If you go back to the 1960s, computers for important tasks like payroll filled an air-conditioned room with endless rows of large boxes with flashing lights, card readers sorting, and tape readers spooling. Whenever you see a spy drama recreating the war room of the Pentagon, you might think such scenes an exaggeration, but that’s how big computers used to be.
Today, you can have vast amounts of processing power and memory from a handheld device with an internet connection to cloud services. Indeed, go out on the road with any member of sales or deliveries, and you will see them routinely updating centrally held records with the new orders or confirmation of receipt by customers. Mobile devices are now the norm.
Although this works well in specific situations, there are real risks in more general use. A member of the office staff or management takes out a mobile device, puts it down for a moment and then is surprised when it disappears. Anything portable is easily lost or stolen. Now ask yourself, “Does my mobile phone or other device have a password?” Or had you already entered the password because you were about to get the latest emails? The problem is that, without a good password on these devices, anyone with basic hacking skills has an open door into your company’s data. This can be anything from the latest commercially sensitive accounting data that a speculator would pay handsomely to access, to lists of customers, to credit card details used for collecting payment from customers, and so on. Even if all the data is encrypted while it is stored in static memory, using an authorized device to move the data into dynamic memory decrypts it. Anyone with the device can then read the data or download it. At the very least, this is a PR disaster, but it may also expose your company to the risk of fines and civil action for breach of privacy.
As a secondary issue, most mobiles have GPS technology installed as standard, and even without it a user’s location can be tracked by identifying the transmitter towers. Employers therefore have the power to track their employees. Depending on where your company is based, local state laws may allow employees to sue for invasion of privacy if you track movements without actual consent or for no good reason.
So, you need to think very carefully about encryption, about the quality of passwords on mobile devices used outside company premises, and about giving yourself the power to wipe the contents of any mobile device that is misplaced. This means both complying with your state’s laws and satisfying your own business insurance company that you have implemented a reasonably secure strategy for preventing data loss altogether, or for keeping the value of the loss small. This will allow you to keep the premium rates low. But if you fail to manage these risks properly, you could well find that renewal of the policy is threatened or the premium rates go up dramatically. The most recent news shows even top organizations have been victims of cybercrime. Being small does not give you a free pass. Talk to your business insurance adviser about these issues before you get caught out.