Information monitoring is a tricky subject. We all want to be able to trust others with data, but information theft and data leakage happen all too often, and organizations are asking themselves how much they should be monitoring the way company information is used. But why is it an issue, and how should it be done?
Why is it an issue?
There are two primary reasons to consider stricter information monitoring. Firstly, not all company secrets and confidential information are lost to theft and hacking; much is lost by accident, by staff who do not realize what they are doing. Monitoring is therefore a means of protecting against both intentional and unintentional data loss.
Secondly, under governance and compliance rules and legislation, it is the owner of the equipment – that is, the company, not the employee – that will be held liable for meeting legal compliance standards. The incidents in question can range from the loss of personal data and/or company confidential intellectual property to harassment and bullying within the company, and can lead to increasingly large fines and loss of brand reputation.
The owner of the equipment is responsible for illegal content held on it whether that equipment is on premises or in the cloud. Likewise, the data controller (usually a named person within the company, but effectively the company itself) is responsible for protecting personal data.
The question of whether to monitor staff thus becomes a business issue rather than a simple IT security issue. It transcends both the IT and legal departments, and because it involves staff, it must also include the HR department.
Can it be done legally?
The first question, in an age of increasing privacy protection from the EU in Europe, and federal and state laws in the US, is simple: is it legal to monitor staff communications? Precise details vary from country to country. Germany, for example, has particularly stringent privacy rules. But provided that staff have agreed to or have accepted the monitoring, and provided that the monitoring is for business purposes on business equipment, then in general communication between staff on the company network can be monitored, and emails received or sent by staff on company computers can be monitored.
Nevertheless, if it is done, it is best done sensitively and discreetly. The starting point should be the formal company fair use policy, making it clear what staff can and cannot do, and including a clear statement that business communications will be monitored. This policy should then form part of the conditions of employment. Staff will consequently know what is happening, and employers will have redress if necessary.
Think before you click ‘send’!
If staff in your business use email and IM for fun, perhaps these stories will illuminate the dangers to them… Sending ‘rude’ (offensive) jokes is also an issue.
Should it be done?
On a purely logical basis, yes, it should be done. Here are three main reasons:
1. Staff working from home. The boundaries between office and home are breaking down. More and more staff work at home in the evenings and at weekends, and they find ways to transfer data from office computers to home computers for the best of reasons. This could be via file synchronization services such as Box and Dropbox, or simply by emailing the file as an attachment to a personal webmail account such as Gmail or Hotmail. It is important that a CISO knows where company information is at all times, because once it is outside the company network, they can no longer defend it. It could be the source of a data leak.
2. Legal liability. Staff may take data home with the best of intentions, but the company will still be legally liable for what happens to it. The EU approach is typical: it is not the employee who is responsible, but the data controller – which is, effectively, the company. If data is lost or misused, then it is the company that will be fined, and it is the company’s reputation that will suffer.
3. The increasing technical competence of cyber attackers. No company is immune from attack, and those attacks are becoming more and more sophisticated. While still important, traditional perimeter defenses like a simple firewall and anti-virus software can no longer be relied upon to keep out hackers: they will not stop an exploit for a zero-day vulnerability that delivers previously unseen malware. It is no longer just a case of prevention; it is as much a case of discovery and remediation.
According to Trend Micro, 91% of all successful APT attacks start with a spear-phishing email. The automated monitoring of email – both inbound and outbound – is a valuable way of defending staff against spear-phishing.
Once an attacker is inside the network, they can spend weeks or months finding the data they want to steal and working out an exit strategy that will go unnoticed. One such route is to take over a legitimate staff account and mail the data out. Unless that email and the data itself are analyzed, it will simply pass through the firewall as legitimate traffic. If it is personal or financial data it can attract legal action and loss of brand; if it is intellectual property it can affect the very future of the business; and if it is military data it could affect us all.
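The outbound-email analysis described in the two paragraphs above (an attachment mailed to a personal webmail account, and a hijacked staff account mailing data out past the firewall) can be sketched as a small triage pass. The following is an added example written for this page, not code from the original post or from any vendor product it mentions. It assumes a hypothetical internal domain `example.com`, a hand-picked list of personal webmail domains, a classification marker such as "CONFIDENTIAL", a Luhn check for card-number-shaped strings, and a constructed batch of messages; the bulk-attachment threshold is likewise an assumed tuning value.

```python
"""Toy outbound e-mail DLP triage over a constructed batch of messages.

Added example for illustration; domains, markers, thresholds and all
sample messages below are assumptions, not data from any real system.
"""
import re
from collections import Counter

COMPANY_DOMAIN = "example.com"                     # assumed internal domain
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")     # 16 digits, optional separators
BULK_ATTACHMENT_THRESHOLD = 3                      # assumed: external attachments per sender


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random 16-digit strings from real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def inspect_message(msg: dict) -> list:
    """Return the list of findings for one message leaving the company."""
    findings = []
    external = [r for r in msg["to"] if domain(r) != COMPANY_DOMAIN]
    if not external:
        return findings                             # purely internal mail: no DLP rules apply
    # Rule 1: attachment addressed to a personal webmail account.
    if msg["attachments"] and any(domain(r) in PERSONAL_WEBMAIL for r in external):
        findings.append("attachment-to-personal-webmail")
    # Rule 2 and 3 look at the body *and* the extracted attachment text.
    text = msg["body"] + " " + " ".join(msg["attachments_text"])
    if MARKER_RE.search(text):
        findings.append("classification-marker")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("luhn-valid-card-number")
            break
    return findings


def triage(messages: list) -> dict:
    """Per-message findings plus senders pushing many attachments outside."""
    report = {}
    external_attachments = Counter()
    for msg in messages:
        if msg["attachments"] and any(domain(r) != COMPANY_DOMAIN for r in msg["to"]):
            external_attachments[msg["from"]] += len(msg["attachments"])
        findings = inspect_message(msg)
        if findings:
            report[msg["id"]] = findings
    # A legitimate account that suddenly mails many files out is the
    # "take over a staff account" case: flag the sender, not one message.
    bulk = sorted(s for s, n in external_attachments.items()
                  if n >= BULK_ATTACHMENT_THRESHOLD)
    return {"messages": report, "bulk_senders": bulk}


# Constructed sample batch (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alice@example.com", "to": ["bob@example.com"],
     "body": "CONFIDENTIAL draft attached", "attachments": ["q3.xlsx"],
     "attachments_text": []},
    {"id": "m2", "from": "alice@example.com", "to": ["alice.home@gmail.com"],
     "body": "for the weekend", "attachments": ["q3-forecast.xlsx"],
     "attachments_text": ["CONFIDENTIAL forecast"]},
    {"id": "m3", "from": "carol@example.com", "to": ["partner@supplier.net"],
     "body": "Card on file: 4111 1111 1111 1111", "attachments": [],
     "attachments_text": []},
    {"id": "m4", "from": "dave@example.com", "to": ["partner@supplier.net"],
     "body": "ticket ref 1234 5678 9012 3456", "attachments": [],
     "attachments_text": []},
    {"id": "m5", "from": "dave@example.com", "to": ["drop@freemail.invalid"],
     "body": "", "attachments": ["a.zip", "b.zip", "c.zip"],
     "attachments_text": []},
]

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGES))
```

Message m1 is internal and untouched; m2 trips both the personal-webmail and classification rules because the attachment text, not just the body, is inspected; m3 carries a Luhn-valid card number while m4's look-alike string fails the checksum; and m5 raises nothing on its own but makes dave@example.com a bulk sender, which is the signal that matters when a legitimate account has been taken over.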
How should it be done?
If the logical conclusion is that information monitoring is an important part of data loss prevention, the logical question is: how?
The first thing to realise is that this is not just an IT problem. It affects the whole business and requires a whole business approach. While the role of CISO is increasingly absorbing the role of compliance, in many companies ‘information security’ still comes under a CISO attached to the IT department, while ‘compliance’ comes under a risk manager attached to the Risk department.
An amalgamation is important since compliance is often seen as little more than a tick-box requirement, while information security needs a more holistic approach. Compliance alone does not deliver the security that compliance seeks.
This is further complicated by the need to involve the legal department in both the staff contracts and the legal compliance issues, and the HR department to ensure the policy is workable and delivered. Finally, it is worth noting that some CISOs are now involving the company marketing department to develop a strategy that will help ‘sell’ the policy to the staff.
Such a multi-departmental approach in the delivery of a staff monitoring business plan is more likely to attract Board attention, and more likely to gain the support necessary for implementation.
With Board approval, it then becomes a question of how to implement information monitoring. In anything but the tiniest of one-man-and-his-dog companies, this cannot be done manually: there is simply far too much traffic to monitor. That means an automated system must be brought in; but since this is effectively a bolt-on product, it must be chosen with care so that it can be integrated seamlessly, efficiently, and unobtrusively into your existing infrastructure.
It must also be scalable for when you grow, and part of a holistic view of your data security. It must be ready to take its place in the wider context of big data analytics so that the CISO is able to spot threats in real time rather than after the event, and to remediate those threats before they cause damage. It is a fundamental part of intelligence-led security.