Dark Reading (Informa Tech Division of Informa PLC)

Analytics // Security Monitoring

4/23/2014 10:00 AM
David Melnick
Commentary
Workplace Data Privacy Vs. Security: The New Balance

Is it time to rethink the traditional lock-down approach to employee use of corporate networks at work?

Over the last 15 years, security interests have largely silenced the data privacy debate, leaving companies and employees around the world paying a high price. Today, this focus on security has created a backlash, one that I predict foreshadows a new balance in workplace privacy and security that will tilt more toward individual protection.

But first, let’s talk about the present. Individual privacy and security of the company network are under increasing distress for three main reasons.

  1. More worktime online: Employees now spend on average nearly two hours per day in personal web use at work. According to the Palo Alto Networks Modern Malware Review, this activity originates 90 percent of malware threats and exposes organizations to a loss of trade secrets, data breaches, and financial theft.
  2. Cyberthreats on the rise: The growing experience and training of hackers (both individuals and state-sponsored) has led to record numbers of malware incidents and data breaches, resulting in record high losses and related costs, according to the Open Security Foundation data loss database.
  3. Employee privacy rights activism: Companies, regulators, and employees around the world are starting to pay attention to corporate end-user monitoring and what employees have a right to keep private while using computers and networks at work. In Europe, for example, regulators have begun to set limits on the use of end-point monitoring solutions such as Data Loss Prevention (DLP), due to potential conflicts over employee privacy rights.

To my mind, the crux of the privacy issue is that employees and employers seem to have competing goals. Employers focus on ensuring corporate security, increasing productivity, and reducing liability for bad employee behavior like cyber loafing, gambling, or accessing pornography. Employees need to use corporate infrastructure for online activity (like personal email) but still want to protect their personal information and reputations.

These goals do overlap, but in an attempt to navigate this environment, many employers (both wittingly and unwittingly) violate employee rights to privacy every day. Worse still, many companies have responded to the "new normal" by clamping down on employee web use by applying employee monitoring systems and unrealistic, unclear Acceptable Use Policies. This creates an unspoken tension in the workplace and takes employers into the territory of potential unfair trade practices under FTC Title 5, which states that if an organization has a policy but doesn’t follow it, the organization is engaging in a deceptive trade practice. In addition, the traditional lock-down approach delivers only modest gains in organizational security and little reduction in employer liability.

There has to be a better way
In Europe, more than 50 global jurisdictions have signed omnibus privacy laws, providing greater protection for individuals in the workplace and signaling an increase in the number of privacy laws worldwide. In the US, the White House last year published a 62-page privacy whitepaper that includes a Consumer Privacy Bill of Rights with recommendations on handling individuals’ personal data pertaining to issues of control, transparency, respect for context, security, access and accuracy, limits on data collection, and accountability.

Are you ready for the changes that are coming? Will you become an advocate for your employees? Do you think corporations have trampled employee rights in their efforts to protect the enterprise? What should employees be allowed to do at work? Do companies have adequate transparency into their policies and goals with regard to security and employee privacy?

Rather than living with the status quo, employers should seek to strike a new balance -- leveraging privacy to achieve security and broader risk management goals. By honoring their employees’ right to privacy, companies can restore trust, preserve employees’ dignity, and engage them in security.

The conflict between security and privacy is nothing new. What’s new is the revelation that employee privacy can actually be a vehicle to better security and that you don’t have to sacrifice one for the other. Privacy as a complement to security -- that should become the new normal.

David has worked for 25 years with US and global companies, advising them on strategy, risk-based priorities, and effective governance of highly sensitive and regulated data. He is a CIPP/E/US, CISA, and CISSP and has authored several books through McGraw-Hill Publishing and ...

Comments
dmelnick (User Rank: Author), 4/23/2014 4:39:01 PM
Re: Sensitivity makes this difficult
Anthony, thanks for joining the conversation. Better still if you did it from work. I really liked how you highlighted the tip-toe problem. I see this at the Board and C-Suite level where on the one hand the leadership wants the environment protected from Internet risk (whether IP loss, cyber theft/fraud, data breach, etc.), but on the other hand they are not prepared to enforce a policy that shuts down Internet access (with a few exceptions, e.g. bank tellers, certain government facilities).

This tip-toe problem, or the contradiction of executives turning a blind eye to personal web use while simultaneously expecting IT/Security to lock down Internet use (over 70% of companies restrict personal Internet use in their acceptable use policies), places IT/CIOs/CISOs in a very difficult position. It also leads to selective enforcement, employee morale issues, and ultimately malware/security events (since we still allow the risky user behaviour).
Anthony Schimizzi (User Rank: Apprentice), 4/23/2014 11:25:52 AM
Sensitivity makes this difficult
This is always an area where people tend to tip-toe around due to its sensitivity and the diverse differences between corporations and cultures. While security should be the main focus, studies have shown that productivity, efficiency, and employee morale are higher in corporations that allow for a more "free-use" Internet access policy instead of a corporate "lockdown" policy. With the "free-use" policy, the security engineers and management need to define what is acceptable. I have read of places that allow Facebook surfing at work, but have locked down writing posts, status updates, playing games, etc. I am an advocate for the employee being able to use personal email (with the right security controls) and for occasional browsing of the Internet while keeping in mind that you have no privacy in a corporate setting. How else do you think I can get to darkreading during work hours :)