With IT consumerisation growing at a rapid rate, there has been a rising trend in recent years for staff to use their own smartphones, laptops and tablets, rather than equipment provided by their employer, to access company data.
Some companies now even give their workforce a technology allowance in much the same way as a car allowance. But if the company then needs to investigate suspected inappropriate use of technology or a breach of data security, it could find itself unable to act.
I have seen a rise in the number of clients asking for advice about suspected data misuse, and only equipment owned by the company can be seized and examined as part of an investigation. Device turnover compounds the problem: a company might typically replace business computers every four to five years, but consumers now replace their IT equipment every 18 months to two years.
A standard mobile phone contract, for example, may replace the handset every 18 months, but some people are so keen to get the new or upgraded model that they renew long before the contract ends. They use the latest technology at home and want to use it at work too, not equipment that might be a couple of years old.
There is now pressure on IT departments to let end users access company data on their own devices. This may save the company the cost of providing equipment, but it has to consider who owns the device and who owns the data on it.
For example, would a company be able to remotely wipe data from a laptop or mobile phone it does not own? An employer cannot force an employee to hand over equipment that does not belong to the company, and this greatly hampers the ability of forensic examiners to get at the relevant devices.
In order to manage corporate data effectively and securely, I would also advise against giving staff an IT allowance to buy and maintain their own equipment. Every new device potentially brings its own set of security flaws, and a standard, approved list of company-supplied equipment is the only truly effective way of managing security.
Data has on occasion been recovered that had been deleted months, and in some cases years, earlier: deleting a file normally removes only the directory entry that points to it, and the contents stay on the disk until that space happens to be reused. Using specialised forensic equipment and software, specialists can often tie specific actions to individual files and devices and prove that they took place. People should not be fooled into thinking there is anonymity in the digital age.
The critical aspect of any forensic investigation, whether electronic or not, is to secure the devices and data sources relevant to the suspected breach. It is just as important that evidence is captured in a manner acceptable to the courts: in practice that means working from a verified image of the device rather than the original, recording a cryptographic hash of the image at acquisition, and documenting who handled it and when. More cases are lost on procedural errors in capturing data than on the evidence itself.
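As an added example, not code from the original article, the following Python script illustrates the two points above on a constructed toy disk image: the image is hashed at acquisition and re-verified before any analysis, and a file the user has "deleted" is recovered by signature carving even though it no longer appears in the directory listing. The flat directory layout, the file name photo.png, the sector offsets and all image contents are constructed for this example; only the PNG chunk structure and SHA-256 hashing are standard.

```python
import hashlib
import struct
import zlib

# Constructed toy disk image (not a real filesystem): sector 0 holds a flat
# directory of fixed 24-byte entries (16-byte name, 4-byte offset, 4-byte length);
# everything after it is data area. A "delete" clears the directory entry only.
SECTOR = 512
IMAGE_SIZE = 64 * 1024
ENTRY = 24
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(width: int, height: int, rgb=(200, 30, 30)) -> bytes:
    """Build a small but valid 8-bit RGB PNG to act as the file that gets deleted."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


def make_image() -> tuple:
    """Create the constructed image holding one file, photo.png, stored at sector 8."""
    img = bytearray(IMAGE_SIZE)
    png = build_png(4, 4)
    offset = 8 * SECTOR
    img[offset:offset + len(png)] = png
    img[0:ENTRY] = b"photo.png".ljust(16, b"\x00") + struct.pack(">II", offset, len(png))
    return bytes(img), png


def list_directory(img: bytes) -> list:
    """What an ordinary file listing shows: only entries still present in the directory."""
    entries = []
    for i in range(0, SECTOR - ENTRY + 1, ENTRY):
        name = img[i:i + 16].rstrip(b"\x00")
        if name:
            offset, length = struct.unpack(">II", img[i + 16:i + ENTRY])
            entries.append((name.decode(), offset, length))
    return entries


def delete_file(img: bytes, name: str) -> bytes:
    """Simulate an ordinary delete: clear the directory entry, leave the data blocks alone."""
    out = bytearray(img)
    for i in range(0, SECTOR - ENTRY + 1, ENTRY):
        if out[i:i + 16].rstrip(b"\x00") == name.encode():
            out[i:i + ENTRY] = b"\x00" * ENTRY
    return bytes(out)


def acquisition_hash(img: bytes) -> str:
    """Hash taken at acquisition and written on the chain-of-custody record."""
    return hashlib.sha256(img).hexdigest()


def verify_image(img: bytes, expected_sha256: str) -> bool:
    """Re-hash before analysis: a mismatch means the working copy is not the acquired evidence."""
    return hashlib.sha256(img).hexdigest() == expected_sha256


def carve_png(img: bytes) -> list:
    """Signature carving: ignore the directory, scan the whole image for PNG headers and
    follow the chunk structure to IEND, checking each chunk CRC so that a stale header
    whose data has been overwritten is rejected rather than reported as a file."""
    found = []
    pos = img.find(PNG_SIG)
    while pos != -1:
        p = pos + len(PNG_SIG)
        complete = False
        while p + 12 <= len(img):
            length, = struct.unpack(">I", img[p:p + 4])
            ctype = img[p + 4:p + 8]
            end = p + 12 + length
            if end > len(img):
                break
            data = img[p + 8:p + 8 + length]
            crc, = struct.unpack(">I", img[p + 8 + length:end])
            if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
                break
            p = end
            if ctype == b"IEND":
                complete = True
                break
        if complete:
            found.append((pos, img[pos:p]))
        pos = img.find(PNG_SIG, pos + 1)
    return found


if __name__ == "__main__":
    image, original = make_image()
    seized = delete_file(image, "photo.png")      # user deletes the file before the device is seized
    acquired = acquisition_hash(seized)           # recorded at acquisition
    print("directory listing after delete:", list_directory(seized))
    print("working copy matches acquisition hash:", verify_image(seized, acquired))
    for offset, data in carve_png(seized):
        print(f"carved PNG at offset {offset}, {len(data)} bytes, identical to original: {data == original}")
```

The carver deliberately validates every chunk CRC: on a real disk a signature is often all that survives of an old file, and returning a header followed by unrelated bytes as "the recovered file" is exactly the kind of claim that falls apart under cross-examination.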
I always stress to my clients that prevention is better than cure. My advice would be to retain ownership of all devices on which commercial data could be stored, and to ensure that a clearly written set of policies on the use of company IT equipment is in place.
Businesses face a balancing act between trusting their employees and not adopting a Big Brother approach of monitoring all activity. Clearly, in environments where data is more commercially sensitive than elsewhere, the policies and checks should be adapted to reflect that, but for the most part I would recommend setting out the standards of use expected of staff and making sure that procedures for dealing with breaches are in place.