Balancing Security and Privacy in the Enterprise

By Christy Wyatt

Enterprise security teams have a job to do that matches their name – secure their organizations – but it does not have to come at the expense of their colleagues’ privacy. The challenge is that security and privacy are vastly different philosophies. One is about protecting sensitive information from threats, while the other is about how sensitive data is collected and managed. How, then, do organizations balance the requirements and expectations of both sides, keeping their data secure while ensuring that the company does not violate privacy laws?

Employees: The data is yours so it’s not our responsibility, is it?

Protecting corporate data is paramount to the enterprise. Protocols for terms of use, conditions of employment and IT policies are in place for this reason, but who or what has the responsibility of protecting the employees and their privacy? Although many employees do not feel that security is a part of their job descriptions, very rarely do they object to employers taking the necessary provisions to safeguard enterprise assets – as long as it does not come at the expense of worker privacy.

Today’s ultra-connected ecosystem makes it understandably challenging for companies to keep employees from conducting personal business on the endpoints nearest to them, whether personal or corporate-issued devices. This includes using third-party websites to check email, updating social media profiles, and downloading apps and software on company-issued devices. At the same time, security perimeters continue to erode with the increase in remote workers and virtual offices, the use of cloud services, and the trend toward BYOD.

For instance, cloud service tools such as Dropbox and Google Drive provide employees with much-welcomed productivity and efficiency gains while helping to streamline workflows. However, these tools are not inherently secure because the default account settings may not provide sufficient protection for files saved and shared in the cloud. In addition, the URLs established to access and share the files can be indexed by search engines, allowing them to be found in the public domain by external parties through a simple search. Even the most security-aware employee may unknowingly fall prey to these types of innocent mistakes.

Employees must realize that they need to meet their companies in the middle by taking an active role in protecting their digital privacy, which ultimately safeguards corporate assets to a degree. To accommodate IT security teams, the solution is as simple as realizing that corporate security is everyone's responsibility. With this in mind, employees should minimize personal business on corporate endpoints and proactively refrain from any behavior that may be deemed a security risk.

Nonetheless, it’s human nature to make innocent mistakes and unknowingly become a negligent insider: someone who is not aware that they are the cause of a network vulnerability. In fact, an assessment conducted by Dtex revealed that a majority of breaches, 68 percent, are caused by negligence. For all the efficiency and productivity employers want to enable, they must account for the fact that security is often an afterthought for much of the workforce.

Enterprises: We will take the lead

Enterprise organizations naturally view the security of their data, intellectual property, employees and other sensitive assets as a top priority. They deploy myriad security solutions to cover a wide range of threats, from malware and phishing scams to ransomware and network attacks. The problem is that even companies with the most sophisticated security systems may not have full context into what is happening on and off their networks. Combine this with the understanding that one of the largest vulnerabilities to an organization is its own insiders, and you have a perfect storm for potential security breaches. At the same time, employee privacy, whether for ethical reasons or by law, must be considered.

It starts with enterprises encouraging employee cooperation instead of ordering strict compliance. Implementing clear protocols and education programs on the safe use of external cloud services, or on which websites are safe to visit and which to avoid, is a great way to minimize opportunities for the insider threat to become widespread. Nevertheless, employers should consider that not all employees will follow protocols 100 percent of the time and recognize that some employees may innocently make mistakes.

To navigate this and adhere to even the strictest privacy laws, there are options for organizations that avoid the “big brother” approach. Security tools are available today that forgo keylogging, screenshots and keeping records of identifying information. Some have optional anonymization processes that strip out the metadata that would identify an individual and look only at anomalous behavior at the endpoint. This type of user behavior intelligence gives security teams actionable information that allows companies to proactively tackle incidents at the source, yet identify specific individuals only if the need arises. The bottom line is that there are options for balance.

It takes two to tango

The coexistence of security and privacy in the enterprise is not a pipe dream so long as the employer and employees contribute to make it a reality.

The enterprise must do its part to respect and maintain employee privacy, knowing that some employees may innocently or mistakenly create security vulnerabilities. Organizations should inform employees when and where data will be collected and alert them to any changes. In addition, to protect against insider threats stemming from negligent, malicious or compromised users, businesses should have holistic visibility into user and endpoint behavior so they can detect activities that deviate from the norm. What’s more, many organizations do not realize that this type of behavior monitoring can be done anonymously with today’s tools and technologies. Employee privacy is protected until an anomaly is detected.
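The pattern described in the two passages above (identifying metadata stripped before analysis, re-identification only once an anomaly is flagged) can be sketched in code. This is an added illustration, not Dtex's product or any vendor's implementation; the event list, the upload threshold, the `Escrow` class and the keyed-hash pseudonymization are all constructed assumptions for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample endpoint events as (user, action); not real telemetry.
EVENTS = [
    ("alice", "cloud_upload"), ("alice", "web_browse"),
    ("bob", "cloud_upload"), ("bob", "cloud_upload"), ("bob", "cloud_upload"),
    ("bob", "cloud_upload"), ("bob", "cloud_upload"), ("bob", "cloud_upload"),
    ("carol", "web_browse"),
]

UPLOAD_THRESHOLD = 5  # constructed baseline for "anomalous" bulk uploads


class Escrow:
    """Holds the pseudonymization key and the token -> user mapping.

    Analysts never see this object; they only see the tokens it emits.
    Every re-identification is logged so the organization can show
    employees when and why a pseudonym was resolved.
    """
    def __init__(self, key: bytes):
        self._key = key
        self._mapping = {}
        self.reidentifications = []

    def pseudonym(self, user: str) -> str:
        # HMAC so the token cannot be reversed or guessed without the key.
        token = hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()[:16]
        self._mapping[token] = user
        return token

    def reidentify(self, token: str, reason: str) -> str:
        self.reidentifications.append((token, reason))
        return self._mapping[token]


def pseudonymize(events, escrow):
    """Strip the identifying field; what the security team analyzes."""
    return [(escrow.pseudonym(user), action) for user, action in events]


def detect_bulk_upload(pseudo_events, threshold=UPLOAD_THRESHOLD):
    """Flag pseudonyms whose cloud_upload count meets the threshold."""
    counts = Counter(t for t, a in pseudo_events if a == "cloud_upload")
    return sorted(t for t, n in counts.items() if n >= threshold)


def investigate(events, escrow):
    """Analyze anonymized data; resolve identities only for flagged tokens."""
    flagged = detect_bulk_upload(pseudonymize(events, escrow))
    return [escrow.reidentify(t, "bulk cloud upload") for t in flagged]
```

Only the one pseudonym that crossed the threshold is ever resolved back to a name, and the escrow log records that it happened.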

At the same time, employees need to shoulder some responsibility for making the most of the security protocols their employers set, since those protocols help minimize opportunities for breaches. Security is a business-wide responsibility—and at the intersection of security and privacy lie visibility, transparency and trust.

About Christy Wyatt

Christy is Chief Executive Officer of Dtex Systems and serves as a member of the board. Most recently, Christy was Chairman, CEO and President of Good Technology, the global leader in mobile security across the Global 2000.
