It is more important than ever to ensure that all employees are cognizant of privacy and security issues.
With employees increasingly working remotely and using non-sanctioned devices, it is vital to establish a zero trust framework. At the core of this framework is the “principle of least privilege,” whereby users are granted access to the fewest resources for the shortest amount of time necessary to complete a task. Until shown otherwise, IT personnel should assume that every access request has been compromised. Additionally, IT personnel should authenticate users based on their identity, location, and device health, while also looking out for any uncharacteristic, anomalous behavior.
All employees should embrace a zero trust mindset
In addition to a zero trust framework, all employees should have a zero trust mindset. Employees should be wary of emails from unknown sources; all strange phone calls should be treated as potential social engineering efforts, and any shadow IT—devices, software, applications, and services not officially sanctioned by IT personnel—should be reported to IT personnel. This zero trust mindset applies to all employees in an organization, including those in the upper echelons of the org chart. After all, C-level employees and other privileged users are often the most valuable targets for bad actors.
Many high-profile attacks are the result of privilege abuse, often due to bad actors gaining access to users’ privileges. It’s particularly important to instill a zero trust mindset in these privileged users. If a privileged user has directly or indirectly facilitated breaches in the past, IT personnel should consider privileged session recordings. By overseeing privileged users’ activities on databases, remote servers, and other critical systems, one can support audits and instantly terminate a user session that looks suspicious. All that said, the key to global data privacy and security has less to do with monitoring employees’ activities and more to do with building a zero trust mindset in all employees.
Assign data privacy scores to hold employees accountable
When it comes to instilling a zero trust mindset in every employee, there are certain tried-and-true methods. At least initially, it does come down to education. Most companies hold mandatory courses about privacy and security, followed by quizzes, often with questions based on real-world incidents that have happened inside and outside of the company. However, this is the bare minimum.
At ManageEngine, we use “data privacy scores” to hold employees accountable. After holding training courses and periodic quizzes, every team is given a data privacy score, which is posted on an internal forum. These data privacy scores are not so different from the public posting of students’ scores in law school. However, given that these data privacy scores are awarded at the team level, no single employee is singled out. We’ve found that these scores have helped to hold employees accountable.
Although we may have courses and quiz questions related to GDPR or CPRA, we encourage our employees to think more about underlying principles, as opposed to laws.
Focus on principles, rather than laws
New laws are always coming down the pike. By focusing on the principles behind these laws, employees will generally be prepared when the laws do arrive. For example, we stress the principle of data minimization. Across the board, employees should only collect customer data that is necessary, and that data should only be kept for the minimum amount of time necessary. Another example, which pertains primarily to designers and developers in the organization, is the principle of privacy by design. Employees should think proactively about the privacy and security repercussions their products may have in the future.
Embed contextual hooks in software tools
Placing contextual hooks in applications has proven to be quite an effective way to remind employees about privacy and security issues. For example, if a ManageEngine employee posts another employee’s name, email, or phone number in an internal communications channel, a chatbot pops up with a message stating, “Sharing personal information is not a good practice.” If necessary, this chatbot could be programmed to block the data sharing entirely. Nevertheless, this contextual learning teaches employees about privacy and security in real time, in a real work environment, which allows them to gain a strong grasp of these issues over time.
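As an added illustration (not ManageEngine’s own chatbot code), here is one way such a hook could be implemented in Python: a pre-post filter that flags e-mail addresses, phone numbers, and directory names in a chat message and either warns or blocks, depending on policy. The employee directory, regular expressions, and sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample directory of employee names (hypothetical stand-in for an HR lookup).
EMPLOYEE_DIRECTORY = {"Priya Raman", "Tom Becker"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Loose phone pattern: optional country code, then 10 digits with common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)

WARNING = "Sharing personal information is not a good practice."


@dataclass
class HookResult:
    action: str                                   # "allow", "warn" or "block"
    findings: list = field(default_factory=list)  # (category, matched text) pairs
    notice: str = ""                              # text the chatbot shows the poster


def find_personal_info(text: str) -> list:
    """Return every (category, value) hit for e-mail, phone and directory names."""
    findings = [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    findings += [("phone", m.group()) for m in PHONE_RE.finditer(text)]
    findings += [("name", n) for n in EMPLOYEE_DIRECTORY if n in text]
    return findings


def contextual_hook(message: str, mode: str = "warn") -> HookResult:
    """Evaluate one chat message before it is posted.

    mode="warn"  -> post the message but show the reminder (the default described above)
    mode="block" -> withhold the message entirely (the stricter option mentioned above)
    """
    findings = find_personal_info(message)
    if not findings:
        return HookResult("allow")
    categories = sorted({c for c, _ in findings})
    notice = f"{WARNING} (detected: {', '.join(categories)})"
    return HookResult("block" if mode == "block" else "warn", findings, notice)


if __name__ == "__main__":
    # Constructed sample messages; the people and contact details are fictitious.
    for msg in ["Ping Priya Raman at priya.raman@example.com or +1 555-867-5309.",
                "The build is green, merging now."]:
        result = contextual_hook(msg)
        print(f"{result.action:5} | {msg}" + (f"\n        {result.notice}" if result.notice else ""))
```

Pattern matching of this kind will both miss some personal data and flag some harmless text, which is why warn mode is the sensible default for an awareness hook; a block mode needs a way for the poster to appeal or for IT to review. The hook also needs its patterns and directory refreshed over time, for the same reason the article gives for keeping contextual hooks up to date.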
Also, it is important to stress that security and privacy awareness is ongoing. Much like the team-level data privacy scores, contextual hooks within applications need to be frequently updated.
Conclusion
Even companies that hold a lot of mandatory info-sec education sessions fall victim to preventable cyberattacks. Education alone isn’t enough. Not only do we encourage our employees to embrace a zero trust mindset, but we periodically assign teams data privacy scores and place contextual hooks within software tools. It is vital that all employees make data privacy and security a priority in their lives—in and outside of the 9-5 workday. Thankfully, by using the strategies above, we’ve found that data privacy and security concerns eventually become second nature.