How can we mitigate human risk in a post-GDPR world?
7 June 2018
TEISS guest blogger Nico Fischbach, CTO at Forcepoint, discusses why human behaviour is the biggest threat to workplace security, how workplace monitoring programmes can help mitigate these threats and the challenges of implementing these programmes in a post GDPR enterprise.
With the cost of a cyberattack significant, prevention is far more appealing than cure. To stop such incidents from happening, many businesses have now accepted that they need to address what is at the same time their most important asset and biggest source of risk in their workplace: their people.
Billions have been and continue to be spent on cybersecurity technology designed to identify the latest threats and mitigate them as they emerge, but such technology will be inconsequential if it cannot help security teams account for the unpredictability of human behaviour.
Whether intentional or accidental, employee’s interactions with corporate data and credentials is the biggest threat to a company’s security, with 55% of all cyber-attacks found to be carried out by ‘malicious’ or ‘accidental’ insiders. To ensure protection against such substantial threats, combining the right cybersecurity technologies with a human-centric approach to workplace security is crucial.
Also of interest: Editor’s blog: Why agile learning matters in cyber security
A human-centric approach
Such an approach prioritises understanding and examining human intent within the workplace as employees interact with data such as business plans, customer records or intellectual property, and ensures that activity that seems unusual can be flagged and dealt with in real time.
This enables businesses to investigate suspicious activity across the whole IT environment whether access to cloud-based apps, connections from unknown devices or attempts to visit websites hosting malicious code, preventing potentially risky incidents from ever taking place.
However, such monitoring must be justified and not only take into account the laws and regulations which apply but also focus on employee communication. This means approaches to workplace monitoring vary widely depending on factors including the size of the company, type of industry, geographical location, workplace infrastructure and working culture.
Also of interest: Keil Hubert on language and security awareness
A careful balancing act
Now that GDPR is in force, businesses now face the unenviable task of trying to balance protection of key assets against the heavily increased privacy and legal rights of their own employees. The issues associated with this are obvious.
When monitoring workforce activity to keep threats at bay, businesses may also inadvertently capture and process information in ways that may infringe laws governing privacy and data protection, communications secrecy, or employment. This makes workplace monitoring a particularly tricky project, and the goalposts have now moved significantly.
Organisations working internationally have even more issues to consider as they try to maintain this careful balancing act whilst also having to deal with the different laws of each country in which they operate. This could require multiple policies depending on location.
The post-GDPR landscape
So how is it done? How can organisations operating in our post-GDPR landscape protect themselves from insider threats, while successfully making workplace monitoring work for their business and onboard their employees?
Some answers to these question can be found in the report which legal firm Hogan Lovells recently produced in partnership with Forcepoint, detailing the necessary legal considerations and practical steps businesses should take when revamping or creating workplace monitoring programs as part of their cyber defence strategy.
At Forcepoint, we believe that the key to success with workforce monitoring in the workplace will be total transparency. Legal compliance aside, employees must be both aware that workplace monitoring is taking place and understand the reasons behind its implementation.
As these programs affect them directly, being open and clear with employees from the outset about what has been or will be implemented can make the difference between success and failure. To put it simply, without staff trust, you risk rejection and as such HR plays a key role in such programs.
Employees also need to understand that although workplace monitoring may sound ominous, it can be a real force for good. After all, if the monitoring of user behaviour happens to stop an insider from sharing private information or putting an employee at risk, it might just be the hero when it comes to GDPR compliance, rather than the perceived villain. These learnings can also extend outside of work by increasing the overall security and privacy awareness of people.
For more info, go to Forcepoint