Home News Members News Skibo Technologies warns businesses over security threat to data held on employee-owned IT equipment
Monday, 22 August 2011 10:42
ShareShare on LinkedIn

Skibo Technologies warns businesses over security threat to data held on employee-owned IT equipment

A technology specialist is sounding a warning to business owners who allow staff to use their own IT equipment for work purposes. Mark Mair, managing director of Aberdeen-based Skibo Technologies Ltd, is advising company bosses to think carefully about whether the potential cost savings are worth the risk to the security of sensitive data.

With IT consumerisation growing at a rapid rate, there has been a rising trend in recent years for staff to use their own smart phones, laptops and tablet PCs instead of equipment provided by their employers to access company data. Some companies now even provide their workforce with a technology allowance in much the same way as they receive a car allowance. But Mr Mair warns that if the company wants to investigate suspected inappropriate use of technology or a breach of data security, it could find itself helpless to act.

Skibo has seen a rise in the number of clients asking for advice about suspected data misuse, and Mr Mair points out that only equipment owned by a company can be examined as part of an investigation. He says, “A company might typically replace business computers every four to five years, but consumers are now replacing IT equipment every 18 months to two years. For example, a standard mobile phone contract may be to replace the handset every 18 months, but some people are so keen to get a new or upgraded version that they renew their handset long before the end of the contract. They use the latest technology in a domestic setting, and they want to use it at work too - not equipment that might be a couple of years old.

“There is now pressure on IT departments to allow end users to access company data on their own devices, and while this may save the company the cost of having to provide equipment, they have to consider who owns the device and data on it. For example, would a company be able to remotely wipe the data from a laptop or mobile phone if it does not belong to them? An employer cannot force an employee to hand over equipment if it does not belong to the company, and this will greatly hamper the ability of forensic examiners to access relevant devices.

“In order to effectively and securely manage corporate data I would also advise against providing staff with an IT allowance to purchase and maintain their own equipment. Every new device potentially comes with its own set of security flaws. A standard and approved list of equipment supplied by a company is the only truly effective way of managing security.”

Skibo Technologies recently launched a new forensics service specialising in IT security in response to the growing problem of data misuse. Skibo has staff are trained to standards recognised by the legal system in Scotland and elsewhere, and are called in when firms suspect there has been a security breach. Mr Mair points out that, contrary to popular belief, data simply cannot be deleted – there is always a trail to follow, or digital fingerprint if you like.

He adds, “We have on occasion recovered data that had been deleted months, and in some cases years, ago. Using specialised forensic equipment and software, we can often track activity down to single files and devices to prove that certain activity has taken place. People should not be fooled into thinking there is anonymity in this digital age.

“The critical aspect of any forensic investigation, whether electronic or not, is to secure those devices and data sources that are relevant to the suspected breach. It is important that evidence is captured in a manner that is acceptable to the courts: more cases are lost on procedural errors in capturing data than on the evidence itself.

“We always stress to our clients that the prevention is better than the cure. Our advice would be to retain ownership of all devices on which commercial data could be stored, and to ensure that a clearly written set of policies regarding the use of company IT equipment is set out.

“Businesses face a balancing act between trusting their employees and not adopting a big brother approach to monitoring all activity. Clearly in some environments where data may be more commercially sensitive than others the polices and checks should be adapted to reflect that, but for the most part I would recommend setting out the standards of use expected of staff and making sure that the remedies of dealing with breaches are in place.”

Based on 5 Rubislaw Place, Skibo Technologies provides complete computing infrastructure and collaboration solutions. For further information on Skibo Technologies services, visit www.skibo.com or call 01224 793970.

124 views