Organizations monitor their computer networks for many reasons — from gaining insight into availability, performance, and failures, to identifying potential cybersecurity vulnerabilities and exploits. In the process, they often collect more data than is actually necessary on employees, customers, prospects, vendors, and more. The prevailing attitude is that since the data exists, is readily available, and relatively cheap to store, why not collect it? But given the vast capabilities of today’s technology, along with how it permeates every aspect of our lives, there is a risk of purposefully or inadvertently collecting unnecessary and private data.
More Data Means More Risk
This issue will only increase as surveillance technologies continue to improve and are capable of gathering broader insights and unique personal characteristics. Currently, companies collect a lot of direct data on individuals and use third-party enrichment to add more complete details, some of which are more intrusive than necessary. As layers of disparate data are captured, it is likely that insights will increasingly transcend privacy boundaries and create danger.
All data obtained during surveillance — including financial information, communications, intellectual property, personnel files, contracts, and other confidential materials — has the potential to enter the public domain, either through hacking or human error. A recent warning is a Department of Defense server misconfiguration that exposed email messages and sensitive personal details of federal employees. Although this information is required for military security clearances, many companies collect similar data without a legitimate need, creating an unnecessary threat of exposure.
Hackers regularly exploit personal data to unlock authentication information that allows them to monetize their cybercrimes, which have become easier and more profitable thanks to cryptocurrencies. There are also nation-state actors, corporate espionage, and even politically motivated organizations that seek to acquire intellectual property to improve their position. It doesn’t have to be a proprietary company secret. They may be looking for a process, application, engineering diagram, or even a simple text message.
When Tracking Feels Like Tracking
Another concern with excessive data collection is the impact on employees. When companies and vendors gain insights that are unnecessary to the core monitoring mission, it can alarm employees. This is especially true as the boundaries between work and home merge, making personal devices more useful for collecting company data.
Additionally, if the data collected is not traceable to a specific purpose, employees may mistake legitimate network and security monitoring for tracking, especially since employee monitoring tools became more widely used with the beginning of remote work. These tools have a different purpose than network and security monitoring tools, but that’s not always clear to workers.
When it comes to network and security monitoring, there is a strong case to be made for collecting and analyzing data at a discrete micro level. But when viewed on a macro level, where more personal and unnecessary information is collected and connected to other data sources, the case may lose its validity. This often happens when chief information officers (CIOs) and others get so caught up in keeping up with advanced technology capabilities that it clouds their good intentions and leads to dubious results. Here are some steps to help prevent data from getting the upper hand:
● As an organization, it is important to change how data is viewed. For many leaders, every data point is seen through a business mission lens and not from a privacy perspective. The key is to identify each data point being collected and determine whether it is a piece of primary information or enrichment information. In most cases, data collected strictly for enrichment purposes is more difficult to justify.
● Due to advances in data analysis, it is not just about analyzing the information being entered into the system. It’s about how the algorithms are trained, and what controls are in place to define what is confidential and how to keep it that way. Without those controls, the algorithm can use unnecessary data points, resulting in outputs that answer questions it wasn’t intended to ask.
● In addition to improving data consistency and quality, a data management team can be invaluable in helping to educate employees and others about what is and is not being tracked, and why. They can also develop and enforce company data policies and ensure compliance with standards and regulations to avoid crossing privacy lines.
● When it comes to vendors, there should be a clear directive that the data collected must be linked to the services provided. IT leaders must make these three demands of vendors:
—Provide a detailed account of all data collected, how it is collected, how often it is collected, and how it is used.
—Describe the access mechanism used to collect data and determine whether, and to what extent, it allows the collection of unnecessary data.
—Explain whether there are options to opt out of having specific data points collected and, if so, any implications that may result if taken.
A thorough examination of monitoring and data collection methods will likely reveal that most organizations are overreaching and putting the company, its employees, and its customers at risk. It’s time to accept that the chance of being hacked today is not so low anymore. This intensifies the need for companies to take the necessary steps to rethink their data collection and monitoring strategies, and put in place best practices to protect employee privacy and corporate integrity.