Rethinking Security and Privacy in the Era of Empowered Digital Users
In 2007, Steve Jobs unveiled the iPhone, ushering in a new wave of high-end smartphones and native “apps”. Within a year, Google followed suit with the introduction of the Android operating system, an open OS powering a consortium of handset manufacturers. It was also the year that Intel, one of the largest employers at the time, relented to pressures from its employee base to allow personal devices in the workspace, coining the term ‘BYOD’ and establishing the first policies surrounding personal device usage in the workplace.
BYOD, Bring Your Own Device, was initially heralded as a way for enterprises to make their employees more satisfied with their work environment by letting them choose devices with which to work, while simultaneously reaping the short-term CAPEX benefits of reduced device procurement costs. Every BYOD policy could be refined down to a few common steps:
1. Evaluate the impact of personal devices for regulatory compliance
2. Align your BYOD and business goals
3. Define your BYOD policy, including data and services protection, employee compensation, and technical support
4. Educate your employees on the proper use of personal devices in corporate environments
5. Deploy appropriate resources and services to support your policy
6. Monitor and refine the policy and process to ensure a balance between productivity and risk exposure
Unfortunately, following those steps has caused endless amounts of pain and suffering for many organizations throughout the world as consumer technology innovation continues to outpace the speed of change within enterprises.
BYOD has always been a balancing act between delivering a “consumer-like” user experience to employees and mitigating the risk of exposure to security breaches through those same devices. When an organization gets this balance wrong, it suffers from, at best, low adoption of its mobile apps, and at worst, a security incident resulting in the exposure of sensitive corporate or customer data. Meanwhile, employees continue to be a significant source of security incidents, representing 25 percent of all data breaches in 2014. The end result has been an ever-increasing investment in procedures, tools and people to make these BYOD policies work for both the employees and IT.
In the four short years since BYOD’s introduction, the hi-tech industry has increased its pace of delivering new products and technologies to the consumer market, demolishing the already-blurred lines between consumerism and enterprise mobility. The advent of cloud computing, crowd funding and open-source hardware has empowered researchers and entrepreneurs to push the envelope of innovation with new concepts, designs and devices, increasing the number of devices per user by a factor of 5-10x by 2020.
The rise of these new devices, under the collective moniker of the “Internet of Things”, or IoT, presents increasing challenges to IT. Each new IoT device represents a new spigot of data that needs to be controlled, monitored and protected. And it’s no longer simply about protecting corporate and customer-sensitive data as it traverses employee personal devices; it is now as much about protecting personal employee information as it flows out from these devices and across corporate infrastructure.
This added problem of employee personal data privacy, and the rights of employees to dictate the lifecycle of data ownership, places a significant burden on already over-extended BYOD policies. As employees bring new devices into the workplace, full of personal information like financial or health data, enterprises must employ the appropriate controls to ensure that employees are fully empowered to manage the data being generated from sources such as wearables, proximity and environmental sensors, remote monitors and vehicle logistics.
Beyond device and data management, IoT has given rise to personal data protection services and jurisdictional regulations throughout the world that limit the scope of global BYOD policies and force continuous modifications and exemptions. Extreme data privacy regulations being enacted in countries like Germany and Brazil stretch the capability of IT systems to support “forget me” laws.
The fact of the matter is that many corporate security policies have not kept pace with these new sets of challenges, and instead have remained relatively rigid in their implementation since the early days of device and application management. These policies have more often than not been constructed on the basis of restriction and least privilege, excluding the employee rather than embracing their participation. But Information Security is an imperfect science that centers around risk mitigation more than absolute security, and one of the most cost-effective methods of mitigation is an empowered employee who is more aware and more vigilant in the daily battle to keep data safe from bad actors.
It’s time that we as an industry start to think about security and data privacy through a more user-centered lens, co-opting the employee as part of the solution, rather than the problem.
This starts with some key steps:
1. Build trust in your employees to do the right thing with respect to security and privacy, and trust from your employees that they will be a part of the stewardship of their own personal data inside the firewalls of the corporate environment. In exchange for this trust, you must deliver a great user experience that spans touch points and delivers real benefit to employees in conducting their everyday activities, wherever they need it.
2. Design policies with more input from employees, and with more flexibility baked in for the ever-changing landscape of IoT devices and services and jurisdictional demands.
3. Incorporate new tools into enterprise security strategies, including tools that give control to employees to manage how, where and when their personal data is used, stored and destroyed.
4. Incorporate “situational privacy” models that adapt data sharing requirements for employees to their specific situation or need. For instance, there may be certain situations where knowing an employee’s location is critical for safety or productivity reasons, but in other cases, it provides little to no utility while being highly invasive. The first case involving this type of situational privacy invasion has already started in a CA courtroom.
5. Adopt low-friction identity management and access control solutions, such as multi-factor biometric authentication (like Apple Touch ID), lowering the user experience barriers to higher levels of security.
6. Apply new training techniques that give the employee base practical methods and knowledge to be that first line of defense in the protection of not only their own identities and data, but that of the corporation.
With these strategies in place, your IT teams will no longer have to fight the security and privacy battle on their own. Instead, you will have an army of empowered employees as part of your extended security team.