A combination of changing business culture, the rapid evolution of technology and the tightening of regulation means that maintaining IT compliance in the eyes of bodies such as the Financial Conduct Authority (FCA) is a full-time consideration. For many companies, the challenge of compliance is brought into sharp focus by the adoption, in whole or part, of a Bring Your Own Device (BYOD) culture within the organisation.
While BYOD policies have fairly well documented cost, productivity, and practicality benefits, they also pose very real challenges to data security, data protection, and your overall compliance, including:
- Enhanced risk to the security of sensitive data
- Potential for data theft by disgruntled or departing employees
- Risk of devices falling into the wrong hands, for example when users upgrade or exchange devices
- Potential for devices to access the network without adequate security measures in place
All of these are issues that a robust BYOD policy can address.
However, while BYOD may present challenges to your IT compliance, your responsibilities reach considerably further.
Using multiple devices may exacerbate the threat of security breaches if left unchecked or poorly managed, but the threat from cyber-attack is multi-layered and requires robust attention across your entire system, regardless of who owns the devices.
With more than 230,000 attacks on SMEs in the UK in 2016, 90% of which sought to take control of connected devices, cyber-crime threatens the livelihood of companies of all sizes and poses a major challenge when it comes to demonstrating compliance.
Responsibility for the protection of sensitive data falls squarely on the organisation's leaders or owners. To remain compliant, you need to be able to demonstrate that you have taken all reasonable and available preventative measures.
This might include:
- Ensuring security software is maintained and kept current
- Installing patches and updates promptly and regularly
- Carrying out periodic penetration testing to check for weaknesses
Internet of Things
The connected world is moving beyond traditional computer devices. The Internet of Things (IoT) allows devices and equipment to send and receive data online, and its uses and potential are being explored ever more widely across all manner of industries. Reports suggest that, by 2019, there may be as many as 23 billion connected devices worldwide.
The opportunities that such innovation brings, however, come with increased threats to data security and, by consequence, new compliance challenges.
IoT is complex, with the potential for greater vulnerabilities because greater volumes of data move across a wider array of devices and channels. Companies investing in this technology need to be aware of the associated risks and incorporate them into their security and safety policies.
Software as a Service
Using Software as a Service (SaaS) for data management is akin to using a third-party resource within the business. Third parties and cloud-based services are not prohibited by the FCA, but their use is bound by regulations that must be adhered to.
Things to consider when using SaaS include:
- Demonstrably robust security
- Demonstrable procedures for handling data loss and recovery
- A full understanding of where and how data is stored
- Access to data that is available at all times, both to you as the client and to legally authorised inspectors and auditors
Understanding your responsibilities when it comes to IT compliance is an ongoing and essential aspect of your business. New IT cultures, such as BYOD, undoubtedly bring challenges to securing data and staying compliant, and as new technology such as SaaS and IoT is adopted, new vulnerabilities emerge. These vulnerabilities need to be identified, and these challenges met, to ensure your business remains safe, secure, and within the law.