Wednesday 16 October 2013

ICO urges firms to crack down on unsecure device use

The Information Commissioner's Office (ICO) has told business data controllers that while remote working and bring your own device (BYOD) policies have many benefits, they should "not be shy" about cracking down on unsecure devices.
The data watchdog also suggested, though, that businesses should not go too far in the other direction by intruding on their employees' privacy, and that a balance must be struck.
Speaking at a Westminster eForum event on remote working, Simon Rice, the ICO's group manager for technology, said data controllers should consider how much information is required on any device at one time and that simple security features should not be ignored.
"If a device does not have what the data controller considers to be a critical measure or if the employee doesn't want to enable it, don't be shy about choosing not to enrol that device," he advised. "Most modern devices allow for password protection and the encryption of data, and it's just a matter of making sure it's switched on at little or no additional cost.
"It's important that a data controller is not reducing a level of security that they've already put in place. If they've already defined the standards, allowing new devices to connect shouldn't reduce that standard."
However, Rice was quick to discredit excessive mobile device management, urging data controllers to take a slightly lighter touch to regulation: "We mustn't forget the employees themselves. By definition, some or most of the use of personal devices will be personal. A bring your own device policy should not permit surveillance or excessive monitoring coming through the back door."
The ICO has handed out fines totalling more than £4m to public bodies alone since it was given the power to penalise data mishandling in 2011, with the total brought even higher when private firms are considered.
Rice concluded that while many business processes can take place on personal devices, it would not be considered acceptable for "all types of processing for any type of data" to take place on personal devices. He said that data controllers "must take stock of this, and should not underestimate the time and effort to put those measures in place."
The use of BYOD policies in organisations is growing all the time. V3 reported this week on plans at Hounslow Council to implement BYOD for both phones and tablets as well as moving to an 'infrastructure free' IT use model within five years.
