- the Internet;
- directly to other individuals;
- Wi-Fi enabled objects that are passively collecting your mobile device exhaust, and/or images of you, as you pass by them;
- unlimited numbers of unknown others slurping data through their mobile apps; and
- growing numbers of other “smart” internet of things (IoT) devices that are automatically taking the data generated and passing it along to unlimited others.
1. Determine your risks
Do a high-level risk evaluation that includes, among other actions, answering the following questions:
- What types of devices (computing, storage and smart) are employees using? How many of them are owned by the business, and how many by the employees or others?
- Which ones are used while doing work activities?
- Which ones collect data in some manner?
- Which ones store business information?
- What mobile apps are used on the devices? What data are they collecting, and to whom are they sending/sharing data?
- In what geographic locations and types of environments are the devices being used?
- What security controls are used in all those locations?
- Who has access to all the data?
- How can data be removed from those devices?
- What kind of training and awareness communications do employees receive for using all types of devices?
- What types of confidentiality contracts do employees sign when starting work?
- What are employees required to do when leaving employment with the business?
2. Establish documented security and privacy policies and procedures
Now you need to establish documented security and privacy policies to mitigate the identified risks to acceptable levels, providing the rules for all the types of tech that your employees use that could impact your business. Then document procedures to support those policies. Remember: if your policies and procedures are not actually documented, they don’t exist, at least as far as the clients, regulators and auditors who review your information security and privacy programs are concerned. Policies and procedures for the issues related to employees using their own devices in a wide range of locations should include (but should not be limited to):
- Requirements for employees to sign non-disclosure and confidentiality agreements upon the start of employment.
- Requirements to get data from computing devices when employees leave the company.
- Clearly worded requirements for the types of technologies that can and cannot be used when doing business activities.
- Clearly worded requirements for where business information, including information about customers, employees, patients and other types of personal information used within the business environment, can and cannot be posted, shared, stored, etc.
- Employee exit procedures that review the departing employee’s legal obligations, so that the soon-to-be ex-employee understands what they cannot do with the business information they had access to, and the legal ramifications of taking business information and using it elsewhere.
- Requirements for employees using their own devices, in unlimited locations, to get training for the security and privacy requirements.
3. Identify tools to support the policies and procedures
There is a wide range of tools to consider, such as (but not limited to):
- Encryption for data at rest, data in transit, and data being collected.
- Data logging tools to track business, customer, employee, patient and other data that is related to the organization.
- Remote data wipe tools to remove data from ex-employee, stolen and lost devices.
- Firewalls and anti-malware tools required on all types of devices.
- Periodic privacy impact assessments (PIAs), risk assessments and audits.
4. Provide training for the requirements
Your employees will not know what to do unless you provide them with effective training. Providing effective training is key; don’t just point employees to a document and call that training, because it is not. There are many ways to provide effective training.
5. Send occasional awareness reminders
The longer it has been since training, the less often employees will think about how to secure information and protect privacy. You must provide ongoing, frequent communications to remind employees of the need to work in a way that protects data and privacy. There are many ways to provide ongoing information security and privacy awareness communications.
6. Monitor compliance
After you establish rules for how to use computing devices and how to manage business data along with personal data, you need to make sure those rules are effective. You can’t just put the rules out there and assume everyone is following them. Some will certainly choose not to, but there will also be others who didn’t understand or notice the rules, those who will forget the rules, and those who will make mistakes that create incidents and even breaches involving business information. You must monitor the effectiveness of your policies and procedures for how employees must work with their own devices in every location.
Conclusion
Businesses must keep up with the times to know the current and emerging risks based on current and emerging public trends for using a wide range of technologies and computing devices. Businesses must then make sure the rules for using such technologies are documented, and then ensure those rules are followed.