As part of our transformation from an industrial to an information society, we are witnessing a global privacy revolution. The sophistication and proliferation of smartphones, the pervasiveness of social media, the “always-on” ethos that has emerged, and the blurred lines between our personal and professional lives mean there are opportunities for our privacy to be compromised every day, both at work and at home. As information security and privacy professionals, we have a unique opportunity to change the security industry forever by collaborating and championing privacy as the security enabler it truly is.
As lawmakers play catch-up with the technological shifts that put our privacy in the crosshairs, a groundswell of public awareness is rising around personal privacy that has profound economic, political, civil-liberty and security implications. The right to privacy in all spheres of life is fairly solidly protected in Europe, which is leading the way with a revamp of the Data Protection Directive to accommodate modern technology and globalization.
But one year after the Snowden revelations, the US is still struggling to define the scope of personal privacy protection and has stood up budding, fragile legislation such as the USA Freedom Act. Thankfully, the proposed “Consumer Privacy Bill of Rights” and the Supreme Court’s recent decision in Riley v. California foreshadow broader privacy legislation, which may well bleed over into the workplace.
Personal web use at the workplace gives rise to 90% of malware threats, exposing companies to loss of trade secrets, data breaches, and financial theft. And cyber threats are up.[i] Increased experience and training of hackers has led to record numbers of malware incidents and data breaches, resulting in record-high losses and related costs.[ii] Additionally, companies facing inappropriate web use (e.g., cyberloafing, gambling, or accessing pornography) increase their liability, which is costing US businesses $178 billion annually in lost productivity.[iii]
As global privacy laws continue to evolve, one of the most difficult challenges companies face remains the differing, sometimes conflicting privacy-related obligations across jurisdictions. Complicating the situation is that the line between personal and work life continues to blur. People are conducting personal business at work and professional business at home. A constant barrage of work-related messages is becoming a “new normal,” according to recent research from the Center for Creative Leadership (CCL). The CCL recently surveyed approximately 500 executives, managers, and business professionals, more than three-quarters of whom used smartphones for flexible-work situations. Respondents who had smartphones used them for work purposes an average of 13.5 hours per day and nearly five hours on weekends, for a total of 72 hours per week.[iv] This “new normal”[v] is driving an unspoken, intensifying tension around security and workplace privacy.
Faced with securing organizations in light of these realities, the information security community is developing tools to “lock down” and monitor employees and is implementing stricter Acceptable Use Policies. Yet the employee threat surface continues to expand, while trust between employers and employees erodes.
As an information security professional, what can you do? You can become an advocate for employee privacy as part of the security solution. Embrace the reality that employees are going to access the corporate network for personal use and grant them access to a contained but easy-to-use personal network that complies with privacy requirements, reduces corporate liability and strengthens organizational security. By giving them a private, secure space to conduct web browsing at work, you can avoid monitoring, restore their trust, reduce your employer’s liability and empower employees to become the greatest tool in protecting the organization – more effectively than even the best security awareness program ever could.
Bio: David has worked for 25 years with US and global companies, advising them on strategy, risk-based priorities, and effective governance of highly sensitive and regulated data. He is a CIPP/E/US, CISA, and CISSP and has authored several books through McGraw-Hill Publishing and Macmillan Publishing including PDA Security: Incorporating Handhelds Into Your Enterprise.
[i] See 2013 Internet Threat Report, Volume 18
[ii] See www.datalossdb.org
[v] See http://www.gartner.com/newsroom/id/2028215