How to Balance Insider Threats and Employee Privacy

ISACA Journal volume 3
Author: Isaac Kohen
Date Published: 30 April 2020

Recent headlines are replete with extremely costly and disruptive examples of insider threats playing a prominent role in high-profile data breaches.

For instance, in September 2019, an American Express employee accessed and stole copious amounts of customer data that he intended to use to perpetrate identity fraud. As a result, the financial services enterprise was forced to notify its customers of a self-inflicted wound that placed their personal information at risk.1

Meanwhile, a former Yahoo employee pled guilty to accessing and stealing sexual images from more than 6,000 customer accounts. The breach was a horrific invasion of privacy that included some of the employee’s personal friends and colleagues.2

Of course, few insider threats are as costly as the one that compromised the data of 4.2 million members of Desjardins, the largest federation of credit unions in North America, ultimately costing the cooperative US$108 million.3 The employee responsible for the breach was fired, but that retroactive response will not offset recovery costs or restore the enterprise’s tarnished reputation.4

These events, when coupled with the thousands of incidents of accidental sharing, make it clear that, for many enterprises, the most significant cybersecurity threat is not an abstraction that exists outside the enterprise. It is most likely sitting in the cubicle next door.5

Given the dynamic nature of today’s threat landscape and the increasing cost of failure when it comes to data security,6 it is not surprising that 98 percent of enterprises monitor their employees’ digital behavior.7 However, these initiatives are coming to fruition at a time when data privacy is at the forefront for government regulators, legislators and employees. In short, although employee monitoring software can help prevent a costly data breach, its implementation can backfire if it is not handled correctly.

The following considerations can ensure a proper deployment of employee monitoring software, helping the organization achieve a privacy-friendly approach to insider threat prevention.

Pick a Purpose

With today’s incredibly capable employee monitoring software, the insights an enterprise can glean are almost endless. While this expansive versatility makes software adoption simple, it can be a hindrance when trying to protect employee privacy.

For example, an enterprise deploying employee monitoring software to protect the enterprise’s data may assess and evaluate data access points, data movement or unusual network activity. In contrast, an enterprise assessing productivity is likely to be more interested in knowing how much time employees spend on websites or using applications.

To ensure that employee privacy is an integral part of employee monitoring, the scope of monitoring can be narrowed by first identifying its purpose. Once this priority has been established, an enterprise can choose the right software, with the configuration best suited to that purpose, to promote a seamless rollout.

Align Process With Purpose

Clearly identifying the purpose of monitoring helps enterprises make decisions about how to achieve desired outcomes without compromising employee privacy.

When instituting employee monitoring to protect enterprise and customer data, executives should take the time to understand information flows. This can identify specific pain points and vulnerabilities that may contribute to a data breach.

As privacy regulations become more onerous and widespread, many enterprises have no choice but to ensure employee privacy when implementing any workplace monitoring initiatives. In the United Kingdom, the Information Commissioner’s Office recommends that enterprises conduct data protection impact assessments to determine the efficacy of their initiatives.8 These assessments promote critical thinking about employee monitoring so that adverse impacts and additional obligations can be evaluated before implementation.

In short, privacy-focused enterprises do not let monitoring programs run out of control. Instead, they align their processes with their purposes, while prioritizing intentionality at all times.

Communicate Standards

Secret monitoring is not the solution to data loss prevention. Indeed, there is little evidence that undisclosed monitoring is effective in protecting enterprise data. It can negatively impact employee morale and place enterprises in a dubious legal position.

Instead, open and clear communication with employees should be prioritized. Failure to communicate expectations sets employees up for failure and it can foster a negative workplace culture that offsets many of the gains derived from employee monitoring.

In general, employees need to know the following:

  • Purpose of the new monitoring initiative
  • Software used to collect their data
  • Plan for managing, securing and evaluating their information
  • Expectations for personal data management and accessibility

Ultimately, employee monitoring works best as a collaboration. All stakeholders can contribute to the process, and privacy-oriented enterprises can use the information obtained to determine best practices and propagate a culture of data security.

Choose the Best Technology

Enterprises have no shortage of options when it comes to employee monitoring. As employee monitoring becomes a new workplace standard, many new products provide in-demand features at an affordable price.9

Employee monitoring software can significantly reduce an enterprise’s exposure to data loss events, but securing this information at the expense of employee privacy is a nonstarter in today’s business world. So, when choosing software, make privacy the first priority.

