
Comments
Workplace Data Privacy Vs. Security: The New Balance
Anthony Schimizzi,
User Rank: Apprentice
4/23/2014 | 11:25:52 AM
Sensitivity makes this difficult
This is always an area where people tend to tip-toe around due to its sensitivity and the diverse differences between corporations and cultures. While security should be the main focus, studies have shown that productivity, efficiency, and employee morale are higher in corporations that allow for a more "free-use" Internet Access Policy instead of a corporate "lockdown" policy. With the "free-use" policy, the security engineers and management need to define what is acceptable. I have read of places that allow Facebook surfing at work, but have locked down writing posts, status updates, playing games, etc. I am an advocate for the employee being able to use personal email (with the right security controls) and for occasional browsing of the Internet, while keeping in mind that you have no privacy in a corporate setting. How else do you think I can get to Dark Reading during work hours :)
dmelnick,
User Rank: Author
4/23/2014 | 4:39:01 PM
Re: Sensitivity makes this difficult
Anthony, thanks for joining the conversation. Better still if you did it from work. I really liked how you highlighted the tip-toe problem. I see this at the Board and C-Suite level where, on the one hand, the leadership wants the environment protected from Internet risk (whether IP loss, cyber theft/fraud, data breach, etc.), but on the other hand they are not prepared to enforce a policy that shuts down Internet access (with a few exceptions, e.g. bank tellers, certain government facilities).

This tip-toe problem, or the contradiction of executives turning a blind eye to personal web use while simultaneously expecting IT/Security to lock down Internet use (over 70% of companies restrict personal Internet use in their acceptable use policies), places IT/CIOs/CISOs in a very difficult position. It also leads to selective enforcement, employee morale issues, and ultimately malware/security events (since we still allow the risky user behaviour).
theb0x,
User Rank: Ninja
4/23/2014 | 5:14:47 PM
Workplace Data Privacy Vs. Security: The New Balance
I see how there are many issues with this in the workplace, but a properly written acceptable use policy that clearly states all email sent from a company computer is the sole property of that company should be expressed. I am also a strong believer in application/website whitelisting and GeoIP filtering. This is a company computer we are talking about. An employee's behavior and actions, whether intentional or non-intentional, may compromise a company's security, data, and reputation. When a computer becomes infected with malware, this is a huge loss in employee productivity and company profit, and in most cases results in hours of downtime, all because they went to a website or opened an email that may not have been work related. These security controls need to be enforced because without them people just do what they please.
dmelnick,
User Rank: Author
4/23/2014 | 6:44:26 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
I hear you, and there is no doubt that in the US, with proper notice and consent, usually in the form of an Acceptable Use Policy (AUP), a company clearly has the right to monitor and control employee Internet use. There is also no doubt that employee Internet use is a clear threat vector for a number of well understood risks. In fact, this approach of a draconian AUP followed by monitoring and control practices represents the preferred response to these risks.

But there are high costs to this strategy. And the approach has limitations. In fact, I argue that we have hit diminishing returns with the next-generation levels of monitoring and control. As Anthony suggested, we are controlling sub-sections/apps WITHIN Facebook, endpoint monitoring that applies rules to all personal correspondence, and intermediating HTTPS activity of employees' banking and personal webmail (let's face it, outside of the security community, most employees don't realize they are subject to that level of monitoring).

Any global company that has faced EU requirements realizes our current strategy of security at all costs, with no right to privacy for the individual, doesn't work. As a citizen, I believe security at the expense of my privacy and individual right to freedom is too high a price. In the US we have a right to privacy, but we interpret freedom as meaning we have the freedom to choose to give up that privacy for the price of a paycheck. That is not freedom.

What if there was a better way? What if we could have security and privacy?
theb0x,
User Rank: Ninja
4/23/2014 | 7:36:08 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
Well said. What if a company just segmented their network traffic? You want to go on Facebook? You want to check your personal email? Okay, BYOD and use this network, and we will not provide you a firewall or monitor your traffic, but you will be subject to bandwidth throttling.
dmelnick,
User Rank: Author
4/23/2014 | 7:46:35 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
You nailed it. That is my whole vision for changing the playing field: if we segmented personal web use (the highest risk activity) from business activity, and then isolated or contained the personal use, the remaining business activity would be lower risk and no one would object to extensive monitoring and control.

The trick is containing personal use. BYOD definitely provides that capability if they do not use the corporate infrastructure/network. The WebLife solution also provides a mechanism for companies on corporate assets.

I think you are on the right track. Believe it or not, your idea represents bold new thinking.
ChrisB093,
User Rank: Strategist
4/24/2014 | 9:35:37 AM
The need for a clear security policy
It might seem obvious, but our research found that 29% of the IT professionals we surveyed (250 in the UK and 250 in the US) told us their organizations don't have a security policy in place. It's great to have a policy that covers the 'why' as well as the 'what' in terms of any restrictions you are putting in place. This gives all employees a better understanding of the severity of what your organization is trying to tackle and what their actions might lead to - even accidentally.

Clearly document policies and consistently remind all users of them. This helps users come to understand what your policies are and why they are in place.

For more information on how to help mitigate insider threats to reduce the risk of security breaches, the insider threat manifesto is now available http://www.isdecisions.com/insider-threats-manifesto/
Marilyn Cohodas,
User Rank: Strategist
4/24/2014 | 9:55:54 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Dave, it seems from your blog that Europe is ahead of the US in terms of employee privacy rights. Do you have a sense of why that is, and who are the industry leaders?
dmelnick,
User Rank: Author
4/24/2014 | 11:14:36 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Marilyn, the US vs. EU question around privacy generally, and employee privacy specifically, is very interesting. A few years ago I would have described the EU and US as both modeling different regulatory approaches to the topic as part of a global battle for defining what privacy should mean. At this point, I would say the EU has won the global battle for hearts and minds. The US's big global contribution to the regulatory landscape has been Data Breach Notification (started in CA; who would have known that public notification/humiliation would have motivated behavior so effectively). Beyond that, I just think the EU has more mature thinking about how to balance corporate/governmental interests against individual rights to a private life.

As a history major, I can't help but acknowledge Europe's unique recent history as a way of understanding how they have thought so deeply about the importance of protecting individuals' privacy. In the book IBM and the Holocaust, Edwin Black argues the birth of the information age was the census work performed by IBM and Germany during the 1930s, where they created the capability to cross-tabulate people's religion, occupation, geography, etc. Europe deeply understands the risks of technology deployed without safeguards for individual freedom, and to their credit has led the way in influencing regions around the world to implement basic rights and protections.
MedicalQuack,
User Rank: Apprentice
4/24/2014 | 1:28:43 PM
World Privacy Forum - The Scoring of America - it covers it all
If you have not seen it... worth a read, as the world is looking at the US and how data sellers and proprietary scoring are hurting consumers...

http://ducknetweb.blogspot.com/2014/04/world-privacy-forum-report-scoring-of.html