Commentary, 4/23/2014 10:00 AM
David Melnick

Workplace Data Privacy Vs. Security: The New Balance

Is it time to rethink the traditional lock-down approach to employee use of corporate networks at work?

Over the last 15 years, security interests have largely silenced the data privacy debate, leaving companies and employees around the world paying a high price. Today, this focus on security has created a backlash, one that I predict foreshadows a new balance in workplace privacy and security that will tilt more toward individual protection.

But first, let’s talk about the present. Individual privacy and security of the company network are under increasing distress for three main reasons.

  1. More worktime online: Employees now spend on average nearly two hours per day in personal web use at work. According to the Palo Alto Networks Modern Malware Review, this activity originates 90 percent of malware threats and exposes organizations to loss of trade secrets, data breaches, and financial theft.
  2. Cyberthreats on the rise: The growing experience and training of hackers (both individuals and state-sponsored) has led to record numbers of malware incidents and data breaches, resulting in record high losses and related costs, according to the Open Security Foundation data loss database.
  3. Employee privacy rights activism: Companies, regulators, and employees around the world are starting to pay attention to corporate end-user monitoring and to what employees have a right to keep private while using computers and networks at work. In Europe, for example, regulators have begun to set limits on the use of end-point monitoring solutions such as Data Loss Prevention (DLP), because of potential conflicts with employee privacy rights.

To my mind, the crux of the privacy issue is that employees and employers seem to have competing goals. Employers focus on ensuring corporate security, increasing productivity, and reducing liability for bad employee behavior like cyber loafing, gambling, or accessing pornography. Employees, meanwhile, must balance a need to use corporate infrastructure for online activity (like personal email) against a desire to protect their personal information and reputations.

These goals do overlap, but in an attempt to navigate this environment, many employers (both wittingly and unwittingly) violate employee rights to privacy every day. Worse still, many companies have responded to the "new normal" by clamping down on employee web use by applying employee monitoring systems and unrealistic, unclear Acceptable Use Policies. This creates an unspoken tension in the workplace and takes employers into the territory of potential unfair trade practices under FTC Title 5, which states that if an organization has a policy but doesn’t follow it, the organization is engaging in a deceptive trade practice. In addition, the traditional lock-down approach delivers only modest gains in organizational security and little reduction in employer liability.

There has to be a better way
In Europe, more than 50 global jurisdictions have signed omnibus privacy laws, providing greater protection for individuals in the workplace and signaling an increase in the number of privacy laws worldwide. In the US, the White House last year published a 62-page privacy whitepaper that includes a Consumer Privacy Bill of Rights with recommendations on handling individuals’ personal data pertaining to issues of control, transparency, respect for context, security, access and accuracy, limits on data collection, and accountability.

Are you ready for the changes that are coming? Will you become an advocate for your employees? Do you think corporations have trampled employee rights in their efforts to protect the enterprise? What should employees be allowed to do at work? Do companies have adequate transparency into their policies and goals with regard to security and employee privacy?

Rather than living with the status quo, employers should seek to strike a new balance -- leveraging privacy to achieve security and broader risk management goals. By honoring their employees’ right to privacy, companies can restore trust, preserve employees’ dignity, and engage them in security.

The conflict between security and privacy is nothing new. What’s new is the revelation that employee privacy can actually be a vehicle to better security and that you don’t have to sacrifice one for the other. Privacy as a complement to security -- that should become the new normal.

David has worked for 25 years with US and global companies, advising them on strategy, risk-based priorities, and effective governance of highly sensitive and regulated data. He is a CIPP/E/US, CISA, and CISSP and has authored several books through McGraw-Hill Publishing and ...

Comments
dmelnick (User Rank: Author), 4/25/2014 | 12:10:01 PM
Re: australian privacy
I think Australia is a great example of emerging privacy law, as they have followed in the wake of EU data protection laws to ensure they were deemed adequate by the EU, or in other words able to transfer EU-protected personal information to Australia because their data protection laws were sufficient. They, like New Zealand, are an example for other countries in South East Asia.
Ciderblush (User Rank: Apprentice), 4/25/2014 | 9:40:04 AM
australian privacy
Recently Australia set up a department to govern and ensure greater security in personal privacy, including that used by corporations and businesses. Massive change from 20 years ago. Part of this is the governance of information archived or accidentally released, preventing a WikiLeaks - hopefully. A large part is protection of individuals. To make people feel safe. Even ten years ago a crim didn't feel safe because of the life they had lived. They didn't think they could start again. Usually private information is carried out of a place on a USB or documents.
MedicalQuack (User Rank: Apprentice), 4/24/2014 | 1:28:43 PM
World Privacy Forum - The Scoring of America - it covers it all
If you have not seen it... worth a read as the world is looking at the US and how data sellers and proprietary scoring is hurting consumers...

http://ducknetweb.blogspot.com/2014/04/world-privacy-forum-report-scoring-of.html
dmelnick (User Rank: Author), 4/24/2014 | 11:14:36 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Marilyn, the US vs. EU question around privacy generally and employee privacy specifically is very interesting. A few years ago I would have described the EU and US as both modeling different regulatory approaches to the topic as a part of a global battle for defining what privacy should mean. At this point, I would say the EU has won the global battle for hearts and minds. The US' big global contribution to the regulatory landscape has been Data Breach Notification (started in CA who would have known that public notification/humiliation would have motivated behavior so effectively). Beyond that I just think the EU has a more mature thinking about how to balance corporate/governmental interests against individual rights to a private life.

As a history major, I can't help but acknowledge Europe's unique recent history as a way of understanding how they have thought so deeply about the importance of protecting individuals' privacy. In the book IBM and the Holocaust, Edwin Black argues the birth of the information age was the census work performed by IBM and Germany during the 1930s, where they created the capability to cross-tabulate people's religion, occupation, geography, etc. Europe deeply understands the risks of technology deployed without safeguards for individual freedom, and to their credit has led the way in influencing regions around the world to implement basic rights and protections.
Marilyn Cohodas (User Rank: Strategist), 4/24/2014 | 9:55:54 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Dave, it seems from your blog that Europe is ahead of the US in terms of employee privacy rights. Do you have a sense of why that is, and who are the industry leaders?
ChrisB093 (User Rank: Strategist), 4/24/2014 | 9:35:37 AM
The need for a clear security policy
It might seem obvious, but our research found that 29% of the IT professionals we surveyed (250 in UK and 250 in US) told us their organizations don't have a security policy in place. It's great to have a policy that covers the 'why' as well as the 'what' in terms of any restrictions you are putting in place. This gives all employees a better understanding of the severity of what your organization is trying to tackle and what their actions might lead to - even accidentally.

Clearly document policies and consistently remind all users of them. This helps users come to understand what your policies are and why they are in place.

For more information on how to help mitigate insider threats to reduce the risk of security breaches, the insider threat manifesto is now available http://www.isdecisions.com/insider-threats-manifesto/
dmelnick (User Rank: Author), 4/23/2014 | 7:46:35 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
You nailed it. My whole vision for changing the playing field: if we segmented personal web use (the highest risk activity) from business activity, and then isolated or contained the personal use, the remaining business activity would be lower risk and no one would object to extensive monitoring and control.

The trick is containing personal use. BYOD definitely provides that capability if they do not use the corporate infrastructure/network. The WebLife solution also provides a mechanism for companies on corporate assets.

I think you are on the right track. Believe it or not, your idea represents bold new thinking.
theb0x (User Rank: Moderator), 4/23/2014 | 7:36:08 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
Well said. What if a company just segmented their network traffic? You want to go on Facebook? You want to check your personal email? Okay, BYOD and use this network and we will not provide you a firewall or monitor your traffic, but you will be subject to bandwidth throttling.
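The segmentation proposed in the comment above can be expressed as a gateway firewall policy. The ruleset below is an added illustration, not code from the post, the author, or any vendor; it assumes a Linux gateway running nftables with three interfaces (eth0 Internet uplink, eth1 corporate LAN 10.10.0.0/16, eth2 BYOD/guest VLAN 10.99.0.0/24), and every interface name and address is a constructed assumption. Guest devices get Internet-only access with no logging, and can never reach the corporate LAN; corporate hosts get Internet access that is logged, which is where monitoring and content controls belong.

```nft
#!/usr/sbin/nft -f
# Constructed example (assumed topology): eth0 = Internet uplink,
# eth1 = corporate LAN 10.10.0.0/16, eth2 = BYOD/guest VLAN 10.99.0.0/24.
flush ruleset

table inet segmentation {
    # Corporate address space that guest devices must never reach
    set corp_nets {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # Guest/BYOD VLAN: Internet only, never the corporate LAN.
        # No log statement here, so personal traffic is not recorded.
        iifname "eth2" ip daddr @corp_nets drop
        iifname "eth2" oifname "eth0" accept

        # Corporate LAN: Internet egress is permitted but logged; this is
        # the traffic that monitoring and content controls apply to.
        iifname "eth1" oifname "eth0" log prefix "corp-egress " accept

        # Everything else (guest -> corp, corp -> guest, guest -> guest)
        # falls through to the chain's drop policy.
    }
}
```

Load it with `nft -f segmentation.nft`. The bandwidth throttling the comment mentions is a traffic-control matter rather than a firewall rule; on the same gateway a token-bucket queue on the guest interface does it, for example `tc qdisc add dev eth2 root tbf rate 20mbit burst 32kbit latency 400ms` (rate chosen arbitrarily). Note that the ruleset only governs forwarded traffic; services the gateway itself offers the guest VLAN (DHCP, DNS) need their own input-chain rules, and the guest VLAN still exits through the corporate uplink, so the "no firewall" promise in the comment is really "no inspection or logging", not an absence of any control.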
dmelnick (User Rank: Author), 4/23/2014 | 6:44:26 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
I hear you, and there is no doubt that in the US, with proper notice and consent, usually in the form of an Acceptable Use Policy (AUP), a company clearly has the right to monitor and control employee Internet use. There is also no doubt that employee Internet use is a clear threat vector for a number of well understood risks. In fact this approach of draconian AUP followed by monitoring and control practices represents the preferred response to these risks. 

But there are high costs to this strategy. And the approach has limitations. In fact, I argue that we have hit diminishing returns with the next generation levels of monitoring and control. As Anthony suggested, we are controlling sub-sections/apps WITHIN Facebook, end point monitoring that applies rules to all personal correspondence, and intermediating HTTPS activity of employees' banking and personal webmail (let's face it, outside of the security community, most employees don't realize they are subject to that level of monitoring).

Any global company that has faced EU requirements realizes our current strategy of security at all costs, with no right to privacy for the individual doesn't work. As a citizen, I believe security at the expense of my privacy and individual right to freedom is too high a price. In the US we have a right to privacy, but we interpret freedom as meaning we have the freedom to choose to give up that privacy for the price of a paycheck. That is not freedom.

What if there was a better way? What if we could have Security and Privacy? 
theb0x (User Rank: Moderator), 4/23/2014 | 5:14:47 PM
Workplace Data Privacy Vs. Security: The New Balance
I see how there are many issues with this in the workplace, but a properly written acceptable use policy that clearly states all email sent from a company computer is sole property of that company should be expressed. I am also a strong believer in Application/Website whitelisting and GeoIP filtering. This is a company computer we are talking about. An employee's behavior and actions, whether intentional or non-intentional, may compromise a company's security, data, and reputation. When a computer becomes infected with malware, this is a huge loss in employee productivity and company profit, and results in most cases in hours of downtime, and this is all because they went to a website or opened an email that may not have been work related. These security controls need to be enforced because without them people just do what they please.