SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Why Data Privacy Day calls for greater collaboration
Fri, 26th Jan 2018

Data Privacy Day recognises the increasing—and often neglected—need to strengthen security to protect data and privacy. In a hyper-connected world where consumers are willing to provide their personal data in order to get a service or a good deal online, data breaches have become a norm rather than an exception.

Last year the number and fierceness of cyber attacks created a heightened awareness of the need to tighten security measures, including the monitoring of employee actions and behaviours. Unfortunately, more than 55 percent of all breaches like these occur from inside organisations.

In Australia, the Data Breach Notification Bill will come into effect on the 25th of February, meaning businesses will need to notify the Office of the Australian Information Commissioner of any significant data breaches that affect either partners or clients of the business. Similarly, the EU's GDPR act coming into effect in May will make it more important than ever for businesses to properly protect private data.

So it's not surprising that organisations want their IT and security teams to keep tabs on employees and their actions at work, which can be perceived as Big Brother or Orwellian.

Many workers already distrust their employers. However, unlike the Orwellian fictional reality, cybersecurity programmes are essential to protect and secure companies, their employees, customer data and critical intellectual property. So how can you monitor employee activities without building more distrust?

With this dilemma, traditional cybersecurity methods are no longer the answer. IT security alone cannot shore up defenses to protect perimeters that no longer exist. With personal and corporate data intermingling on mobile devices and in the cloud, data usage and behaviour patterns have changed so much that the perimeter is now the people.

Rather than focus on building bigger defense points, the industry needs better visibility into human behaviour to understand how, when and why people interact with critical data, no matter where it is located. Companies need to take a human-centric approach to security to understand who is touching critical content and why.

And to get to this level of visibility, IT has to convince employees to join in its efforts to maintain security and, in the process, cooperate in a way that strikes the delicate balance between security and privacy. Unfortunately, IT cannot do this alone.

Partner with HR to establish employee trust and rapport

Establishing employee trust and a rapport to build a comprehensive yet respectful security strategy starts by partnering with HR. With the right mix of HR and IT, organisations can create programmes that empower employees to feel and act like they are integral to securing their organisation.

Communicate above policing

When an organisation communicates privacy and security policies well, employees will feel less policed. When you explain the threats and intrusion techniques, most employees will have a better understanding of the importance of workplace privacy when using an organisation's technology. Ultimately, you want to convince people that your human-centric security program is about keeping everyone more secure and protected.

Build a coalition to promote security

To implement human-centric security that puts privacy in the proper perspective, organisations should create new coalitions or steering committees to foster cross-functional partnerships that help the entire enterprise create a climate of mutual trust, transparency and respect. The coalition should include representatives from multiple departments and regions so that each member understands each other's actions and day-to-day routines as they fit into a human-centric security program.

Communicate and enforce policies evenly at all levels

HR can help IT apply security policies differently but equally across different levels of their organisations. Privacy policies might be applied differently based on function – and will, therefore, mean something different for the CEO, IT, sales or HR teams. However, privacy policies must be consistent across the entire organisation, leading all the way up to C-level executives. Even the highest-level executives must understand the importance of their protection.

We're all in this together

In the end, this collaborative approach should help drive a consensus that puts employee monitoring and privacy in the proper balance and perspective. If employees are treated as knowledgeable and vital parts of the overall security framework and goals, they'll come to work with a greater comprehension and appreciation of security as it relates to their behaviours and work routines.

Data Privacy Day is a good reminder for organisations to build a human-centric security approach, which focuses on the interaction of people and critical data to protect not only their business and customers' data but also their employees and intellectual property.