Four Steps to Tackling Data Security and Insider Threat Without Compromising Compliance or Culture: Balancing Employee Privacy with Data Security

Posted 15-Jan-2022



Security & Privacy: A complicated relationship

In today’s business world, security and employee privacy should go hand in hand: good security controls support employee privacy controls. However, three factors are converging that significantly complicate the relationship between security and privacy:

Tightening Data Privacy Regulations

New regulations like the EU GDPR and the CCPA in the U.S. are putting strict requirements on how employers can monitor and use employee data.

The Emergence of Collaboration Culture

The modern workplace isn’t just idea-driven; it’s fueled by collaborative, cloud- and web-based productivity that accelerates the creation, iteration and advancement of those ideas. Companies’ competitive advantage depends on trusting and freeing employees to work in these new ways.

Increasing Insider Threat

As companies increasingly recognize that their own employees may be their biggest data security risk, they’re working to build strategies around monitoring risky employee actions.

Protecting data security without becoming “Big Brother”

These converging trends increasingly paint employee privacy and data security as adversaries, putting internal stakeholders, from security and IT to legal and HR, in a tough place: How do you monitor the activity around your valuable and regulated data without becoming “Big Brother”?

This eBook walks through four critical steps for building an effective data security strategy that doesn’t compromise compliance or challenge the collaborative culture of trust within your organization.


INCREASING PRIVACY REGULATIONS ON A COLLISION COURSE WITH DATA SECURITY PRACTICES

The watershed moment in the evolving relationship of privacy and security was the EU General Data Protection Regulation (GDPR), which took effect in May 2018 and dramatically expanded the rights of EU residents to control the collection and usage of their personal data. The regulation affects companies in two ways, defining how they can 1) collect and 2) use customer data, and employee data as well. The legislation also comes with teeth: regulators can impose fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for non-compliance.

The U.S. has traditionally taken a largely hands-off approach to regulating employee privacy rights. But the GDPR inspired the California legislature to begin working on its own landmark legislation, the California Consumer Privacy Act (CCPA). The CCPA took effect on Jan. 1, 2020, and more than a dozen other states have since introduced similar privacy legislation. Note that the CCPA as first enacted exempted most employee and job-applicant data from its main obligations; that exemption was explicitly temporary, so employers should not assume employee data stays permanently out of scope.

For data security teams and the companies they protect, GDPR and CCPA signal a clear trend: data privacy regulations are on a collision course with many of the employee monitoring strategies used in the data security world.


Protecting PII is a cross-functional challenge

GDPR, CCPA and other new data privacy regulations focus on personally identifiable information, or PII. (Strictly, GDPR uses the broader term “personal data” and the CCPA “personal information”; both reach beyond the classic U.S. PII list of names and Social Security numbers to identifiers such as IP addresses and device IDs.) That PII may pertain to customers, your customers’ customers, direct employees and even third-party contractors. As an organization, you are required to understand where your in-scope PII is: where it lives, who has access to it, how it’s used, and so on.

Breaches related to PII get all the attention — and for good reason. A PII breach exposes your organization to significant fines — and, in a privacy-conscious world, can cause serious reputation damage and ongoing revenue impacts. However, the day-to-day management of PII is a constant challenge for organizations, impacting a wide range of internal teams:

LEGAL

For many organizations, legal oversees all PII compliance and risk, and wants to know that all requirements are being met.

SECURITY & IT

At the end of the day, no matter what types of PII your organization manages, it is the security and IT teams that end up executing the core processes around monitoring, controlling and protecting PII. Security and IT teams are tasked with implementing the tools and strategies to ensure the organization can:

■ See where PII lives

■ See how it moves, and know if it moves to non-sanctioned locations

■ See who is moving it, and know if non-authorized individuals access it

HR

HR typically creates and manages policies around employee privacy and the protection of employees’ PII.

SALES

The sales team often ends up managing PII related to customers (or customers’ customers).

ACCOUNTING

Accounting typically ends up managing some elements of PII, whether relating to customers or to employee payroll.

OTHER

Depending on where PII lives in your organization, other groups like product development or customer service may play a role in PII compliance.


Insider threat is a big risk to PII

Insider threat is one of the biggest data security risks in the modern enterprise, and one of the biggest threats to PII. Ironically, it’s not just customers’ or the company’s sensitive data that’s at risk: employee actions, whether intentional or negligent, are the biggest threat to exposing employee PII. Most security teams are already wise to the risk insider threat poses to a number of different data types, and they’re in varying stages of implementing an insider threat program to address these risks.

Using insider threat tools to protect PII: A tricky balance

Insider threat tools are an increasingly popular, and controversial, solution for protecting PII. Security teams know that they need tools and processes in place that give them visibility and monitoring capabilities, so they can determine how PII is moving within and outside of the organization. Several data security tools can add visibility and protection for PII, but security teams need to consider two major concerns:

1) Limiting access without stifling productivity

Monitoring and protecting PII comes with the same core challenge facing data security in general: Go too light on securing access, and you expose your data to excessive risk. Go too heavy, and you impede the productivity and collaboration fueling your business. Finding that balance is growing trickier as the modern collaboration culture drives work beyond traditional internal networks. More and more everyday work happens in the cloud, on devices that are as likely to be on an airplane at 30,000 feet or in a Starbucks as inside the walls of your main office.

Key Takeaway:

You can’t completely lock down your PII; you need a flexible detection and response tool for monitoring.


2) Protecting a culture of trust

Beyond functionally limiting productivity, security teams also need to be mindful of how data security measures are perceived by staff. No security team wants to become “Big Brother” to their users. From a practical perspective, allowing an adversarial relationship between security and users to develop only increases the problem of user non-compliance and workarounds. But today, more than ever, you can’t afford to damage the culture of trust within your organization. At a time when executives in every industry are championing employee empowerment, making bold claims of “our people are our strength,” companies are making it a top priority to encourage creativity, collaboration and innovation. Security policies and security tools play a major role in protecting (or detracting from) the culture of trust that attracts, retains and empowers employees.

Trust is the foundation that enables the culture of collaboration — and it is critical that your employees feel that their company (including the security team) puts trust in their ability to work in productive new ways.

Key Takeaway:

Trust is the foundation that enables the culture of collaboration — and employee perception of security policy is critical to trust.


4 STEPS TO CREATING AN INSIDER THREAT STRATEGY THAT DOESN’T COMPROMISE PRIVACY

So, how do you strike the right balance? How do you secure your PII and other valuable data without overstepping on employee privacy? How do you gain the visibility to monitor risky activities and identify insider threats without damaging your company culture or stifling employee productivity? The good news is that it can be done. The right tools exist, and, when done right, an insider threat program doesn’t have to become “Big Brother,” excessively impede productivity and collaboration, or negatively affect your organization’s culture.

Here are four foundational steps to creating an effective insider threat strategy that protects your business and achieves compliance, without compromising on privacy, trust and culture:

1. Gain support from the top down

2. Focus on monitoring the right things

3. Build a program focused on seeing what matters most

4. Communicate, communicate, communicate


1. GAIN SUPPORT FROM THE TOP DOWN.

Gaining robust support and buy-in for your insider threat program is the essential first step to protecting the culture of trust within your organization. Support from key stakeholders at all levels will also help you navigate roadblocks and other issues as you create, implement and manage your insider threat program.

Start at the top

It’s true for any data security program — and any major business initiative: to succeed, you need the support of business leadership. It’s the C-suite that ensures the program gets the continuous funding it needs, as well as the political backing to overcome any speed bumps that arise.

How to do it:

Obtaining that support is best achieved by articulating to executive leadership the real-world risks to the organization so that they understand the threats and how important it is to fund and support such an effort. This will require detailing the types of data risks your organization faces as well as the impact to the organization if that data is compromised, and the strategy for mitigating those risks.

Get key stakeholders on board

An effective insider threat program relies on real-time partnerships between security, IT, HR, legal and other teams within your organization. These different groups are essential to insider risk management processes around your highest-risk scenarios, such as employee onboarding and offboarding, new product development, and organizational changes like M&A. Without these stakeholders cooperating to give the security team the information and access you need, you’ll be flying blind.

How to do it:

Start by detailing how an insider threat incident, such as the exposure of PII or trade secrets, will impact relevant stakeholders — from creating added hassles to jeopardizing their work. With their personal and professional interest established, focus on clearly defined accountability — what each stakeholder is accountable for delivering or executing in the overall insider threat program.



2. FOCUS ON MONITORING THE RIGHT THINGS.

If it sounds obvious, it bears repeating, because too many companies get this step wrong: Make sure your insider threat program is focused on monitoring the right things, not looking in the wrong direction or trying to look in every direction. Here are considerations to help you hone the focus of your insider threat program:

Identify your regulated data.

Start by identifying all types of regulated data (PII or otherwise) that lives within your organization. Clearly defining regulated data relevant to your organization is key and this gives you a solid starting point for what your insider threat program needs to protect. As you build out your insider threat program to address regulated data, you may expand to include non-regulated, unstructured data — your trade secrets, IP and other proprietary and sensitive information that drives your business.

Identify your biggest risks.

Once you know what you’re protecting, work on understanding what you’re protecting that data from. Start by identifying the departments, systems, devices and people that have authorized access to your protected data. Then consider the common situations that present the greatest risks to that data. In most organizations, the biggest insider threat risks center on departing employees, onboarding employees, access privileges to high-value data, and major organizational changes like an M&A.

Focus on the data — not the people.

Because it’s people who pose the risk, many companies’ security programs focus on their people, using employee monitoring tools like user and entity behavior analytics (UEBA). Due to its intensive employee monitoring, this approach has implications for employee privacy and culture, and it’s simply the wrong focus. It’s the data you’re responsible for protecting, so it’s the data you should be watching. For example, you don’t need to see everything your employees are doing in their web browsers; you only need to see browser activity that touches your protected data. In practice, that means deciding at collection time which events are retained at all: an event that does not involve classified data should not be logged, rather than logged and ignored, because stored activity records tied to a named employee are themselves personal data and fall under GDPR’s data-minimization principle.



3. BUILD A PROGRAM FOCUSED ON SEEING WHAT MATTERS MOST.

Much of your insider threat program will consist of data security policies and employee training and awareness, and those policies will need to be enforced with technology. To simplify your program, you can begin by building around seeing the data that matters most. There is no single tool that provides all the capabilities you need to protect every type of regulated, valuable or sensitive data in your organization. However, an effective insider threat program will complement an overall data security strategy with a combination of security tools that each play essential roles. Insider threat programs typically consist of tools that fill three different functions:

Logging and alerting

If you defined sensitive systems as the focus, this is often a natural way to build out your program. Make sure you are capturing all relevant log sources (this is sometimes tricky with SaaS applications, whose audit logs may be exposed only through a vendor API, on a higher license tier, or for a short retention window) and set up alerts for activities deemed riskier, such as a departing employee moving protected files to removable media or to a non-sanctioned cloud service.

Defined processes

As much as we’d like to think technology can solve all of our problems, sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.

Special tools

You may decide there are additional tools you want to implement in order to monitor and manage your insider threat program. Depending on the technology implemented, you may get additional alerts, risk ranking, or integrated workflows to help guide your set up.

Build in flexibility

There is no one-size-fits-all formula for an insider threat program. The evolving nature of your organization and your employees’ dynamic ways of working mean that no insider threat program is ever finished. The most effective programs build in flexibility and agility. This includes allowing for additional context, accounting for the potential of human error, and incorporating other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately as it changes over time.

Prioritize seamless integration

You must also consider how well the tools you select will integrate within your environment and work with both internal processes and existing toolsets. For example, if you have an established automated employee off-boarding process, can you connect to those processes so that you have timely, accurate insights into employee status changes? The same holds true when it comes to employee onboarding.
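The data-centric scoping of step 2 and the logging-and-alerting function of step 3 can be shown together in code. The following Python script is an added example written for this page; it is not Code42’s software or any tool the eBook describes. It assumes a hypothetical classification vocabulary, a hypothetical acceptable-use list of sanctioned destinations, a hypothetical per-department access inventory, a 30-day departure window and a constructed set of file-movement events, none of which come from the original text. Events that do not touch labelled data are dropped before anything is stored, which is the privacy boundary the text argues for; the retained events are scored against the risk situations the text names (departing employees, moves to non-sanctioned locations, access by unauthorized people).

```python
"""Data-centric insider-risk alerting over constructed file-movement events.

Added example: labels, policy tables and events below are hypothetical and
constructed for illustration, not taken from any real deployment.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical classification vocabulary (a real program takes these from
# its data-classification inventory).
REGULATED = frozenset({"pii", "phi", "pci"})
SENSITIVE = frozenset({"trade_secret", "source_code"})
PROTECTED = REGULATED | SENSITIVE

# Hypothetical acceptable-use policy: where protected data may be moved to.
SANCTIONED_DESTINATIONS = frozenset({"corp-sharepoint", "corp-slack", "corp-gdrive"})

# Hypothetical access inventory: which departments may handle each data class.
AUTHORIZED_DEPTS = {
    "pii": {"hr", "payroll", "sales", "security"},
    "phi": {"benefits", "security"},
    "pci": {"finance", "payroll", "security"},
    "trade_secret": {"engineering", "product", "security"},
    "source_code": {"engineering", "security"},
}

DEPARTURE_WINDOW = timedelta(days=30)  # assumption: flag this long before last day
MOVE_ACTIONS = frozenset({"copy", "upload", "share"})


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    dept: str
    action: str          # read | copy | upload | share
    path: str
    labels: frozenset    # classification labels carried by the object
    dest: str            # where the object went: a service name, "usb", "browser", ...


def touches_protected(event: Event) -> bool:
    """Data-centric scope: only objects carrying a protected label matter."""
    return bool(event.labels & PROTECTED)


def retain(events):
    """Privacy boundary. Events that do not touch protected data are dropped
    here, before they are logged, so the program never holds a record of
    ordinary browsing or unclassified work. Returns (kept, dropped_count)."""
    kept = [e for e in events if touches_protected(e)]
    return kept, len(events) - len(kept)


def risk_reasons(event: Event, departing: dict, today: date) -> list:
    """Score one retained event against the high-risk situations."""
    reasons = []
    if event.action in MOVE_ACTIONS and event.dest not in SANCTIONED_DESTINATIONS:
        reasons.append(f"moved to non-sanctioned destination '{event.dest}'")
    last_day = departing.get(event.user)  # context fed from the offboarding workflow
    if last_day is not None and today <= last_day <= today + DEPARTURE_WINDOW:
        reasons.append(f"actor is departing (last day {last_day.isoformat()})")
    for label in sorted(event.labels & PROTECTED):
        if event.dept not in AUTHORIZED_DEPTS.get(label, set()):
            reasons.append(f"department '{event.dept}' not authorized for '{label}'")
    return reasons


def alerts(events, departing: dict, today: date):
    """Retain only data-touching events, then return those with risk reasons."""
    kept, _dropped = retain(events)
    out = []
    for e in kept:
        reasons = risk_reasons(e, departing, today)
        if reasons:
            out.append((e, reasons))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("2020-03-02T09:01", "alice", "engineering", "upload", "/repo/build.tar",
          frozenset({"source_code"}), "corp-gdrive"),
    Event("2020-03-02T09:05", "bob", "marketing", "read", "https://shop.example/cart",
          frozenset(), "browser"),
    Event("2020-03-02T10:12", "carol", "hr", "upload", "/hr/payroll_2020.xlsx",
          frozenset({"pii"}), "personal-gmail"),
    Event("2020-03-02T11:40", "dave", "engineering", "copy", "/eng/roadmap.pptx",
          frozenset({"trade_secret"}), "usb"),
    Event("2020-03-02T13:15", "erin", "marketing", "share", "/sales/customer_list.csv",
          frozenset({"pii"}), "corp-slack"),
]
# Constructed HR context, as an automated offboarding process would supply it.
DEPARTING = {"dave": date(2020, 3, 13)}
TODAY = date(2020, 3, 2)

if __name__ == "__main__":
    kept, dropped = retain(SAMPLE_EVENTS)
    print(f"retained {len(kept)} events, discarded {dropped} that touched no protected data")
    for event, reasons in alerts(SAMPLE_EVENTS, DEPARTING, TODAY):
        print(f"ALERT {event.ts} {event.user} {event.action} {event.path} -> {event.dest}")
        for r in reasons:
            print(f"    - {r}")
```

Bob’s shopping-cart visit never reaches the log, Alice’s sanctioned, authorized upload is retained but raises nothing, and the three alerts each carry the specific policy reason so the analyst (and, if asked, the employee) can see exactly why the event was flagged.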



4. COMMUNICATE, COMMUNICATE, COMMUNICATE.

Finally, no matter how you decide to build out your program, transparency is a critical ingredient in ensuring efficacy from a data protection standpoint and trust from a company culture standpoint.

Make sure your employees understand…

What You’re Monitoring

Be very clear with employees about what information your program is collecting and monitoring, and how the information is being used. Proactive communication makes a huge difference in fighting the Big Brother perception.

What You’re Not Monitoring

Communicating what information you’re not collecting is just as important as making sure employees understand what you are monitoring. Ultimately, staff should know that an insider threat program has nothing to do with tracking productivity or spying on online shopping. Moreover, employees should understand that your insider threat program isn’t focused on them. It’s focused on the regulated and valuable data that you need to protect. If their activity doesn’t touch that data, they don’t need to worry about anyone watching it.

Why You’re Doing It

Explain what your relevant data security and privacy regulations say — and how your insider threat program addresses regulatory compliance requirements. When employees don’t understand the reason for monitoring, they become fearful or resentful and the culture of trust is damaged.

What They Can (and Can’t) Do

Everyone will feel better about the program if they don’t have to second-guess whether or not they are acting within protocol. Clear and well-communicated acceptable use policies are the answer. Are they permitted to use cloud storage services? If so, which ones? Can data be moved to USB devices and other local, removable storage devices? Can they share data on corporate collaborative platforms such as Slack or Microsoft Teams? What’s the policy for taking data home and/or keeping it in their notebooks? Finally, don’t forget to consider contractors. There is often a different standard applied to third-party users and all involved need to understand that standard.



Why It Matters

Beyond “because compliance,” make sure you communicate the value of your insider threat program in terms that resonate with your employees. This includes avoiding regulatory citations and fines, to be sure. It’s important that your employees understand how data risk can impact their day-to-day workflows and jeopardize the success of the business. It’s also important that they recognize how a smart approach to data protection does not inhibit their creative, productive and collaborative ways of working.

What would you want to know?

At the end of the day, the simplest advice for communicating your insider threat program and related monitoring policies with your staff is this: Put yourself in the shoes of an employee. What would you want to know, and what would you consider reasonable? One of the goals of an insider threat program (and a good security program for that matter) is to create allies across the organization as opposed to adversaries. Doing so will better protect your organization and also make your job easier.



AN INSIDER THREAT PROGRAM THAT SERVES THE INSIDERS

There’s a lot of incendiary rhetoric surrounding the topic of insider threat, painting employees as the biggest enemies and threats to your business. In some sense, it’s true. Employee actions — intentional or negligent — represent one of the biggest risks to your company. The reality is they have access to sensitive data and the organization places trust in them. The irony is that an effective insider threat program really aims to serve the interests of those insiders. A good program is designed to protect employees’ PII, secure the valuable ideas that represent their hard work, and support the overall health, success and growth of the business that signs their checks.

Here’s where the opportunity lies: An insider threat program — or any data security strategy, for that matter — doesn’t have to be a net negative for employees. It doesn’t have to raise uncomfortable questions around privacy and employee monitoring. It doesn’t have to raise frustrating issues with limiting access and productivity. It doesn’t have to put a cloud over a culture of trust and collaboration. With the right combination of tools, strategy and communication, you can build an insider threat program that gives your security team the visibility to monitor, investigate and rapidly respond to data exfiltration. This will also protect the organization’s regulated, valuable and business-critical data — and empower your employees with transparency, trust and freedom to do what they do best.



Code42.com/resources

The leader in insider risk detection, investigation and response

Corporate Headquarters | 100 Washington Avenue South | Minneapolis, MN 55401 | 612.333.4242 | code42.com

© 2020 Code42 Software, Inc. All rights reserved. | EB2004187