[June 4, 2020]

Don’t use COVID-19 as a motivation to cross the privacy line

As the COVID-19 pandemic is forcing millions to work remotely and companies are considering permanent work-from-home policies, there is a clear need to secure both employees and company assets. However, as is typically the case when enterprises deploy monitoring tools, these tools are invasive and many employees rightfully feel that they violate their personal privacy. More recently, things have gotten even worse and we're seeing extreme measures being deployed.

My perspective as a CISO is that best practices need to be established, since most people agree that such monitoring will persist even post COVID-19. I will review where the current tension between privacy versus business security monitoring is today and how I think we can improve. 

There are numerous reports of increased adoption by enterprises offering software that, under the pretext of keeping enterprise data safe, spies on every single aspect of the employee’s private life. The most extreme types of monitoring software, like TimeDoctor,  records videos of employees' screens while they work, gathers a trail of their GPS coordinates, and takes pictures from their webcams every few minutes. Such tools are indiscriminate with when and what they spy on.

For CISOs, there is rarely a strong business justification to deploy such “extended keyloggers” on employee computers. Not only do they pose a giant breach of privacy, put a lot of pressure on employees, and breach the trust between employee and employer, but worse, they place vast amounts of information into the hands of the business that can be misused by both the business and hackers. 

If your organization is considering deploying such a tool ... please don't.  Instead, prioritize the businesses needs, security, productivity, training and weigh those against privacy. Review the features of monitoring platforms carefully.  Ensure that whatever you deploy for remote monitoring does not have invasive capabilities in the first place, such as taking pictures of the employee in their home. Note that most employees are not working at home with their spouses and children by choice. And remember that even if such features are not enabled by default: they are a ticking time bomb that has potential to get exploited by attackers sooner or later.

Slightly more reasonable monitoring approaches

Let's put aside the privacy angle for a little while and just focus on the sheer amount of information recorded. These tools generate so much noise that they cannot scale by design. Who will look at all the information? And how to make sense out of all the user actions and determine if they are related to the private life of the employee or the company data? Worst case scenario: you need one FTE to watch the computer activity of another employee and then in due diligence do the same for the FTE doing the monitoring, so you need to hire yet another FTE, and so on. You can start to see where this recursive argument is going.

Of course, most CISOs will not go to such extremes and will pick solutions that monitor fewer actions or instead employ anomaly detection to identify risky employees and focus on the actions highlighted by the tool. The main issues with such tools (e.g., traditional UEBA) is that they still record all user activity. UEBA has a reputation for high volume of alerts and high false positives. Both are a burden on security teams. Whenever a UEBA tool has a false positive, somebody in the security team will likely stumble upon screenshots of employees browsing their personal social media.

The “manual” solution: give back control to the employee?

So what's the solution? Motivated or informed employees can take control and segment their private and work activities and associated tools. Unfortunately this is hard, inconvenient and expensive for most. Sure, security experts and hackers might use QubesOS, virtual machines, or a different device for personal and work stuff. However, that is expensive and inconvenient. Especially if you need multiple work computers, your desktop can end up looking like this:

Keyboard

(This is actually a part of my home desk, but I am a keyboard nutter and I often test new keyboards. Most people like to have at most one keyboard on their desk, let alone multiple laptops. In my case, my keyboards are all connected to the same laptop).

The solution

It's time to stop privacy-invasive monitoring and focus on what is important, which is to monitor only what employees are doing with sensitive company data. This is the maximum justifiable level of monitoring. Most employees have signed a PIIA that rightfully empowers the enterprise to do just that. Moreover, it is important to pick a tool with fewer or zero false positives. Privacy issues largely dissolve when monitoring only what happens to company data instead of recording all user activity.

There are only a handful of approaches that can be used to achieve to a various degrees this goal, and Cyberhaven is one of them. With Cyberhaven you can discover when remote employees put your data at risk without having to record user actions like traditional UEBA. All without any false positives. This is how customers like Motorola and DARPA are using Cyberhaven today. During the time of the COVID-19 pandemic, Cyberhaven is offering a Safety Net initiative with a 60 day free trial to provide peace of mind that all activity on your company's sensitive data is monitored in a privacy-conscious way.

Topics: Insider Threat