...
For example, while a member of staff is working from their own computer, a social media app that was recently downloaded or is already running could access and use the work contact database, sharing identifiable information about clients which, by law, could not be passed to a third party without their consent. This could inadvertently result in a data protection violation.
Another risk is that the owner of the computer may install apps from insecure sources, perhaps without realising the risks, which could expose your organisation’s files to attack by malware*. Failing to update a device also leaves it open to security threats.
...
The operating system and apps must be fully supported by the manufacturer and still receive security updates.
A software-based (host) firewall is enabled and configured correctly.
Security updates must be installed within 14 days of release.
Cyber Essentials password controls are applied to users’ own devices (BYOD).
Users logging in on computers and tablets use a day-to-day account that is separate from the administrator account.
The device locks automatically when not in use and requires a PIN or passcode of at least 6 digits to unlock (use a biometric* if available).
Anti-malware software is installed on the device and kept updated or, for a mobile device, only apps from the manufacturer’s official app store may be installed.
Unused apps should be uninstalled.
A lost or stolen device must be reported to the organisation promptly.
Rooting* or jailbreaking* is not permitted, as it disables the platform protections that the controls above rely on.
A remote erase and tracking app must be installed and activated so that a lost device can be tracked, locked and erased. Obtain written consent in advance from the device owner to remotely wipe the device in the event of loss, theft or termination of employment (a full-device wipe also erases the owner’s personal data, which is why consent is needed).
Clarify how, when and why monitoring will take place, and require the device and its passwords to be handed over on reasonable request.
...
Container apps or managed apps are software that separates the organisation’s data from the owner’s personal data on the device, enabling the organisation to limit monitoring and remote wiping to company data only.
Mobile Device Management (MDM) software allows you to monitor, manage and secure employees’ or volunteers’ mobile devices. A range of pricing models is available for this software.
Desktop virtualisation software, such as Citrix, allows employees or volunteers to securely access data stored on the corporate network from their own device. Organisational data is accessed remotely and stays on a secure server. It may be necessary for staff to agree not to copy the organisation’s data onto their own device.
So, before allowing private computers and phones to access your organisation’s business information, be aware of the hidden costs (subscriptions, updates, limitations) and the risks to your data, and make a balanced judgement. If you need support with this, seek advice from an independent IT security service company.
Definitions
*The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Strict laws determine how you store people’s contact details and personal information.
*Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network.
*Biometrics are unique identifiers such as fingerprints, face, iris and/or voice, that can be used instead of or in addition to passwords, to make human identity authentication more secure.
*Jailbreaking is the process of removing the limitations put in place by a device’s manufacturer. It is generally performed on Apple iOS devices, such as the iPhone or iPad, and removes the restrictions Apple puts in place, allowing third-party software from outside the App Store to be installed. Essentially, jailbreaking allows you to use software that Apple does not approve.
*Rooting is the process of gaining “root” (superuser) access to a device. It is similar to jailbreaking, but is generally performed on Android devices.