I was at my local gym the other day and noticed that the management has installed cameras in the changing rooms. Needless to say, the cameras are not the issue, but rather who has access to the footage and this is where privacy protection comes in. This got me thinking of the trade-off that many organizations face as they try to balance privacy with security.
Unfortunately, one of the foundations of security is that you need visibility into what might be malicious behavior. This is not unique to IT; it is also the reason we do not hire visually impaired security guards for a building – seeing, and having visibility, is key.
An example is how organizations are starting to inspect encrypted traffic to understand what is happening inside encrypted tunnels. Over the last couple of years, cyber criminals have started to encrypt their communication to hide from the inspection carried out by security devices. From a security perspective, this means that we need to break the encryption to understand whether the communication is in fact malicious. Unfortunately, these encrypted channels are also used by normal users when they access their e-banking, web-mail and other services. So, in effect, organizations can potentially see what users are doing, and therefore gain knowledge about the employee which they would not normally have had.
Where Most Organizations Stand Right Now
In general, the privacy of the employee is overlooked, as many companies are more concerned about the security of the organization than the privacy of the individual. However, privacy is a topic which will need to be handled in the future, as legislation in this area is picking up. In our information security consultancy team, we already deliver services on the topic, including how to create privacy policies.
In other parts of the world, privacy is a bigger concern. For instance, in Germany there are privacy rights established in the Bundesdatenschutzgesetz, which was initiated in the 1960s and has been updated over the years.
Of course, it is the right of any organization to protect itself, and so it should be. But we are faced with the dilemma where we need to ask ourselves how far we can go. Personally, I am not too worried about organizations breaking privacy, after all, if the employee has something to hide, they can do it outside of business hours on their own private device.
Instead, I am more worried about the privacy issues introduced when governments or state-sponsored organizations start to look into your activities on the internet. WikiLeaks and Snowden’s information on the NSA have showcased how much is actually happening. My concern is not so much that my government looks into my data, but rather that if they can do it, so can someone else.
What Needs to be Done
The solution is to establish a code of conduct for what employees can and cannot do. There are simply some things that are not acceptable on a corporate PC in 2016 compared to 10 years ago. A good example is private e-mail. We know that e-mail is the infection vector for up to 90% of all malware and crypto malware. Yet most organizations allow users to check their private mail on corporate machines. At Help AG, we have assisted numerous customers in the last 12 months in dealing with crypto malware and ransomware, and in almost all cases the infection vector was private e-mail access.
Education plays an essential role: first and foremost, any security policy that impacts employee privacy needs to be well communicated and explained to employees. An organization needs to be completely transparent and share with employees which activities are forbidden and which are permitted, and how IT will monitor for offenders. Doing so is actually beneficial, as it will deter potentially harmful behavior.
Finally, we can of course provide technical solutions that assist in identifying corporate data leaving the organization and the sensitivity of that data. But ultimately the first step is to understand that not everything an employee wants to do should necessarily be possible.
Nicolai Solling, CTO at Help AG