Often when organizations think about Insider Threat Management, they tend to bucket it into security. This makes sense; Insider Threats are by definition security threats. The tools and budget and personnel for managing Insider Threats often come from the security department. However, as we wrote last year, “privacy and cybersecurity are joined at the hip.”
In the always-online culture we inhabit, maintaining employee privacy while also maintaining a strong and resilient security posture is critical for companies, vendors, and governments. Today, as part of our time-saving tips series, we delve into how to strike the tricky balance of privacy and security.
If you’ve ever read up on productivity techniques, you may have heard of the concept of “batching.” Batch all of your email correspondence in the morning, and save the phone calls for the afternoon. While it’s not always possible, whenever there are tools to be chosen or action items to tick off the list for security, it’s a good idea to take privacy into consideration at the same time. Here are our tips.
Know Your Regulations
If your business operates in a highly regulated industry or must meet compliance obligations for any reason, it’s key to understand privacy laws, including their timelines for release and how long it takes to get compliant.
For example, when GDPR rules were released in April of 2016, companies had two years to become compliant before they went into official effect. Yet many, many businesses were not able to meet this deadline, leaving them vulnerable to massive potential fines. The California Consumer Privacy Act went into effect this month, but many businesses are still scrambling to understand its implications and take appropriate measures.
Time-Saving Tip: Other state-specific and international privacy regulations will come into play in the next few years, so it’s important that businesses’ compliance and legal departments stay on top of these regulations and communicate clearly with the security and technology teams about what will be required to meet them.
Educate Employees About Privacy
As with security, awareness and education should be at the heart of any successful privacy policy. A survey we released in June of last year found that most employees handle sensitive information daily. However, there are big differences from country to country in the understanding of how to securely handle this data.
For example, employees in the UK are far more aware of privacy regulations around protecting this data. In the U.S., more than half (52%) of employees aren’t aware of any privacy laws dictating how organizations manage sensitive data. Meanwhile, in the UK, only 17% of people are unaware of these laws. Beyond this one-third of U.S. respondents said they aren’t aware of any privacy policies their organization abides by.
Clearly, there is an opportunity for better training, especially in the U.S. Sixty-seven percent of employees in the UK feel they have ample training to ensure that customer data is protected in line with regional regulations versus 47% of employees in the U.S.
Time-Saving Tip: Bake privacy training into any security training that you hold. They are naturally connected, since cybersecurity processes and tools naturally overlap with those designed for privacy (at least if you choose the right tool).
Don’t Neglect Employee Privacy
Much of the attention when we talk about privacy focuses on user privacy—in other words protecting the interests of end-consumers. However, employee privacy matters too. And, as a recent survey of ours demonstrated, it’s not widely practiced. Forty-five percent of U.S. employees aren’t very confident their organization is taking the proper steps to protect their own personal information compared with 38% in the UK.
More and more businesses are using tools like Proofpoint ITM to monitor and record the activities of employees. The goal is to protect critical business and customer data from unauthorized access, theft, and accidental disclosure, as well as to comply with industry requirements.
However, with new privacy regulations on the market and renewed media attention on issues of cybersecurity and privacy, there are serious concerns being raised about employee privacy in the workplace. However, activity monitoring in the context of cybersecurity does not need to come at the expense of privacy.
When done right, security isn’t a matter of watching each and every move every employee makes, keeping tabs on websites visited or what content viewed. In addition to that level of surveillance being onerous if not impossible, it’s also not the point.
Instead, organizations can create rules for activity monitoring. This way, they only flag activity when specific behaviour is detected. From there, organizations can customize exactly who is allowed to view these alerts and codify escalation procedures that respect employee privacy even when wrongdoing is suspected.
Time-Saving Tip: When teams work to develop privacy policies to protect end-users, they should develop parallel policies for employees at the same time.
Taming the Two-Headed Beast
Privacy and cybersecurity are inseparable. If a data breach exposes customer and/or employee data, this obviously decreases privacy. Companies must protect both privacy and security, and the balance lies in implementing security policies with teeth while also respecting user and employee privacy.
At Proofpoint, we take a privacy-centric approach to security. We are passionate about showcasing how privacy and cybersecurity can be successfully brought together for organizations of all sizes and types. It’s really just a bonus that tying security and privacy this tightly together also results in saved time.
To learn more about how to incorporate privacy best practices into your Insider Threat management program, check out our eBook:
Download the Ultimate Guide to Building an Insider Threat Management Program