Are your employees handling your data responsibly?

Written with:Ankura logo

New NCSC guidance on shadow IT

The National Cyber Security Centre has issued new guidance on managing ‘shadow IT’.

Shadow IT, sometimes called 'grey IT', is any unapproved tools and technologies used in an organisation for business tasks. These aren't managed by the official IT department or policies, so they pose a risk of data breaches and malware spread.

Shadow IT also encompasses cloud services – for instance, employees saving business data in their personal cloud accounts for convenience.

Practices like this challenge your business’s risk management because it's hard to protect what you don't know exists.

Mostly, shadow IT arises when employees try to work more efficiently by using tools they're familiar with, or when official tools fall short.

Common reasons for shadow IT use include:

  • insufficient storage space;
  • difficulty sharing data externally;
  • lack of access to necessary tools or services;
  • no official video chat or messaging solutions;
  • slow or complex processes for requesting official resources;
  • official tools lacking desired features; and
  • unawareness of the risks from using personal devices or tools.

You can read the full guidance, including further examples of shadow IT and tips for mitigating the risks it poses, here.

Your business data is one of the most valuable assets you possess. You know this and so do others, which is why you take steps to keep your data safe and secure. But have you thought about the vulnerabilities to your business that can be created by the behaviours and attitudes of your employees?

Data is created at an astonishing rate. The estimated daily volume of newly created data is more unfathomable today than it was yesterday, and it will be outdated by tomorrow. This is a problem for every business because employees create data every day.

People also read data; they interpret it; they share it; they store it; they manipulate it; they delete it; and so on. Data can be widely used and misused.

As employers, it’s becoming increasingly important that we get a handle on the data to which our employees (and other workers among our staff) have access, and that we fully understand what they are doing with it, and regardless of whether their handling of it is legitimate and in good faith, where our data vulnerabilities arise.

We asked Ankura Managing Director, Rob Jones, one of THE experts on data security and data forensics, to collaborate with us on producing this guide, because when it comes to what’s happening to your data without you knowing it, Rob’s pretty much seen it all ...

...and he and his colleagues are already predicting (and preparing businesses for) tomorrow’s new and evolving data-related risks.

What are the risks?

So, when we talk about data risks relating to employees, what sorts of risk are we talking about?

“The way that your employees handle your data is increasingly important because data incidents, such as thefts of information or data breach are now more commonplace and the way that we use data is becoming more regulated,” Rob points out in response to this question. "There are two types of risk, and everyone needs to take both of them seriously."

1. The commercial risks

Confidential know-how, like customer records, strategic business plans, technical designs or data describing components for novel solutions, are among the most desirable forms of data that may be targeted for export.

Often, they're targeted by people very well known to you, for example, employees leaving to set up new ventures or to join competitors who are looking to gain the advantage by poaching both your talent, and what they can lay their hands on.

The more established and successful you become, the greater the risk that your data may also be targeted by criminals who wish to use it for financial gain, for example, through counterfeiting operations or others who are engaged in 'industrial espionage' - which is just a very grand term for them simply spying on your business in order to steal its secrets and either duplicate or hold you to ransom over them.

And that's before you get to any potentially embarrassing emails, instant messages, pictures or other data, which might also be targeted by people whose motivations may not always be correctly, or legitimately, founded.

All of these types of incident are serious, more common than many of us might imagine, and they can be highly damaging to your brand, your business, your reputation as a competent management, and the trust invested by your customers, partners and investors.

2. The non-compliance risks (breaking the law)

As well as a moral and a commercial responsibility to protect your data, you are also required by law to behave responsibly:

  • Not properly protecting your business secrets and your operations could, in certain cases, be considered a breach of the legal obligations that directors owe to their business.

    That kind of finding may invalidate your insurance cover and even remove the usual protections that a limited company structure provides, causing directors instead to be held personally liable, on an unlimited basis, for the damage that is caused.

  • not ensuring the safe-keeping of personal data and avoid data breaches can have serious consequences too under the UK's data protection laws. If you are not on top of these, rules you could end up with a hefty fine.

    “There are legal rules about what data we must create, keep, share and destroy”, Rob says, pointing to the fact that “it is all too easy to be a victim to those rules and to face penalty because of your own actions, or those of your employees.

“To be data-smart, and well protected, you need to have rules of your own”, Rob advises. "Ones which are proportionate and that make sense for the kind of business you have, and the risks to which you may be exposed. And you'll need to make sure that you've got in place sensible systems and processes to give these rules maximum success in protecting you."

What can employers do to get a better handle on those risks and ensure we stay compliant?

“You need to put in place those rules,” Rob laughs.

So, we asked him to shed more light on what those rules are, and how we can apply them in practice. Here’s what Rob told us:

Your employees will need proper guidance (and tools) to know:

1. How (and when) to create documents

When you are creating documents, be on your guard. Remember it’s not just about your word-processed documents and spreadsheets. A document is anything that is recorded, so at the point of creation, imagine that you will have to show every email, text message, photograph, note, presentation, web page, social media post, video or voicemail to a judge or a journalist.

If it has the potential to be misunderstood or to embarrass or cause any other type of trouble, then you should exercise caution.

2. What information they should create, access, share and store

Exercise similar caution when assessing information that is available to your employees.

