Balancing Privacy and Responsibility with Monitoring and Security

I’m going to start this article off by making an obvious literary reference, quoting George Orwell from 1984:

“Big Brother is watching you.”

It’s sadly a common joke, especially at companies with robust monitoring practices, that “Big Brother” can see what you’re doing at your computer at any given time. While the technology certainly exists to watch endpoint and network activity, it’s a damaging, pejorative way to look at a necessary aspect of our very digital, very connected world.

This topic was recently covered by a former member of our team, Mike McBride, on his blog, specifically after seeing demonstrations of Nuix Adaptive Security at the Nuix User Exchange in September. Mike raises a lot of valid questions, which I had the chance to explore with him and our own Hoke Smith in a podcast conversation.

QUIS CUSTODIET IPSOS CUSTODES?

This famous Latin phrase translates to “Who will guard the guards?” and is the crux of the issue in Mike’s article (he even references a variation of the phrase). What safeguards do companies using robust monitoring tools have in place to ensure that they are used properly and only when necessary?

It’s an incredibly valid question. To begin, I don’t think enough employees know, or are willing to ask, questions about their company’s monitoring practices. Much of the fear and uncertainty about the network or endpoint monitoring could be laid to rest by simply, succinctly publishing some basic information to an easily accessible location on the company’s intranet, for example. That should be accompanied by a dedicated address for employees to ask questions or raise concerns.

One of my coworkers worked for a large corporation for several years. Prior to joining the company’s security team, he said he had no idea where to find any of the company’s IT or cybersecurity policies. Upon joining the team, he was shocked to learn that there were numerous policies, well-documented and updated regularly, published in an obscure, hard-to-find location.

Who benefits by hiding the company’s policies and procedures? Not the employee, who is left in the dark. And not the company, which ends up relying upon uninformed or, worse yet, misinformed employees to protect its critical value data.

A STARK REALITY—THERE ISN’T TIME

I’m writing all of this under two assumptions. The first is that we’re talking about companies using tools like Nuix Adaptive Security to detect and act upon suspicious or threatening activity. The second is that those companies have documented policies and procedures of some sort in place to govern the use of these tools.

Allow me to step outside of those boundaries for a moment and address a pragmatic point. Security teams simply don’t have the time to monitor and review everything. With our deployments of Nuix Adaptive Security, the monitoring rules are always set to focus on the customer’s biggest areas of concern, letting their security teams handle and investigate the most critical threats to the organization.

I am not saying, by any stretch of the imagination, that our software or any other endpoint detection solution could not be used improperly. However, that is true of any tool or technology. Remember, a hammer can be used to build a house … or hit someone in the head.

I take comfort in part that security teams don’t have the time to go around “smashing heads” with their tools. They’ve got too many “houses to build” to do anything else, and it’s my experience that those teams are under the highest scrutiny and oversight.

GREATER AND GREATER LEGISLATION

Finally, we see a continuing trend in privacy regulations worldwide that emphasize personal privacy. Most recently, it’s the California Consumer Privacy Act (CCPA). Prior to that, it was the much-publicized EU General Data Protection Regulation (GDPR).

These are regulations with consequences for failure to comply. Their presence, and the likely development of more widespread privacy regulations, make it increasingly important for companies to enforce strict rules about what data is collected, how it’s used, and who has access to it. Considering the eternal balance between security and privacy, it certainly swings the scales a bit and makes security more difficult, but not impossible.

Future regulations and court decisions are very likely to have an effect here, but it just provides another layer of assurance to anyone who is concerned with how their company monitors their activity and private information.

PRIVACY AND SECURITY BEGIN AND END WITH YOU

Every company has some sort of acceptable use policy and disclaimer that your activity may be monitored. Be familiar with these details and limit what you do while you’re at work. If you’re concerned with someone getting access to private details about your life, act accordingly and use your personal devices and network instead. Security teams have a huge challenge protecting the data and infrastructure of their company. Remember this, ask questions, and use your work-provided technology with care. You’ll help yourself and your organization in the process.