People want to know that companies look after their data responsibly, but the root concern for people is protecting identity. To put it simply, people don’t want their personally identifiable information (PII) to be exposed. This goes for the companies we buy goods and services from as well as the ones that employ us.
Some of the most successful modern tech companies have built their entire business models around the collection of data, going to the nth degree gathering information and building profiles on users so they can profiteer from advertising.
In 2018, 98% of Facebook’s total revenue stemmed from advertising, and 85% of Google’s, giving us an understanding of how important data is to these companies.
We provide stacks of information about ourselves, both implicitly and explicitly, in exchange for discounted or free services. This has been under the assumption that our data, and subsequently our identity, would be properly protected.
The recent slew of data breaches has caused public faith in data privacy practices to dwindle — to the point where the demand for privacy-related products and services has surged.
At Wandera, we’ve observed a 95% increase in privacy-related app installations across Wandera-managed devices over the past 6 months:
Companies have the means to collect substantial amounts of information on their employees, perhaps more so than they can on consumers. CVs, background checks, social media audits, HR and employee benefit data, emails, browsing history — the list of data points is extensive. And so, the principle of data minimization needs to be applied.
According to the UK Information Commissioner’s Office, under the data minimization principle:
“personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
“Identity and access management is an important part of securing corporate assets. When granting access we can reduce the risk by accurately establishing identity and leveraging relevant contextual factors. In doing so, we need to ensure that any personal information we utilize is either minimized or used in a privacy enhancing manner, thus protecting the privacy of the user.”
– Paul Simmonds, CEO at the Global Identity Foundation
It’s widely recognized that password-based authentication is not enough to protect companies, nor is it a good enough method of authorizing access. Login credentials simply mean someone has access to those credentials — they do not confirm a person’s identity.
Companies need to use Multi-Factor Authentication (MFA) to accurately determine who is requesting access. MFA can be deployed in a variety of ways, but anything requesting PII should be avoided. Data minimization needs to be considered throughout the entire cybersecurity process.
Require no more personal information than necessary
Ensure that all collected personal information is encrypted
Use opaque identifiers in place of personal information to hide identity
Tracking employee behavior with productivity gains in mind is by no means a new practice. Henry Ford did this to great effect, but the level of detail granted by modern technology is worrisome to many. Companies are so focused on the optimization of everything that privacy is often sidelined.
There have been multiple incidents in recent years that have possibly impinged on employee privacy, including:
In cybersecurity, monitoring network activity is undeniably important. Companies need to understand who is accessing corporate resources and from what devices, as well as determine ‘normal’ parameters so that anything unusual can be detected and flagged for greater inspection.
But employees inevitably have concerns around too much visibility. In Company Owned, Business Only (COBO) device ownership environments, there is an understanding that these devices are for business use only and come with all the necessary corporate applications and configurations.
However, in Company Owned, Personally Enabled (COPE) and Bring Your Own Device (BYOD) environments, what behaviors are okay for businesses to monitor?
Again, the principle of data minimization needs to be applied in the collection of behavioral data, limiting it to only what is needed for the intended purpose. This can mean:
User activity also needs to be decoupled from identity within the system. This can be achieved by ensuring that identity information is stored separately from activity information.
Businesses need to think about how the personal information they hold can be further fragmented and anonymized. Can the payroll system operate with anonymous IDs? Does an employee’s home address and emergency contact information need to be stored in the same database as their contract and employment information? Separating the data reduces the possibility of misuse, malicious or otherwise, and ensures that any unfortunate data breach does not compromise the identity of the user.
Collect data based on role and function per employee
Decentralize data, start by divorcing identity and activity information
Aggregate statistics so that personal information is protected
With the intention of increasing productivity or, in some cases, complying with industry regulations, companies typically collect data to understand their employees.
The use of data to make decisions is commonplace, and this is no different in cybersecurity. Reporting and analysis are part of every technology suite and having more data increases visibility, enabling security professionals to better protect their organization. But end-user privacy and security don’t have to be mutually exclusive, and trade-offs don’t need to be made.
In a pure on-premise world, the privacy-security debate was less of an issue. But as work styles have changed and employees are increasingly using personal devices for work, privacy-security concerns have arisen. While threats to security have evolved significantly, control over assets has diminished.
57% of enterprise data usage is mobile. Many of your personal habits can easily be gauged if your employer (or anyone else) has access to your location, private browsing habits and apps installed.
“Your employer controls your livelihood and if they say ‘give me this data,’ it’s very hard to say no.”
– Ben Waber, Massachusetts Institute of Technology
The previously discussed principles of ‘who, what and when’ with regards to accessing personal data provide clarity. But to maintain privacy, a ‘need-to-know’ principle for reporting must be established:
The application of anonymization or pseudonymization can conceal the identity of an end user, but behavioral data should be viewed in aggregate form so that patterns can be understood by the business — without being linked to specific employees. However, the best policy for personal data is to delete it if it’s no longer in use.
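An added example (not from the Wandera report) of the separation described in this section and in the earlier point on decoupling activity from identity: an identity vault holds the PII and the only key that can derive an opaque identifier, the activity store holds nothing but that identifier, reporting is aggregated with small groups suppressed, and re-identification is gated behind a named role. The class names, the role name and the sample employees and events are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class IdentityVault:
    """The only component that stores PII and the pseudonymisation key."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves this component
        self._people = {}                    # pseudonym -> PII record

    def enrol(self, email, name, role):
        # Keyed hash: the same person always maps to the same opaque id, but a
        # leaked activity log cannot be reversed without the vault's key.
        pseud = hmac.new(self._key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]
        self._people[pseud] = {"name": name, "email": email, "role": role}
        return pseud

    def resolve(self, pseud, requester_role):
        # Need-to-know: only an explicitly authorised role may re-identify.
        if requester_role != "incident-responder":   # assumed role name
            raise PermissionError("re-identification not permitted for this role")
        return self._people[pseud]


class ActivityStore:
    """Sees only the opaque identifier plus the business-relevant fields."""

    def __init__(self):
        self.events = []

    def record(self, pseud, device, category):
        self.events.append({"who": pseud, "device": device, "category": category})

    def aggregate(self, min_group=3):
        # Per-category counts; groups smaller than min_group are suppressed so
        # a report cannot single out one or two employees.
        counts = Counter(e["category"] for e in self.events)
        return {c: n for c, n in counts.items() if n >= min_group}


def demo():
    """Constructed sample data: three employees, four app-usage events."""
    vault, store = IdentityVault(), ActivityStore()
    alice = vault.enrol("alice@example.com", "Alice", "engineer")
    bob = vault.enrol("bob@example.com", "Bob", "finance")
    carol = vault.enrol("carol@example.com", "Carol", "engineer")
    for who, dev, cat in [(alice, "laptop", "productivity"), (bob, "phone", "productivity"),
                          (carol, "phone", "productivity"), (bob, "phone", "gambling")]:
        store.record(who, dev, cat)
    return vault, store, alice
```

Running `demo()` and then `store.aggregate()` yields only the productivity count; the single gambling event is suppressed, and the pseudonym in the log resolves to a person only through the vault.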
It seems simple, but in practice there are many opportunities for information to be accessed inappropriately. In March 2019, Facebook announced that thousands of its employees had access to data containing hundreds of millions of users’ unencrypted passwords.
It’s not only employees that might have access to personal data held by a business. The use of artificial intelligence also needs to be considered. There are concerns that AI trained using personal information and past decisions may reinforce discrimination, affecting the hiring, promotion, and firing processes.
Only track data that is needed to complete business objectives
Hold personal information for no longer than necessary
Govern access using clear user roles and permissions
Companies shouldn’t collect user data without consent. People need to know why companies want their personal data, how they’ll use it, and the methods of collecting it. Being transparent about data collection is incredibly important when it comes to privacy. Without transparency, it’s difficult for individuals to trust companies, especially given recent privacy breaches.
Consider app permissions on mobile devices. Do we know why certain apps need access to particular features and information on our devices? For the large part, no. The table below shows the percentage of iOS apps that have access to personal information. Do you know which of the apps you have installed can access this information? Or why?
| Permission | Percentage of apps |
| --- | --- |
| Location Always | 25% |
| Microphone | 23% |
| Contacts | 16% |
| Health Share | 3% |
| Health Update | 3% |
Regulators have taken an active role in ensuring that individuals have the information they need to make decisions regarding their privacy. However, the devil is in the detail, and regulations often use vague language that leaves some elements unclear:
The problem with the lack of clarity in regulations is that the majority of people don’t fully know what their rights are. In a GDPR questionnaire, many respondents misunderstood concepts such as the right to erasure, but this shouldn’t allow organizations to abuse the legal gray space. Overall, there is a severe lack of transparency around how data is collected, stored, processed and used.
The key principle here is transparency. A business should clearly articulate the details of its data collection and usage for its employees in some form, such as in its company policy handbook. A checklist of relevant considerations for an employee’s personal information across that information’s life cycle is given at the end of this report. In addition to articulating the policies, organizations should ensure that there is adequate training and communication of those policies during onboarding of new employees. And if there are any changes to how the data is being handled, they should be clearly communicated to employees.
In the UK, employees have the right to know what information their employers hold on them, and businesses may not hold that information for longer than necessary. However, a Harvard Business Review survey found that 58% of people trust strangers more than they trust their own boss. With a quarter of workers in the UK having quit jobs because of distrust, there are tangible benefits to providing clarity about how employee data is managed.
Providing a comprehensible and transparent policy to employees will ensure that your business is compliant with regulations and help build trust.
Let employees know what information is being recorded prior to or at the time of collection
Be clear on why you are storing personal data and how long you will hold it
Inform users if there are any changes to how their data is being used