Having general rules in place that require your staff to:

  • only use information obtained legally, from a trusted source, and
  • if the information contains personal data, to cross check that they have express consent (or another exceptional reason, recognised by UK law), to access and use it

can help you to direct them and you away from unwanted trouble.

3. What information they should not create, access, share or store

Conversely, having clear rules that prohibit the use of risky resources (such as the dark web) will help you to keep your business safe from cyber-attacks. These rules have the added benefit that you can discipline your staff if they are found to have breached the rules.

4. How and where information must be stored

There are times when you will need to access your business data quickly and the easier you can do this, the better. You might need to do this, for example, if an individual requests sight of their personal data that you're holding, or if a court, regulator or other body requires you to disclose materials in your possession.

You might need to retrieve substantial data because you're taking on investment or loan finance, undergoing a procurement process with a major customer, restructuring your business, or selling it to someone who will want to review your operations to understand whether it presents any unacceptable risks, etc.

Every document created in your business must be accessible to you and stored in a way that achieves the aim of rapid retrieval, by appropriate staff, with minimum fuss.

"It's also good contingency planning to ensure that more than one suitable member of staff can access material belonging to your business", points out Rob.

"If, for whatever reason, you need to search your documents, and if this is not easy to do, it may become a distraction that you cannot afford – especially if you have to engage a third party to do it for you," he warns.

5. How information must be moved (if it is necessary to do so)

In the same way that gold is moved by armoured guards, make sure that your data is protected during transit.

In these circumstances, your armour-plating is the way that you package your data up for transmission.

Make sure it is adequately encrypted.

Only use transmission and encryption methods/ solutions that are recognised as lawful and secure within the UK - especially where personal data is being transferred. Servers and tools provided by non-UK-based businesses should be carefully reviewed, to ensure that they are legally compatible with the UK's rules.

And make sure you have secure back-up in the event that a main system fails.

6. With whom information may be shared

It's wise to categorise the data that you’re sharing on a daily basis. Make sure your staff know what they can share with the public and what they must only share internally, as well as any variations on these (for example, more may be shared among senior management than the wider staff).

When it comes to disclosures of important data to others, having a non-disclosure agreement (NDA) is a very sensible tool for providing a framework to share more sensitive information on a limited basis.

And while they're not bullet-proof, NDAs are generally effective at reminding people to act in good faith and with integrity when you share confidential information with them. Make sure you include indemnity and liability clauses that set penalties for disclosure at sufficiently demotivating levels too - these can be particularly good at reminding people not to break your confidence.

7. How long information should be kept for

Too much data can slow you down, make you less agile and expose your business to unpleasant health risks.

Make sure you understand the minimum lawful term for which you must keep certain classes of data.

Ensure that your storage arrangements are managed in a way that enables you to securely and lawfully delete data when it is no longer required.

8. What to do when someone in authority asks for copies of documents

Do not panic when someone in authority requests documents. This could be a regulator or a court.

Work through the request systematically and thoroughly. You will be expected to be honest and transparent in your response. However, it's highly recommended that you take advice, to ensure that you're interpreting the scope of any such request correctly, and not too broadly - to include everything possible - or too narrowly.

If you need help getting hold of your data easily, you can get folks like the team at Ankura to help you work out a plan for producing the information requested. They generally work in tandem with your legal advisers to make this process as efficient as possible.

9. There should be a legitimate purpose for keeping and using certain types of data (especially personal data)

The rules relating to data privacy require you to keep information about individuals safe. For example, keeping customer contact details may be perfectly reasonable (because you may need to contact those customers as part of your overall service, or for product recalls, etc). However, if the information you gather is excessive (e.g. hanging on to records of people who have died) or not well managed (sending messages to old addresses), you'll likely fall foul of the UK's data protection laws.

Would you expect to find these rules set out somewhere, all in one place, like a business policy document for example?

It is a good idea to make sure that all of these rules are included in your business' data-related policies or your staff handbook, that all employees can readily access and be required to read.

New joiners should be alerted to this as part of their induction too, and existing staff should be reminded about them on an annual basis, at least, so there can be no excuses for not being familiar with them.

Want to access this guide?

Already have a Farillio account?Sign In

Get unlimited access to 100s of legal resources by signing up to Farillio today.

  • Manage your legal documents online
  • Well written legal templates by our partners
  • Guides to help you understand law
  • Legal help available every step of the way
Sign up

Read the full guide

Farillio members have access to all our online content

Farillio is THE trusted resource for businesses and households with:

  • Self-serve guides
  • How-to-do-it videos
  • Interactive documents and checklists
  • On-demand advice without hefty fees

If you need to do something complicated fast, we can take you through it, in plain English.

Many household names have chosen Farillio for their customers or members so we may be included in a service or product you've already purchased.

Already have a Farillio account?

Sign in

While we can connect you with some very fine advisers in the UK, and we collaborate with them to provide you with great materials, Farillio itself is not a law firm. We do not directly provide legal advice ourselves. All resources are available for you to use (according to our terms and conditions), but those resources are not legal advice to you and neither are they a substitute for you taking legal advice from a lawyer.

Farillio Inc.

© 2017-2023 Farillio Limited.

Farillio Notice