Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
Workplace Data Privacy Vs. Security: The New Balance
Anthony Schimizzi
User Rank: Apprentice
4/23/2014 | 11:25:52 AM
Sensitivity makes this difficult
This is always an area where people tend to tip-toe around due to its sensitivity and the diverse differences between different corporations and cultures. While security should be the main focus, studies have shown that productivity, efficiency, and employee morale are higher in corporations that allow for a more "free-use" Internet Access Policy instead of a corporate "lockdown" policy. With the "free-use" policy, the security engineers and management need to define what is acceptable. I have read of places that allow Facebook surfing at work, but have locked down writing posts, status updates, playing games, etc. I am an advocate for the employee being able to use personal email (with the right security controls) and for occasional browsing of the Internet while keeping in mind that you have no privacy in a corporate setting. How else do you think I can get to darkreading during work hours :)
dmelnick
User Rank: Author
4/23/2014 | 4:39:01 PM
Re: Sensitivity makes this difficult
Anthony, thanks for joining the conversation. Better still if you did it from work. I really liked how you highlighted the tip-toe problem. I see this at the Board and C-Suite level where on the one hand the leadership wants the environment protected from Internet risk (whether IP loss, cyber theft/fraud, data breach, etc.), but on the other hand they are not prepared to enforce a policy that shuts down Internet access (with a few exceptions, e.g. bank tellers, certain government facilities).

This tip-toe problem, or the contradiction of executives turning a blind eye to personal web use while simultaneously expecting IT/Security to lock down Internet use (over 70% of companies restrict personal Internet use in their acceptable use policies), places IT/CIOs/CISOs in a very difficult position. It also leads to selective enforcement, employee morale issues, and ultimately malware/security events (since we still allow the risky user behaviour).
theb0x
User Rank: Ninja
4/23/2014 | 5:14:47 PM
Workplace Data Privacy Vs. Security: The New Balance
I see how there are many issues with this in the workplace, but a properly written acceptable use policy that clearly states all email sent from a company computer is the sole property of that company should be expressed. I am also a strong believer in application/website whitelisting and GeoIP filtering. This is a company computer we are talking about. An employee's behavior and actions, whether intentional or non-intentional, may compromise a company's security, data, and reputation. When a computer becomes infected with malware, this is a huge loss in employee productivity and company profit, and in most cases results in hours of downtime, and this is all because they went to a website or opened an email that may not have been work related. These security controls need to be enforced because without them people just do what they please.
dmelnick
User Rank: Author
4/23/2014 | 6:44:26 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
I hear you, and there is no doubt that in the US, with proper notice and consent, usually in the form of an Acceptable Use Policy (AUP), a company clearly has the right to monitor and control employee Internet use. There is also no doubt that employee Internet use is a clear threat vector for a number of well understood risks. In fact, this approach of draconian AUP followed by monitoring and control practices represents the preferred response to these risks.

But there are high costs to this strategy. And the approach has limitations. In fact, I argue that we have hit diminishing returns with the next generation levels of monitoring and control. As Anthony suggested, we are controlling sub-sections/apps WITHIN Facebook, endpoint monitoring that applies rules to all personal correspondence, and intermediating HTTPS activity of employees' banking and personal webmail (let's face it, outside of the security community, most employees don't realize they are subject to that level of monitoring).

Any global company that has faced EU requirements realizes our current strategy of security at all costs, with no right to privacy for the individual, doesn't work. As a citizen, I believe security at the expense of my privacy and individual right to freedom is too high a price. In the US we have a right to privacy, but we interpret freedom as meaning we have the freedom to choose to give up that privacy for the price of a paycheck. That is not freedom.

