Are Leased Vehicles Part of Your Firm’s IT Risk Assessment Programme?


Mobile-based apps, telematics and the Internet of Things, among others, are all technological advancements that have delivered great convenience to us as consumers. The in-car information systems serve as excellent tools for communication, vehicle tracking, maintenance and servicing. For the individuals, the connectivity they offer make them exceptional entertainment, mobility and physical security instruments. But like with all technologies, in the wrong hands, these tools have a dark side. Increasingly, these technologies are being mis-used by threat actors and so posing a significant risk to individual and organisations’ data privacy.


Many organisations, including law firms, lease vehicles today. Of course, connecting the mobile phone to the vehicle for hands free calling is a no brainer. Given the sophistication of in-car systems, individuals can also view emails on their car screens. From a privacy perspective, this means that all this information – phone book details, GPS details and destinations, potentially sensitive and confidential information (both personal and professional) in the emails and so on – are all stored on the car’s hard drive.

At the end of the lease, at the time of returning the vehicle to the leasing company, does your organisation have a process to ensure that the confidential information is removed from the car?

Organisations must have policies and processes in place to ensure that leased cars are not inadvertently posing a risk to data privacy for both employees and the business. Some considerations:

Risk assess and undertake a reality check of the leased vehicle right at the start
There have been many cases where a newly leased car has had contact phone numbers and emails on the hard drive in the vehicle. Some of these details could constitute as personal identifiable information. Similarly, given the nature of legal work, if a vehicle is being returned at the end of the lease tenure, if not risk checked, potentially the hard drive of the car could be carrying confidential client information such as details of mergers and acquisition, intellectual property, employment tribunal cases and more.

Firm must have formalised processes to ensure that a thorough check of the vehicle is undertaken at the start of the lease to ensure that the vehicle’s system is wiped clean. It’s actually similar to what a firm already does when it assigns PCs and laptops to new joiners.

Define policy for the use of vehicles’ information system
Usage policies for BYOD initiatives is now routine. The same approach must be applied to leased vehicles. Users must know what kind of information they can keep on the vehicle’s hard drive, guided by clearly defined policies that appropriately and realistically address personal and professional requirements. This will provide the users an understanding of what they can and cannot do.

Regular reviews of information systems
The responsibility of the kind of information held on the vehicle rests with the users. Providing specific guidance to users will enable employees to take ownership of the activity. For instance, an element of the policy could be that users have to periodically (e.g. every month) wipe the information system clean so that no confidential business information is held for an extended period of time.

Similarly, if the vehicle needs to be sent to the garage for repair, the onus for ensuring that the car doesn’t carry any sensitive personal and corporate information must rest with the user. A threat actor working in a garage could very easily compromise a business deal, a legal matter and even the firm’s GDPR compliance.

Vehicles today are extremely powerful assets, but they need to be appropriately managed to ensure that they aren’t a risk to individuals who use them and the businesses that lease them. They must form part of your firms’ IT risk assessment programme.

About Shelton Newsham
Shelton Newsham is a manager and lead at the Yorkshire and Humber Regional Cyber Crime Team, advising public and private sector and individuals (including at Board level) on threat mitigation. He is a CRISC, CISM, CIPP/E, CIPM, ISO 27001 ISMS Lead Implementer, ISMS 27001 Auditor and CBCI. With over 18 Years’ experience in law enforcement, Shelton has extensive experience in incident response, critical incident management, intelligence assessments, threats to life, incident investigation, safeguarding the vulnerable, public order, and large-scale operations, working at a strategic level.

Comments

Leave a comment

Your email address will not be published. Required fields are marked *