I had a few great podcasts this past week, and one of the questions that I usually ask surrounds the Remote Workforce. My guests last week seemed to be in agreement that the WFH concept is one that is going to be around for a long time to come.
They also said that the so-called hybrid model may or may not work, but in the end, you truly have to listen to your employees. This is not to say that a CISO has to do everything that an employee wants, but remember, a happy employee makes a productive one.
But with remote working comes a serious issue that many businesses in Corporate America are now facing: how much can they spy on their employees to make sure that they are maintaining good levels of Cyber Hygiene? The major factor here is the data privacy laws that have been enacted in recent years, most notably the GDPR and the CCPA.
But now another factor has compounded this issue: what if your remote workers are actually using their own devices in order to gain access to shared resources on your corporate servers? How much prying can you do then?
For example, if your entire infrastructure is in the Cloud (like Microsoft Azure), and your employees still use their personal devices to access the resources on it, can you still audit those devices?
Well, this morning, I came across an article that addresses these issues to some extent. Here are some thoughts that were shared in it:
1) Don’t collect too much:
If you are an SMB with an online presence (such as an Ecommerce store), information and data about your customers and prospects are literally your lifeblood. You want to collect as much knowledge as you can about them so that you can entice them with your latest products and services, and, if you have the AI and ML tools on hand, predict what their future buying habits will be like. But now a line is starting to be drawn: when is too much information collected?
There is really no clear-cut answer to this, as a lot depends on your line of business and what you are selling.
But once again, the GDPR and the CCPA now limit how much you can collect. Also, under these new regulations, your customers now have the right to ask you how their data is being stored, archived, and/or processed. For example, is it being given away to third parties without their knowledge or consent? In a worst-case scenario, your customer can ask to have all of their data purged, and never shop with you again. Therefore, it is always in your best interest to let customers and prospects know what kinds of data/information are being collected about them. Also keep in mind that if you do collect “too much” information, this also increases the attack surface, as now the hacker has much more that they can exfiltrate and sell on the Dark Web for a nice price.
2) Be careful of the lines you cross:
As mentioned earlier, with the Remote Workforce now almost a permanent fixture, as a CISO you have to be careful about what is deemed to be “surveillance” in the eyes of your employees. Obviously, you do not want to be perceived as Big Brother watching. So in this regard, you should always tell your employees ahead of time what kinds of activities you will be watching them for.
This is especially true of third-party contractors. But this issue gets even murkier when the home networks that your employees use to access the corporate networks are blended together. For example, what if your remote employee uses their own personal workstation to connect to their own network, which in turn will be used to gain access to the shared resources? Can you still deploy employee monitoring tools onto these personal devices? A few years ago, this was never really an issue.
But this all came about when the COVID-19 pandemic first hit, and everybody, for the most part, was required to work from home.
3) Take preventative measures:
In the end, as the article points out, it is always better to err on the side of caution rather than taking risks. Here is what is recommended:
*View each piece of data not only in terms of its business value, but also in terms of its privacy value. For example, always ask this question: Do we really need this piece of information? Can it be deemed a privacy risk?
*If you make use of AI and ML tools, also take a look at the datasets that you have acquired (more than likely from a third-party vendor) and see if all of the information is really needed before you actually process the datasets. In other words, look at what you want your expected outcome to be, then ask whether those extra data points will actually help meet your end objective or even skew it.
*Always be extremely careful when handing over any datasets to third-party vendors. Make sure you know how they are using them, and for what purposes. Always conduct regular audits if you feel that this is necessary.
My Thoughts On This:
Let’s go back to #2. Although I am not a lawyer, IMHO, as an employer, you have every right to question your employees about how they are using their devices when it comes to the accessing and storage of it. But keep in mind that the law is on your side if your employees are using company-issued devices.
If they are using their own, then this really becomes a dicey situation. But on the flip side of this, you are a steward of the data and information that you collect and hold, and with that responsibility, you have to take every precaution possible to protect it.
So, that could give you some more latitude in the inspection and/or audit of your remote employee’s personal devices. But you have to make these stipulations clearly and blatantly known to your employees from the very beginning!!!