if sensitive data lives on the device”, the report says.

Second, the mobility and portability of these devices increase the threats to data protection. “To defend against casual data access, you can implement PIN-based entry and device lock. To protect against active attacks, you will need measures like full disk or file encryption”, writes Wang.

Third, she warns, there's the risk of attack from a malicious, but authorised, insider: “If you are concerned with employee misuse or malicious insider threats, encryption alone does not do the job. You need to actively restrict data manipulation operations like cut-and-paste and control which mobile apps can handle the corporate data.”

Finally, data-stealing malware is increasingly attacking mobile devices. Any personal device with the freedom to download mobile apps is a ripe target for infection, she says.

The challenge for IT teams, says Wang, lies in balancing corporate security measures with an employee's freedom to use their device as they choose. "Secure processes such as remote wipe, pin-based entry and centralised management will satisfy many of the security requirements of your organisation. However, when the mobile actions of a user conflict with the interests of the enterprise, this raises notable legal issues surrounding the adoption of personal devices in the workplace."

In other words, it's going to take a company-wide effort to establish a robust mobile policy, one that balances the security requirements of the enterprise with the user's own device experience. Encrypting laptops is just the tip of the iceberg - but it's clearly a must-have for any UK organisation handling personal data that wishes to avoid the censure of the ICO.
