Michael Brown, vice president of technology at Auvik, has it right in my opinion: “On one end of the spectrum, monitoring an employee’s every action provides deep visibility and potentially useful insights, but may violate an employee’s privacy. On the other hand, while a lack of monitoring protects the privacy of employee data, this choice could pose significant security and productivity risks for an organization. In most cases, neither extreme is the appropriate solution, and companies must identify an effective compromise that takes both visibility and privacy into account, allowing organizations to monitor their environments while ensuring that the privacy of certain personal employee data is respected.”
The key word in Brown’s observation is “compromise” and I am going to add “transparency.” Employees who understand why and how their engagement is being monitored, and how that monitoring may indeed turn into surveillance when probable cause exists, will have a greater understanding of the need to protect the entity as a whole by monitoring all who engage.
Collecting data comes with an obligation to protect data
The adage is that if you collect it, you must protect it. Every CISO knows this, and every instance where information is collected should have in place a means to protect that information. With this thought in mind, John A. Smith, founder and CSO of Conversant, offered some thoughts that are easy to embrace:
- Adhere to regulations and compliance requirements.
- Understand that compliance isn’t enough.
- Measure your security controls against current threat actor behaviors.
- Change your paradigms.
- Remember that most breaches follow the same high-level pattern.
Smith’s comment about changing paradigms piqued my interest and his expansion is worthy of taking on board, as a different way of thinking. “Systems are generally open by default and closed by exception,” he tells CSO. “You should consider hardening systems by default and only opening access by exception. This paradigm change is particularly true in the context of data stores, such as practice management, electronic medical records, e-discovery, HRMS, and document management systems.”
“How data is protected, access controls are managed, and identity is orchestrated are critically important to the security of these systems. Cloud and SaaS are not inherently safe, because these systems are largely, by default, exposed to the public internet, and these applications are commonly not vetted with stringent security rigor.”
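To make Smith's paradigm concrete, here is an added illustration (not code from the article or from Conversant) that contrasts an "open by default, closed by exception" access policy with a "closed by default, open by exception" one for a few data stores of the kind he names. The principals, store names and requests are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    principal: str  # identity making the request; "anonymous" = unauthenticated internet client
    resource: str   # data store being accessed, e.g. "hrms" or "ediscovery" (constructed names)
    action: str     # "read" or "write"

@dataclass
class Policy:
    default_allow: bool                        # the paradigm: True = open by default, False = closed
    rules: dict = field(default_factory=dict)  # explicit exceptions: (principal, resource, action) -> bool

    def decide(self, req: Request) -> bool:
        """Return True if access is granted; only a listed exception overrides the default."""
        return self.rules.get((req.principal, req.resource, req.action), self.default_allow)

# Open by default: someone has to remember to write a block rule for every dangerous path.
OPEN_BY_DEFAULT = Policy(default_allow=True, rules={
    ("anonymous", "hrms", "read"): False,
    ("anonymous", "hrms", "write"): False,
})

# Closed by default: every permitted path is an explicit, reviewable grant.
CLOSED_BY_DEFAULT = Policy(default_allow=False, rules={
    ("hr-team", "hrms", "read"): True,
    ("hr-team", "hrms", "write"): True,
    ("legal-team", "ediscovery", "read"): True,
})

# Constructed traffic: legitimate internal use, a blocked public request, and an
# unanticipated public request against a newly added store nobody wrote a block rule for.
SAMPLE_REQUESTS = [
    Request("hr-team", "hrms", "read"),
    Request("anonymous", "hrms", "read"),
    Request("anonymous", "ediscovery", "read"),
]

def granted(policy: Policy, requests=SAMPLE_REQUESTS) -> list:
    """List the (principal, resource, action) tuples the policy would let through."""
    return [(r.principal, r.resource, r.action) for r in requests if policy.decide(r)]

if __name__ == "__main__":
    print("open by default grants:  ", granted(OPEN_BY_DEFAULT))
    print("closed by default grants:", granted(CLOSED_BY_DEFAULT))
```

The open policy lets the unanticipated public read of the e-discovery store through because no one thought to block it; the closed policy denies it because no one granted it.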
Limiting access to information can also feed security issues
Perhaps I am an anomaly, but when I go to a website and want to read an organization’s whitepapers or research and am asked to provide identifying information to do so, I tend to close the browser and move along. If I really am interested, and there is no other way to obtain it, I will begrudgingly fill out the form to get the download. If I have a generic web-based email account, I am often rejected with an admonishment that this information is only for those with proper “business” accounts. Marketing seems to stand between spreading knowledge and feeding a sales funnel.