What if there was a better way? What if we could have Security and Privacy?
theb0x
User Rank: Ninja
4/23/2014 | 7:36:08 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
Well said. What if a company just segmented their network traffic? You want to go on Facebook? You want to check your personal email? Okay, BYOD and use this network, and we will not provide you a firewall or monitor your traffic, but you will be subject to bandwidth throttling.
dmelnick
User Rank: Author
4/23/2014 | 7:46:35 PM
Re: Workplace Data Privacy Vs. Security: The New Balance
You nailed it. My whole vision for changing the playing field: if we segmented personal web use (the highest-risk activity) from business activity, and then isolated or contained the personal use, the remaining business activity would be lower risk and no one would object to extensive monitoring and control.

The trick is containing personal use. BYOD definitely provides that capability if they do not use the corporate infrastructure/network. The WebLife solution also provides a mechanism for companies on corporate assets.

I think you are on the right track. Believe it or not, your idea represents bold new thinking.
Marilyn Cohodas
User Rank: Strategist
4/24/2014 | 9:55:54 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Dave, it seems from your blog that Europe is ahead of the US in terms of employee privacy rights. Do you have a sense of why that is, and who are the industry leaders?
dmelnick
User Rank: Author
4/24/2014 | 11:14:36 AM
Re: Workplace Data Privacy Vs. Security: The New Balance
Marilyn, the US vs. EU question around privacy generally and employee privacy specifically is very interesting. A few years ago I would have described the EU and US as both modeling different regulatory approaches to the topic as part of a global battle for defining what privacy should mean. At this point, I would say the EU has won the global battle for hearts and minds. The US' big global contribution to the regulatory landscape has been Data Breach Notification (started in CA; who would have known that public notification/humiliation would have motivated behavior so effectively). Beyond that, I just think the EU has more mature thinking about how to balance corporate/governmental interests against individual rights to a private life.

As a history major, I can't help but acknowledge Europe's unique recent history as a way of understanding how they have thought so deeply about the importance of protecting individuals' privacy. In the book "IBM and the Holocaust", Edwin Black argues the birth of the information age was the census work performed by IBM and Germany during the 1930s, where they created the capability to cross-tabulate people's religion, occupation, geography, etc. Europe deeply understands the risks of technology deployed without safeguards for individual freedom, and to their credit has led the way in influencing regions around the world to implement basic rights and protections.
ChrisB093
User Rank: Strategist
4/24/2014 | 9:35:37 AM
The need for a clear security policy
It might seem obvious, but our research found that 29% of the IT professionals we surveyed (250 in the UK and 250 in the US) told us their organizations don't have a security policy in place. It's great to have a policy that covers the 'why' as well as the 'what' in terms of any restrictions you are putting in place. This gives all employees a better understanding of the severity of what your organization is trying to tackle and what their actions might lead to, even accidentally.

Clearly document policies and consistently remind all users of them. This helps users come to understand what your policies are and why they are in place.

For more information on how to help mitigate insider threats to reduce the risk of security breaches, the insider threat manifesto is now available http://www.isdecisions.com/insider-threats-manifesto/
MedicalQuack
User Rank: Apprentice
4/24/2014 | 1:28:43 PM
World Privacy Forum - The Scoring of America - it covers it all
If you have not seen it...worth a read as the world is looking at the US and how data sellers and proprietary scoring is hurting consumers...
http://ducknetweb.blogspot.com/2014/04/world-privacy-forum-report-scoring-of.html
Ciderblush
User Rank: Apprentice
4/25/2014 | 9:40:04 AM
Australian privacy
Recently Australia set up a department to govern and ensure greater security in personal privacy, including that used by corporations and businesses. Massive change from 20 years ago. Part of this is the governance of information archived or accidentally released, preventing a WikiLeaks - hopefully. A large part is protection of individuals. To make people feel safe. Even ten years ago a crim didn't feel safe because of the life they had lived. They didn't think they could start again. Usually private information is carried out of a place on a USB or documents.
dmelnick
User Rank: Author
4/25/2014 | 12:10:01 PM
Re: Australian privacy
I think Australia is a great example of emerging privacy law, as they have followed in the wake of EU data protection laws to ensure they were deemed adequate by the EU, or in other words able to transfer EU-protected personal information to Australia because their data protection laws were sufficient. They, like New Zealand, are an example for other countries in South East Asia.