Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Workplace Data Privacy Vs. Security: The New Balance
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
dmelnick
dmelnick,
 User Rank: Author
4/25/2014 | 12:10:01 PM
Re: australian privacy
I think Australia is a great example of emerging privacy law, as they have followed in the wake of EU data protection laws to ensure they were deemed adequate by the EU, or in other words able to transfer EU protected protected personal information to Australia because their data protection laws were sufficient. They, like New Zealand, are an example for other countries in South East Asia.
Ciderblush
Ciderblush,
 User Rank: Apprentice
4/25/2014 | 9:40:04 AM
australian privacy
Recently australia set up a department to govern and ensure greater security in personal privacy, including that used by corporations and businesses. massive change from 20 years ago. part of this is the governance of information archived or accidentally released, preventing a wikileaks - hopefully. A large part is protection of individuals. To make people feel safe. Even ten years ago a crim didnt feel safe because of the life they had lived. They didnt think they could start again. Usually private information is carried out of a place on a usb or documents.
MedicalQuack
MedicalQuack,
 User Rank: Apprentice
4/24/2014 | 1:28:43 PM
World Privay Forum - The Scoring of America-it covers it all
If you have not seen it...worth a read as the world is looking at the US and how data sellers and proprietary scoring is hurting consumers...

 

http://ducknetweb.blogspot.com/2014/04/world-privacy-forum-report-scoring-of.html
dmelnick
dmelnick,
 User Rank: Author
4/24/2014 | 11:14:36 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Marilyn, the US vs. EU question around privacy generally and employee privacy specifically is very interesting. A few years ago I would have described the EU and US as both modeling different regulatory approaches to the topic as a part of a global battle for defining what privacy should mean. At this point, I would say the EU has won the global battle for hearts and minds. The US' big global contribution to the regulatory landscape has been Data Breach Notification (started in CA who would have known that public notification/humiliation would have motivated behavior so effectively). Beyond that I just think the EU has a more mature thinking about how to balance corporate/governmental interests against individual rights to a private life.

As a history major, I can't help but acknowledge Europe's unique recent history as a way of understanding how they have thought so deeply about the importance of protecting individual's privacy. In the book, IBM and the Holocaust, Edwin Black argues the birth of the information age was the census work performed by IBM and Germany during the 1930s where they created the capability to cross tabulate peoples religion, occupation, geography, etc. Europe deeply understands the risks of technology deployed without safeguards for individual freedom, and to their credit has led the way in influencing regions around the world to implement basic rights and protections. 
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
4/24/2014 | 9:55:54 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Dave, it seems from your blog that Europe is ahead of the US in terms of employee privacy rights. Do you have a sense of why that is, and who are the industry leaders?
ChrisB093
ChrisB093,
 User Rank: Strategist
4/24/2014 | 9:35:37 AM
The need for a clear security policy
It might seem obvious but our research found that 29% of the IT professionals we surveyed (250 in UK and 250 in US) told us their organizations doesn't have a security policy in place. It's great to have a policy that covers the 'why' as well as the 'what' in terms of any restrictions you are putting in place. This gives all employees a better understanding of the severity of what your an organization is trying to tackle and what their actions might lead to - even accidently.

Clearly documented policies and consistently remind all users of them. This helps users come to understand what your policies are and why they are in place.

For more information on how to help mitigate insider threats to reduce the risk of security breaches, the insider threat manifesto is now available http://www.isdecisions.com/insider-threats-manifesto/
dmelnick
dmelnick,
 User Rank: Author
4/23/2014 | 7:46:35 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
You nailed it. My whole vision to changing the playing field. If we segmented personal web-use (the highest risk activity) from business activity. And then we isolated or contained the personal use, the remaining business activity would be lower risk and noone would object to extensive monitoring and control. 

The trick is containing personal use. BYOD definitely provides that capability if they do not use the corporate infrastructure/network. The WebLife solution also provides a mechanism for companies on corporate assets. 

I think you are on the right track. Believe it or not, your idea represents bold new thinking. 
theb0x
theb0x,
 User Rank: Ninja
4/23/2014 | 7:36:08 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
Well said. What if a company just segmented their network traffic? You want to go on facebook? You want to check your personal email? Okay, BYOD and use this network and we will not provide you a firewall or monitor your traffic, but will be subjected to bandwidth throttling.
dmelnick
dmelnick,
 User Rank: Author
4/23/2014 | 6:44:26 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
I hear you, and there is no doubt that in the US, with proper notice and consent, usually in the form of an Acceptable Use Policy (AUP), a company clearly has the right to monitor and control employee Internet use. There is also no doubt that employee Internet use is a clear threat vector for a number of well understood risks. In fact this approach of draconian AUP followed by monitoring and control practices represents the preferred response to these risks. 

But there are high costs to this strategy. And the approach has limitations. In fact, I argue that we have hit diminishing returns with the next generation levels of monitoring and control. As Anthony suggested we are controlling sub-sections/apps WITHIN Facebook, end point monitoring that applies rules to all personal correspondence, and intermediating HTTPs activity of employees' banking and personal webmail (let's face it, outside of the security community, most employees don't realize they are subject to that level of monitoring).

Any global company that has faced EU requirements realizes our current strategy of security at all costs, with no right to privacy for the individual doesn't work. As a citizen, I believe security at the expense of my privacy and individual right to freedom is too high a price. In the US we have a right to privacy, but we interpret freedom as meaning we have the freedom to choose to give up that privacy for the price of a paycheck. That is not freedom.

What if there was a better way? What if we could have Security and Privacy? 
theb0x
theb0x,
 User Rank: Ninja
4/23/2014 | 5:14:47 PM
Workplace Data Privacy Vs. Security: The New Balance
I see how there are many issues with this in the workplace but a properly written acceptable use policy that clearly states all email sent from a company computer is sole property of that company should be expressed. I am also a strong beleiver of Application/Website whitelisting and GeoIP filtering. This is a company computer we are talking about. An employees behavior and actions wheither intentional or non-intentional may compromise a companies security, data, and reputation. When a computer becomes infected with malware, this is a huge loss in employee productivity, Company profit and results in most cases hours of downtime and this is all because they went to a website or opened an email that may not have been work related. These security controls need to be enforced because without them people just do what they please.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.