During the last half of the 1990s, there was a concern for employees using their own home desktop computers to dial in to the corporate network from home. Thousands of articles and hundreds of conference sessions discussed the associated risks and then how to mitigate them through documented policies and the use of new tools.
Soon after the year 2000, these concerns expanded to employees using their personally owned laptops outside of the office and in other facilities instead of the corporate-issued computers. Thousands more articles and hundreds more conference sessions discussed how to address the risks.
Just a few short years later, smart phones started being widely used…thousands of more articles and hundreds of more sessions. And soon, employees were using not just one but multiple smartphones, tablets, laptops and wearables for not only personal activities but also for work activities.
The types of new technologies that employees are using within work environments and for business activities are going to continue to grow exponentially. Their personal data is getting more mixed in with the business data on those devices. How can organizations get ready for these increasingly high-tech employees? How can they keep the business data separate from the personal data? Can they even do this anymore?
There are increasingly complex ways in which employees are connected to…
- the Internet;
- directly to other individuals
- Wi-Fi enabled objects that are passively collecting your mobile device exhaust, and/or images of you, as you pass by them;
- unlimited numbers of unknown others slurping data through their mobile apps; and
- growing numbers of other “smart” internet of things (IoT) devices that are automatically taking the data generated and passing it along to unlimited others.
This is complicated by the fact that these workers are increasingly doing work remotely, away from the company networks and outside of the facilities and purview of their managers, which exponentially increases the risk to all the business information they are accessing.
All the new gadgets and tech that employees are now simply using, with no questions asked and no parameters set, increase the security risks and every business’s cybersecurity attack surface.
So, where should you start?
1. Determine your risks
Do a high-level risk evaluation that includes, among other actions, answering the following questions:
- What types of devices (computing, storage and smart) are employees using? How many of them are owned by the business and owned by the employees or others?
- Which ones are used while doing work activities?
- Which ones collect data in some manner?
- Which ones store business information?
- What mobile apps are used on the devices? What data are they collecting, and to whom are they sending/sharing data?
- In what geographic locations and types of environments are the devices being used?
- What security controls are used in all those locations?
- Who has access to all the data?
- How can data be removed from those devices?
- What kind of training and awareness communications do employees receive for using all types of devices?
- What types of confidentiality contracts do employees sign when starting work?
- What are employees required to do when leaving employment with the business?
You can then do a deep-dive risk assessment after you finish the rest of this list to see where you still have risks and gaps to mitigate. Or if you already have the tools and do the actions listed below, then go ahead and do a deep-dive risk assessment to begin with.
2. Establish documented security and privacy policies and procedures
Now you need to establish documented security and privacy policies to mitigate those identified risks to acceptable levels, providing the rules for all the types of tech that your employees use that could impact your business. Then document procedures to support those policies.
Remember: if your policies and procedures are not actually documented, they don’t exist. That’s the case at least to clients, regulators and auditors who will review your information security and privacy programs. Policies and procedures for the issues related to employees using their own devices in a wide range of locations should include (but should not be limited to):
- Requirements for employees to sign non-disclosure and confidentiality agreements upon the start of employment.
- Requirements to get data from computing devices when employees leave the company.
- Clearly worded requirements for the types of technologies that can and cannot be used when doing business activities.
- Clearly worded requirements for where business information, including information about customers, employees, patients and other types of personal information used within the business environment, can and cannot be posted, shared, stored, etc.
- Employee exit procedures to review the employees’ legal obligations for not using the data for other purposes to ensure the soon-to-be ex-employee understands the things those folks cannot do with the business information they had access to and the legal ramifications of taking business information and using it elsewhere.
- Requirements for employees using their own devices, in unlimited locations, to get training for the security and privacy requirements.
3. Identify tools to support the policies and procedures
There are a wide range of tools to consider such as (but not limited to):
- Encryption for data at rest, data in transit, and data being collected.
- Data logging tools to track business, customer, employee, patient and other data that is related to the organization
- Remote data wipe tools to remove data from ex-employee, stolen and lost devices.
- Firewalls and anti-malware tools required on all types of devices.
- Performing periodic privacy impact assessment (PIAs), risk assessments and audits.
4. Provide training for the requirements
Your employees will not know what to do unless you provide them with effective training. Providing effective training is key; don’t just point employees to a document and call that training…it is not. There are many ways to provide effective training.
5. Send occasional awareness reminders
The longer it has been since training, the less often employees will think about how to secure information and protect privacy. You must provide ongoing frequent communications to remind employees of the need to work in a way that protects data and privacy. There are many ways to provide ongoing information security and privacy awareness communications.
6. Monitor compliance
After you establish rules for how to use computing devices and how to manage business data along with personal data, you need to make sure those rules are effective. You can’t just put the rules out there and assume everyone is following them. Some will choose not to certainly, but then there will be others who didn’t understand or notice the rules, those who will forget the rules and those who will make mistakes that will create incidents and even breaches involving business information. You must monitor the effectiveness of your policies and procedures for how employees must work with their own devices in every location.
Businesses must keep up with the times to know the current and emerging risks based on current and emerging public trends for using a wide range of technologies and computing devices. Businesses must then make sure the rules for using such technologies are documented and then ensure those rules are followed.
About the Author: Rebecca has 25+ years of systems engineering, information security, privacy & compliance experience, is CEO of The Privacy Professor® consultancy she founded in 2004, & President of SIMBUS, LLC Information Security, Privacy & Compliance cloud services she co-founded in 2014. Rebecca designed and engineered the SIMBUS architecture and associated services, including for online employee and contractor information security and privacy training and awareness, vendor management, risk management assessments and evaluations, policies and procedures, program management tasks, breach response, audit management, employee oversight and management, and inventory management. Rebecca has authored 19 books, the last two of which were privacy books published by ISACA in 2017; one titled, “ISACA Privacy Principles and Program Management Guide” and the other titled, “Implementing a Privacy Protection Program: Using COBIT 5 Enablers With the ISACA Privacy Principles.” Rebecca has contributed to dozens of other books and written hundreds of articles.
Rebecca led the U.S. National Institute of Standards & Technology Smart Grid Privacy Subgroup for 7 years, performed the first electric grid cybersecurity OpenFMB testing for NIST, was a co-founder/officer for IEEE P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group, and is on many advisory boards. Rebecca is a member of the NIST Privacy Framework working group. Rebecca appears regularly on the KCWI23 morning television show, hosts the Voice America radio show “Data Security & Privacy with the Privacy Professor” with a new show each week, and is quoted in a large number of diverse publications. Rebecca has also served as an information security, privacy and compliance expert witness. Rebecca has degrees in Mathematics, Computer Science and Education. Rebecca earned the following certifications: CISM, CISA, FIP, CIPT, CIPM, CIPP/US, CISSP, FLMI. Rebecca is a Ponemon Institute Fellow. Rebecca is based in Des Moines, Iowa, USA. firstname.lastname@example.org. www.privacyguidance.com, www.SIMBUS360.com, https://www.voiceamerica.com/show/2733/data-security-and-privacy-with-the-privacy-professor
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.