In the past few years, you likely have heard someone arguing online in favor for more security or in favor of maintaining privacy. It is a debate that is not just among everyday users but can be found in executive board rooms and the halls of congress and parliament. Across political lines, the both security and privacy are enshrined, but it would seem the perception to many leaders is that a necessary trade-off exists between the two. Similar debates have been had before especially when it came to tracking productivity.
You may wonder what exactly has been the cause of this tension in recent years. The answer is simply cyber attacks, from both external actors and trusted insiders. New cyber attacks and data breaches seem to be a weekly news story now, and a top priority for policymakers. In June the ransomware, NotPeyta struck over 200,000 devices and deleted data from the networks of multinational companies. Smaller companies are not exactly safe from these threats and can be used as a means to get to larger organizations. It is possible to name all companies
Naturally, these cyber attacks have caused panic in the international community. Cyber crime is not going anywhere, and as long as it is here so will the debate between cyber security measures and employee privacy. The privacy of your employees cannot be ignored if you want to retain top talent in your organization. The resistance from staff is not because they don’t want to be secure, but more because they may feel you do not trust them, or that their privacy is being taken away from them.
Does Privacy Outweigh Safety? Both Sides
Consider this scenario: An experienced project manager named John, who has been very dedicated to your organization for the last eight years, comes to work like he always does. As he is preparing for the day, he notices an email from a vendor he does not recognize. He opens the email, and it is about an unpaid invoice that was supposedly sent a few weeks ago. The email directs him to see an attached word file. He opens the file like any other, by enabling edit mode and enabling macros. As he is looking at the invoice, he notices another company’s name on it and kindly replies to the sender that he has the wrong email address. John then starts his typical day. Five weeks later sensitive information is stolen and then encrypted locking his company out of their files. The source of the attack is later identified by an IT forensics firm to be malware on John’s computer that infected the network.
Should John’s company have been monitoring his emails continuously? Should they have given him so many permissions? These questions and much more lay at the heart of the war between cyber security and employee privacy. What’s more important employee privacy or the organization’s security? From core this question the dichotomy arises between safety and privacy. This dynamic facilitates a mentality of scarcity, and the allocation of resources are devoted to one or the other; security usually wins out.
The justification for the safety over privacy is often made under the banner of insider threat. One of the most significant cyber security concerns today is insider threat. An insider threat is where anyone in your organization or connected to it have access to sensitive information, and the potential to leak data or cause a data breach. So insider threat can be employees, managers, suppliers, the executive team, and even yourself. Insiders can be both negligent or malicious actors, although incidents involving malicious actors has decreased over time, thankfully.
The cost of a data breach as a result of insider threat can be millions, so security acts as a deterrent against that. Remember John from above, that scenario was loosely based on events that happened in March 2017 with Chipotle. The breach caused millions of credit card numbers to be stolen by cyber criminals for about three weeks unnoticed. This is what an insider breach looks like. If the employee had been skeptical of the email and not downloaded anything from it, Chipotle would not have been breached.
Businesses understand what is at risk now and have been increasing their investments into cyber security every year. Some companies have even invested into more passive solutions such as employee monitoring software which is are typically packed with tracking solutions. Some of them allow businesses to establish a baseline behavior and follow if an employee acts outside of their normal behavior. This is usually a background process that does not disrupt employee workflow. On company computers, most employees have come to expect this. However, other devices are becoming a concern such as personal mobile devices that connect to the company network or personal computers. There are some issues when it comes to informing employees that all their activity is being tracked. This is where the gray area takes over.
While employed in the private sector employees understand that they have fewer rights to privacy. Employee’s expectation of privacy is a reasonable one, but they often know or learn from experience that the law is not on their side in many cases. However, employees can leave at will for whatever reason they wish. Often when there are many obvious security measures in place employees will take it personally and at times may perceive that you do not trust them. This has an impact on productivity overall. Employees in the private sector often do have four types of lawsuits they can claim privacy violations on. These are unreasonable intrusion into private life, public disclosure of private information, false portrayal, and use of an individual’s name or likeness.
Often the issue of privacy and cybersecurity are the result of poor communication and clarity of security policy. When it comes to cybersecurity, everything relies on expectation setting and some transparency. Being honest with employees will maintain trust between the company and them. Let’s explore some ways you can have a comprehensive cybersecurity policy while upholding employee privacy.
Best Practices: Balancing Cyber Security and Privacy
For this balancing act, it helps to consult with legal experts, security experts, and human resource experts to gain comprehensive insight as to where you can balance your needs for safety and your employee’s needs for privacy. The following is a collection of recommendations from all three.
Principle of Least Privilege
The principle of least privilege limits access to information for employees on a need-to-know basis. So, for example, a project manager many need to input project transactions somewhere but that does not mean they need access to the entire company’s transaction history and banking information. Many companies practice this intuitively, however being actively aware of it will segment your roles and information based on need. This in the long run protects your business and allows you to focus your employee monitoring efforts on a particular segment of data and employee interactions with it.
Your security policy and the reason for its development may be 100% crystal clear to you, but for employees, this is not the case. Considering that most employees do not have an active concern for cyber security the way you do, they will interpret the security measures in a much different manner. To avoid trust issues or a negative work environment, you need to communicate your privacy and safety policy in simple terms that employees can understand. It will really help if you describe your privacy and security policies during onboarding.
Security technology has developed to a point where there is no need to interrupt the workflow of your staff. In the past security and oversight was made clear and provided a visible deterrent to employees. However, this also created trust issues and malicious actors always found a way around the monitoring. Employee monitoring software today offers baseline behavior development and tracking deviations from the established norm, all while running in the background. In addition to that you have the ability to monitor the computer, application usage, and even chat logs while on a company device. For you, information is pouring in over their activity, while on their end all they see is their typical workstation. It is advised that you only use what you need and do not use the technology to pry into an employee’s personal life. On a workstation at the office, you have the option to control nearly everything. If an employee needs to work from home or remotely it is advised to have them log in to a remote workstation and run the monitoring software on there. Above all do not use this technology on their personal devices.
Cybersecurity does not have to be at war with privacy; they can exist together. Good communication and understanding employee anxieties about monitoring will go a long way to establishing trust. Try to design a cybersecurity policy with privacy in mind and a clear line between work and personal spaces.