Organizations monitor their computer networks for a host of reasons — from gaining insight into availability, performance, and failures, to identifying potential cybersecurity vulnerabilities and exploits. In the process, they often collect more data than actually needed on employees, customers, prospects, vendors, and more. The prevailing attitude is that because the data exists, is easy to capture, and relatively cheap to store, why not collect it? But given the expansive capabilities of today's technology, combined with how integrated it is in every aspect of our lives, there's a danger of either purposefully or inadvertently collecting unnecessary and private data.
More Data Means More Risk
This issue will only increase as monitoring technologies continue to improve and have the ability to gather wider perspectives and unique personal characteristics. As it stands, companies collect plenty of direct data on individuals and use third-party enrichment to add fuller details, some of which are more intrusive than necessary. As layer upon layer of diverse data is captured, it's likely the insights will increasingly cross privacy boundaries and create risk.
All data scooped up during monitoring — including financial information, communications, intellectual property, personnel files, contracts, and other confidential materials — has the potential to enter the public domain, either by hacking or human error. A recent cautionary tale is a Department of Defense server misconfiguration that spilled out email messages and sensitive personal details of federal employees. While this information was required for military security clearances, many companies are collecting similar data without a legitimate need, creating an unnecessary threat of exposure.
Hackers regularly exploit personal data to open up authentication information that allows them to monetize their cybercrimes, which has been made easier and more lucrative thanks to cryptocurrencies. There are also nation-state actors, corporate espionage, and even politically motivated organizations seeking to obtain intellectual property to better their position. This doesn't have to be a proprietary company secret. They may be seeking a process, application, engineering diagram, or even simple text messages.
When Monitoring Seems Like Surveillance
Another concern with excessive data collection is the impact on employees. When companies and vendors gain insights that are unnecessary to the core monitoring mission, it can alarm employees. This is especially true as the boundaries between work and home blend together, making personal devices increasingly available to corporate data collection.
Additionally, if the data being collected cannot be tracked to a specific goal, employees may mistake legitimate network and security monitoring for surveillance, especially as employee monitoring tools have become more widely used with the onset of remote work. These tools have a different purpose than network and security monitoring tools, but that's not always clear to workers.
Taking Control of the Data
When it comes to network and security monitoring, there's a strong case to be made for collecting and analyzing data at a discrete micro level. But when viewed at a macro level, where more personal and unnecessary information is collected and connected with other data sources, the case can lose its validity. This often happens when chief information officers (CIOs) and others get so caught up in monitoring technology's advanced capabilities that it clouds their good intentions and leads to questionable outcomes. Here are a few steps to help prevent data from getting the upper hand:
● As an organization, it's important to change how data is viewed. For many leaders, every data point is seen through a business mission lens and not from the perspective of privacy. The key is to identify each data point being collected and determine if it's a piece of core information or enrichment information. In most cases, data collected strictly for enrichment purposes is more difficult to justify.
● Given advancements in data analysis, it's not simply about reviewing the information being fed into the system. It's about how the algorithms are being trained, and what controls are in place to define what's confidential and how to keep it that way. Without those controls, the algorithm may use unnecessary data points, resulting in outputs that answer questions never intended to be asked.
● In addition to improving data consistency and quality, a data governance team can be invaluable in helping educate employees and others about what is and what isn't being monitored, and why. They can also develop and enforce company data policies and ensure compliance with standards and regulations to prevent privacy lines from being crossed.
● When it comes to vendors, there should be a clear directive that the data being collected needs to be tied to the services being provided. IT leaders should make these three requests of vendors:
—Provide a detailed account of all data being collected, how it's being collected, how often it's being collected, and how it's being used.
—Describe the access mechanism being used to collect data and determine if, and to what extent, it allows the collection of unnecessary data.
—Explain if there are options to opt out of having specific data points collected and, if so, any implications that may result if taken.
A thorough review of data monitoring and collection procedures will likely reveal that most organizations are overreaching and putting the company, its employees, and its customers at risk. It's time to accept that the chance of getting hacked today is no longer exceedingly low. This intensifies the need for companies to take the necessary steps to rethink their data collection and monitoring strategies, and put best practices in place to protect employee privacy and corporate integrity.