CDSA

M&E Journal: Navigating the New Security and Privacy Frontier

By David Melnick, Founder and CEO, WebLife Balance

For the last several years, a global debate has been heating up over the right to personal privacy. Driven by rapid technological advancements and the reality of big data, we are beginning to question everything we’ve come to believe about our privacy rights—both at home and at work. For organizations, the near-ubiquitous use of cloud and mobile technologies, the increasing prevalence of BYOD policies, and employees’ need to access the web, and often social media, to do their jobs have fundamentally changed the way employees interact with the corporate network.

These technological, social, and cultural shifts are quickly dissolving the boundaries between personal and professional time and space, putting the corporate network under increasing distress. The evidence abounds:

* A threat to both employees and organizations, ransomware increased 35 percent in 2015, and zero-day vulnerabilities, an indicator of attacks to come, were up 125 percent. (2016 Internet Security Threat Report, Volume 21)

* Increased experience and skill of hackers, both individuals and state-sponsored, led to a record number of data breaches (4,149) reported in 2016, exposing over 4.2 billion records, approximately 3.2 billion more records than the previous record high exposed in 2013. (Jan 2017, Risk Based Security, 2016 Data Breach Trends)

* Web use liability losses are up, despite the presence of Acceptable Internet Usage Policies. AUP enforcement is compromised by privacy concerns, especially in the U.S.

* In their 2016 BYOD and Mobile Security Report, Crowd Research Partners found that “enterprise security risks and mobile data breaches are on the rise,” while “one in five organizations suffered a mobile security breach, primarily driven by malware and malicious Wi-Fi.”

The privacy paradox

While the privacy debate has been heating up, it is clearly still in its infancy, as research shows that what people say and do about their data and privacy are often at odds. Lured by the promise of immediate access to the things we want to buy, share and consume, recent studies have found that while many of us are opposed to sacrificing our privacy in principle, the reality is we do so voluntarily and willfully every day—all in the name of a paycheck, notoriety, convenience and consumption.

According to the EMC Privacy Index, several paradoxes exist between what people say they want with regard to their privacy and how far they’re willing to go to protect it. Globally, 27 percent indicated they are willing to trade privacy for convenience, and in 15 countries more than 30 percent and as many as 61 percent of respondents are willing to compromise their privacy in return for access to the things they want to share, buy, and do online.

Above it all, CIOs and CISOs have less control than ever over corporate networks due to “consumerization” trends that prioritize employee preferences for communications technology access and usage, often to the detriment of network security. Thus, tensions are growing between employers who, to manage cyber threats, are increasing the nature and extent of their employee surveillance, and employees, whose expanding reliance on the internet for personal activities has led to a heightened concern over their personal privacy. In response, courts, regulators and lawmakers have begun to implement new regulations to further formalize and codify the individual’s right to privacy.

Regulators to the rescue?

As lawmakers play catch-up with this shifting landscape, there is a groundswell of public awareness around our resulting loss of personal privacy. Europe is leading the way with a strengthening of its Data Protection Directive in the form of the new General Data Protection Regulation (GDPR). Announced in December 2015 and approved by the EU Parliament in April 2016, GDPR enforcement will begin on May 25, 2018, after which non-compliant organizations are subject to heavy fines.

More than three years after the Edward Snowden/NSA disclosures, the U.S. is still struggling to find its comfort zone regarding personal privacy protection. In 2012, the Obama administration put forward a proposal for a “Consumer Privacy Bill of Rights,” but in February 2016 The New York Times wrote, “Four years later, however, the effort has produced few new data controls for consumers, even as advocates say the need is greater than ever because of the advent of internet-connected technologies that collect data on people’s sleep habits, the temperature in their houses and the like.”

Similarly, many hoped the 2014 Supreme Court decision Riley v. California would foreshadow broader privacy legislation for consumers and employees in the workplace, but since then efforts to advance consumers’ and employees’ privacy rights have largely stalled in Congress.

Regardless of where you work, however, chances are your employer must comply with confusing and, if they operate in multiple countries/jurisdictions, conflicting privacy laws. This makes advising management and the board on security and privacy risks more complex and difficult.

Navigating the new frontier

Avoiding the adoption of emerging technology, tightening up acceptable use policies, or implementing monitoring systems that may make employees feel resentful and mistrusted are not the answer. In fact, organizations, employees, and other stakeholders can realize immense benefits by enabling and embracing personal privacy to strengthen their security.

Companies willing to champion employee privacy will not only enjoy a leadership position in the privacy debate and increase their chances of compliance with forthcoming personal privacy legislation, but they will also reap the compelling byproducts of increased security and diminished liability.

About 20 years ago, employees began to get access to the internet in the office. Today, it’s become mission-critical for most jobs, so employees expect it. And, absent policies or effective enforcement to the contrary, most access it for personal use—banking, shopping, social media, email—at some point during the work day, leaving the corporate network and customer assets exposed to the whims of employees’ judgment and behavior.

Thanks to this trend, we now live in a world where 30 percent to 40 percent of internet access is spent on non-work-related browsing and 60 percent of all online purchases are made during working hours, per IDC. Additionally, the U.S. security company Palo Alto Networks maintains web browsing is the No. 1 cause of undetected malware.

Furthermore, workplace internet misuse costs U.S. businesses $178 billion in lost productivity annually, per the U.S. security company Websense. In attempting to manage these risks, many companies try to “lock down” what employees can access and increase the monitoring of employee activity.

Tension and mistrust between employers and employees are growing over personal web use at work and fear of inappropriate monitoring. Organizations are faced with increasing threats to corporate assets, and traditional approaches to employee monitoring are also leading to increased security risk.

Monitoring systems offer false hope, because 100 percent containment is not possible. Nonetheless, per Neil McDonald of Gartner Inc., by the end of 2016, 20 percent of enterprises will implement containment mechanisms for end users handling untrusted content and code, up from less than one percent in 2013. Unfortunately, the lock-down approach has practical limitations and may lead to regulatory noncompliance.

New approaches find common ground

Why not acknowledge the reality that employees are going online during working hours and consider separating or isolating personal activity from business assets? If we can govern personal internet use, we can empower employees and engage them to strengthen organizational security.

“Adopting a risk management approach that embraces employee privacy fundamentally changes how organizations approach employee internet use and allows companies and employees alike to accomplish their joint goals securely, protect their rights and maximize the opportunities offered by our ever-connected world,” offered Gail Ann Lasprogata, associate professor of Business and International Law, Albers School of Business and Economics, Seattle University.

Employers can mitigate employee web use risk. One way to achieve this is by implementing a personal portal for employees so that your network and information assets are shielded from any high-risk online activity in which employees may engage.

The logical separation of an employee’s personal internet use at work from business assets eliminates the need for the information security team to focus on low-risk personal activity, allowing more time for the more important things IT needs to worry about. It also allows CISOs to exercise all necessary “endpoint” (laptop, desktop) technical security controls without worrying about privacy issues.

Embrace the reality that employees are going to use the web at work for personal reasons, and provide them with a contained, personal network that complies with privacy requirements, reduces corporate liability and strengthens organizational security. By giving them a private, secure space to conduct this activity, you can empower employees to become the greatest resource in your security arsenal.

Click here to download the entire Spring 2017 M&E Journal