Specifically, features such as auto-redaction of personal information, time- or location-sensitive monitoring, or automated data access regulation can secure enterprise data without unnecessarily revealing employee information. The following are some of the other criteria to look for:

  • Features—The features and benefits should be compared. Is it easy to use? Ask if the organization needs additional features like time tracking, productivity optimization and payroll management. Does it support anonymization, redaction/black-out, encryption, etc., to protect privacy?
  • Business case—Can it deliver on the organization’s business requirements? For example, if the organization has employees or customers in the European Union, it must check whether the employee monitoring system supports EU General Data Protection Regulation (GDPR) compliance requirements such as data retention and erasure policies.
  • Flexibility—How configurable is the solution? For example, does it allow the organization to create segregated, role-based access control (RBAC) that limits data exposure on a need-to-know basis? Can the monitored objects be configured to preserve employee privacy?
  • Price vs. value—Does the product/price justify the return? Will it improve the productivity of employees by eliminating application overload, task-switching and idling? Are there any hidden costs such as maintenance, upgrades and support?
  • Deployment—How fast can the organization get started? What are the deployment options? Can an enterprise, for example, deploy it in its own data center/on-premises to comply with cross-border data transfer restrictions? If it is cloud based, can the vendor provide the business associate agreements (BAA) required by GDPR/US Health Insurance Portability and Accountability Act (HIPAA)-type regulations?
  • Vendor reputation—Is the vendor reputable? Does it have strong customer reviews? What is its experience in the organization’s specific industry?
  • Support/service-level agreement—Implementing an employee monitoring and data loss prevention solution can be complicated, especially if an organization does not have in-house resources. Will the enterprise get the implementation help and ongoing support it needs from the vendor?
  • Integration—Is the software a monolithic product, or can its usefulness be extended? For example, can it be connected to the existing security information and event management (SIEM) system to orchestrate a unified security system?
  • Compatibility—Will it work well with IT systems? Is it compatible with the software employees use?

Conclusion

Data security is much more than an altruistic priority. Consumer sentiment is trending against enterprises that cannot protect their information, so enterprises need a way to protect their customers’ data from malicious or accidental data leaks by their employees. Such threats have cascading consequences for enterprises of every size, yet organizations also need to uphold their employees’ privacy rights.

Fortunately, these imperatives are not mutually exclusive. It is possible to protect against insider threats while preserving employee privacy. It just requires an intentional effort to make it happen.

Endnotes

1 Abrams, L.; “American Express Customer Info Accessed by Employee for Possible Fraud,” Bleepingcomputer, 2 October 2019, http://www.bleepingcomputer.com/news/security/american-express-customer-info-accessed-by-employee-for-possible-fraud/
2 Martin, A.; “Yahoo Engineer Admits Hacking Thousands of Accounts to Steal Sexual Images,” News.sky, 1 October 2019, http://news.sky.com/story/yahoo-engineer-admits-hacking-thousands-of-accounts-to-steal-sexual-images-11824338
3 The Canadian Press, “Desjardins Group Says 2019 Theft of 4.2 Million Members’ Data Cost $108 Million,” Global News, 26 February 2020, http://globalnews.ca/news/6599224/desjardins-data-theft-cost-108-million
4 Zurkus, K.; “Desjardins Insider Accessed Data of 2.9m Members,” Infosecurity, 21 June 2019, http://www.infosecurity-magazine.com/news/desjardins-insider-fired-for-1
5 Pepper, T.; “Alarming Statistics Show Human Error Remains Primary Cause of Personal Data Breaches,” Realwire, 20 August 2019, http://www.realwire.com/releases/alarming-statistics-show-human-error-remains-primary-cause-of-data-breaches
6 IBM, 2019 Cost of a Data Breach Report, USA, 2019, http://www.ibm.com/security/data-breach
7 Matyszczyk, C.; “In a Startling New Study, Companies Admit to Spying on Employees Far More Than Employees Realize,” Inc, 19 February 2020
8 Information Commissioner’s Office, “Data Protection Impact Assessments,” UK, http://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments
9 Krouse, S.; “The New Ways Your Boss Is Spying on You,” The Wall Street Journal, 19 July 2019, http://www.wsj.com/articles/the-new-ways-your-boss-is-spying-on-you-11563528604

Isaac Kohen is vice president of research and development for Teramind, a leading global provider of employee monitoring, insider threat detection and data loss prevention solutions.