As every CISO knows, balancing data security and privacy is a tough ask.
On the one hand, you are desperate to protect sensitive assets and implement all the DLP practices you possibly can. You are striving to secure new cloud channels that operate outside the traditional security perimeter, well aware of the risks of spear phishing, ransomware, and other threats to data security.
Equally, you know that privacy matters. You know that you can’t go full 1984 and spy on absolutely everything that is happening within your organization. For one, impinging on employee data security will irk your team. And then there are the legal aspects of employee monitoring.
How can companies protect themselves from digital risks without resorting to employee monitoring methods? By leveraging technology that ensures both data security and privacy – technology that provides full visibility into threats, without exposing the private content of digital interactions.
The Challenge of Modern Channels
In recent years, third-party cloud channels have become essential to modern business. Tools like Slack and Microsoft Teams are central to internal operations. Executives need to perform brand-building on LinkedIn. Sales teams need to reach out on WhatsApp. And so on.
All of these channels generate messages and digital interactions at a volume and velocity that manual review cannot possibly keep up with.
And any one of these messages or interactions could present a threat to data security: a phishing link, or spoofed domain, or an act of social engineering, or any other threat.
For example, earlier this year, it was revealed that “at least 10,000 UK nationals have been approached by fake profiles linked to hostile states, on the professional social network LinkedIn, over the past five years, according to MI5.”
Moreover, the challenges of cloud channels have been exacerbated by the pressures of the pandemic:
- The shift from the office environment to work-from-home setups forced employees to utilize insecure legacy routers and IOT devices.
- Bad actors exploit the anxiety and vulnerability of human employees around the COVID-19 situation and the quest for a vaccine.
- Differences in preferred communication channels between groups and cultures have only grown wider (for example, the Chinese market demands WeChat, whereas the Latin American market demands WhatsApp).
As a result, third-party cloud channels are now a serious security concern. In fact, our 2020 Digital Risk Survey revealed that 57% of executives identify collaboration platforms such as Slack and Teams as the tech stack causing the most concern. 47% worry about social media and other marketing platforms.
The Problem with Stricter Security
The threat surface is bigger than ever. As a result, for teams looking to guarantee data security, it is tempting to simply tighten the screw. No more secrets! Monitor everything, oversee everything, maximum surveillance. Whether it’s employees or executives, the reasoning goes, we simply have to get more invasive in order to protect the organization from threats to our data.
However, this is not the way to balance the competing goals of data security and privacy.
For one, employee monitoring is not generally well-received by employees themselves. It feels like an invasion, or an imposition. It suggests a lack of trust.
What’s more, it is often illegal. Not long ago, retail company H&M was slapped with a record-breaking GDPR fine of €35 million ($41.3 million) for illegal employee surveillance in Germany. A year before that, HSBC was also fined for monitoring an employee’s bank account.
In certain cases, the use of remote employee monitoring software is legal in Europe (as long as it doesn’t violate The Electronic Communications Privacy Act of 1986). But it’s a real balancing act. The laws are generally laxer in the US, but there’s no guaranteeing things will stay that way.
And in the case of executives, there is a good chance they will simply reject any form of employee monitoring. They will circumvent it, avoid it, find a different app.
Balancing Data Security and Privacy with the Right Solution
The answer lies in achieving complete oversight, while preserving the secrecy of the digital interactions being monitored.
This sounds like an oxymoron, but consider it this way: Imagine that, buried in a long WhatsApp exchange between a sales rep and a prospect, there is a phishing link. To protect the company against this phishing link and the threat to data security it poses, the company needs to detect the malicious link. However, everything surrounding the link is irrelevant. The conversation that is occurring, the words being used – none of this matters. All that matters is the toxic link. As long as the system can detect this link, there is no requirement for it to break privacy and “read” the messages.
The same would go for an executive’s LinkedIn messages. The worry is the PDF file, sent by a contact posing as a conference organizer, that contains malware. The system needs to scan, vet, and quarantine this malicious file – but the surrounding conversation is irrelevant. No-one has any need to know what was being said in the messages. The system needs detection, but not comprehension of context.
To effectively balance data security and privacy, companies need solutions that allow them to scan messages for risks, without revealing the content of those messages.
Balancing data security and privacy is a subtle challenge. Blunt solutions are not worth the ethical or legal employee monitoring issues that they create.
Here at SafeGuard Cyber, we’ve created a TotalPrivacy mode within our platform.
With TotalPrivacy mode, users can single out the digital risk – a link, a digital document, or an executable file – within the surrounding private conversation. However, the private conversation remains 100% private. The system can flag and prevent the entry/exit of files, all while ignoring background conversation details.
This way, companies establish:
- Total threat visibility
- Total blindness to message content
Companies can flag and capture risks without capturing content.
Protecting your company doesn’t have to mean impinging on the privacy of your people. With the right balance of data security and privacy, companies can ensure that an ethical data security policy for employees is not at risk. You can stay secure (and legal), without making unfair demands of your people.