Comments
Workplace Data Privacy Vs. Security: The New Balance
dmelnick
User Rank: Author
4/25/2014 | 12:10:01 PM
Re: Australian privacy
I think Australia is a great example of emerging privacy law, as they have followed in the wake of EU data protection laws to ensure they were deemed adequate by the EU, or in other words able to transfer EU-protected personal information to Australia because their data protection laws were sufficient. They, like New Zealand, are an example for other countries in South East Asia.
Ciderblush
User Rank: Apprentice
4/25/2014 | 9:40:04 AM
Australian privacy
Recently Australia set up a department to govern and ensure greater security in personal privacy, including that used by corporations and businesses. Massive change from 20 years ago. Part of this is the governance of information archived or accidentally released, preventing a WikiLeaks - hopefully. A large part is protection of individuals. To make people feel safe. Even ten years ago a crim didn't feel safe because of the life they had lived. They didn't think they could start again. Usually private information is carried out of a place on a USB or documents.
MedicalQuack
User Rank: Apprentice
4/24/2014 | 1:28:43 PM
World Privacy Forum - The Scoring of America - it covers it all
If you have not seen it...worth a read as the world is looking at the US and how data sellers and proprietary scoring is hurting consumers...
http://ducknetweb.blogspot.com/2014/04/world-privacy-forum-report-scoring-of.html
dmelnick
User Rank: Author
4/24/2014 | 11:14:36 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Marilyn, the US vs. EU question around privacy generally and employee privacy specifically is very interesting. A few years ago I would have described the EU and US as both modeling different regulatory approaches to the topic as a part of a global battle for defining what privacy should mean. At this point, I would say the EU has won the global battle for hearts and minds. The US' big global contribution to the regulatory landscape has been Data Breach Notification (started in CA; who would have known that public notification/humiliation would have motivated behavior so effectively). Beyond that I just think the EU has more mature thinking about how to balance corporate/governmental interests against individual rights to a private life.

As a history major, I can't help but acknowledge Europe's unique recent history as a way of understanding how they have thought so deeply about the importance of protecting individuals' privacy. In the book IBM and the Holocaust, Edwin Black argues the birth of the information age was the census work performed by IBM and Germany during the 1930s, where they created the capability to cross-tabulate people's religion, occupation, geography, etc. Europe deeply understands the risks of technology deployed without safeguards for individual freedom, and to their credit has led the way in influencing regions around the world to implement basic rights and protections.
Marilyn Cohodas
User Rank: Strategist
4/24/2014 | 9:55:54 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Dave, it seems from your blog that Europe is ahead of the US in terms of employee privacy rights. Do you have a sense of why that is, and who are the industry leaders?
ChrisB093
User Rank: Strategist
4/24/2014 | 9:35:37 AM
The need for a clear security policy
It might seem obvious, but our research found that 29% of the IT professionals we surveyed (250 in the UK and 250 in the US) told us their organizations don't have a security policy in place. It's great to have a policy that covers the 'why' as well as the 'what' in terms of any restrictions you are putting in place. This gives all employees a better understanding of the severity of what your organization is trying to tackle and what their actions might lead to - even accidentally.

Clearly document policies and consistently remind all users of them. This helps users come to understand what your policies are and why they are in place.

For more information on how to help mitigate insider threats to reduce the risk of security breaches, the insider threat manifesto is now available http://www.isdecisions.com/insider-threats-manifesto/
dmelnick
User Rank: Author
4/23/2014 | 7:46:35 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
You nailed it. My whole vision is to change the playing field. If we segmented personal web use (the highest-risk activity) from business activity, and then isolated or contained the personal use, the remaining business activity would be lower risk and no one would object to extensive monitoring and control.

The trick is containing personal use. BYOD definitely provides that capability if they do not use the corporate infrastructure/network. The WebLife solution also provides a mechanism for companies on corporate assets. 

I think you are on the right track. Believe it or not, your idea represents bold new thinking. 
theb0x
User Rank: Ninja
4/23/2014 | 7:36:08 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
Well said. What if a company just segmented their network traffic? You want to go on Facebook? You want to check your personal email? Okay, BYOD and use this network, and we will not provide you a firewall or monitor your traffic, but you will be subject to bandwidth throttling.
dmelnick
User Rank: Author
4/23/2014 | 6:44:26 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
I hear you, and there is no doubt that in the US, with proper notice and consent, usually in the form of an Acceptable Use Policy (AUP), a company clearly has the right to monitor and control employee Internet use. There is also no doubt that employee Internet use is a clear threat vector for a number of well understood risks. In fact, this approach of draconian AUP followed by monitoring and control practices represents the preferred response to these risks.

But there are high costs to this strategy. And the approach has limitations. In fact, I argue that we have hit diminishing returns with the next generation levels of monitoring and control. As Anthony suggested, we are controlling sub-sections/apps WITHIN Facebook, end point monitoring that applies rules to all personal correspondence, and intermediating HTTPS activity of employees' banking and personal webmail (let's face it, outside of the security community, most employees don't realize they are subject to that level of monitoring).

Any global company that has faced EU requirements realizes our current strategy of security at all costs, with no right to privacy for the individual doesn't work. As a citizen, I believe security at the expense of my privacy and individual right to freedom is too high a price. In the US we have a right to privacy, but we interpret freedom as meaning we have the freedom to choose to give up that privacy for the price of a paycheck. That is not freedom.

What if there was a better way? What if we could have Security and Privacy? 
theb0x
User Rank: Ninja
4/23/2014 | 5:14:47 PM
Workplace Data Privacy Vs. Security: The New Balance
I see how there are many issues with this in the workplace, but a properly written acceptable use policy that clearly states all email sent from a company computer is the sole property of that company should be expressed. I am also a strong believer in Application/Website whitelisting and GeoIP filtering. This is a company computer we are talking about. An employee's behavior and actions, whether intentional or non-intentional, may compromise a company's security, data, and reputation. When a computer becomes infected with malware, this is a huge loss in employee productivity and company profit, and results in most cases in hours of downtime, and this is all because they went to a website or opened an email that may not have been work related. These security controls need to be enforced because without them people just do what they please.