As a result, GRC (Governance, Risk and Compliance) is one of the biggest issues facing companies at the moment. Unfortunately, the average business hasn’t realised this and remaining on the right side of the law can be a real problem.
Under the Data Protection Act 1998, when a business loses personal data, the Information Commissioner’s Office (ICO) has the power to fine it up to £500,000 and even in extreme cases send individuals to prison.
In addition, the Act has criminal offences – 654 prosecutions have been commenced in the last 6 years by the Crown Prosecution Service alone. What makes this an even bigger issue is that personal data has a wide definition – any information that can be used to identify an individual.
For many businesses, their current device policies and approaches, such as BYOD or Corporately Owned Personally Enabled (COPE), can no longer handle the current compliance landscape.
A proper policy and procedure must consist of more than telling staff how to access emails on their personal devices, because that won’t protect the data stored on them. Firms need to take a holistic, three-stage approach to ensuring that data is kept secure, consisting of education, policy and technology.
But what do each of these steps consist of, and how can businesses implement them without impacting their mobile device use?
Implement a policy
Businesses need to have a clear data and device policy communicated to their staff and actioned.
Within this, there must also be clarity on how data is classified and distinct data classification protocols.
These shouldn’t be written in overly legal or technical language, but rather in a tone that all employees will understand.
That way, both the company and employees are kept fully in the loop on what they’re allowed to do with their devices.
Having a good policy in place ensures it is clear when employees have breached that policy.
Train and educate employees
The human factor is often the weakest link in a company’s data security, which is why it’s so important that employees are sufficiently trained and educated to avoid security slip-ups.
It’s vital to be able to demonstrate to your employees the impact that poor data security practices can have on the whole company, so that they understand why their support is necessary.
However, it’s not as simple as pinning a piece of paper with a list of rules to the office wall or downloading a training package from the internet. Data security best practices need to be engaging, relevant and tailored to the jobs people are doing.