Employee Safety Is For Sale
In our “Predictions 2020: Cybersecurity” report, we projected that the anti-surveillance economy would grow by 15%. At the time, we didn’t know a story about location data would publish a few weeks after our prediction, but we knew that the conditions existed for something like this to occur. Surveillance is now an enterprise risk. Specifically, The New York Times piece shares how its reporters were able to obtain the location data of specific individuals from the data set. For security leaders, those individuals could represent an executive, shareholder, employee, or contractor for your firm.
Location Data Is Vital To Operational Security
Many companies use compartmentalized facilities and technology to isolate teams working on new mission-critical innovation. The projects have code names, special non-disclosure agreements, and strict third-party contracts to ensure that their secrets are kept safe. All of those precautions can be rendered useless, however, because of data brokers’ ability to provide competitive insights about your firm based on location data. For example, say a competitor identifies that your executives have meetings with several early-stage startups in a niche category — they could now identify which companies you might be targeting for acquisition based on where your employees are traveling to. Those competitors could determine that you are meeting with a supplier that makes a specific type of technology, which could clue them in that you are developing a new piece of hardware with specific functionality. Back in the film “Wall Street,” this Bud Fox character followed around various individuals; now, he’d just have to buy data. Data can tell you whether “Blue Horseshoe loves Anacott Steel.” The surveillance economy — the dark side of the data economy — should vault into your risk register in 2020.
IT And Security Are Clueless To Employees’ Apps
Anti-surveillance tools are usually first adopted by end users that are looking to make their jobs easier. For example, many users run pop-up blockers or add-ons that prevent scripts from running on web pages. However, many of these tools are not supported by IT or security despite them being run on corporate devices. The bottom-up approach will not work for enterprises in the surveillance economy. IT and security need to stay on top of this. Mobile devices are also creating issues because they share enriched data about location on top of browser histories, cookies, and IP addresses.
BYOD Is Not New, But New Problems Exist
The balance between allowing enterprise data on a mobile device, personal use, and personal ownership of that device is still a balancing act. But as more details on the amount of location data available and the degree to which that data can tie to specific individuals emerge, more complications are added to bring-your-own-device. CISOs need to protect non-corporate-owned devices. Physical security is also a concern, especially as location data intersects with geopolitics and especially when executives or employees with critical knowledge of company initiatives travel abroad to countries where kidnapping or other physical security threats could occur.
Protecting The Privacy Of Your Employees Helps You Secure The Enterprise
In 2020, Fatemeh Khatibloo, Heidi Shey, Claire O’Malley, and I will continue our anti-surveillance research into the tools, techniques, and procedures that security leaders must adopt in order to protect the privacy and security of their employees. In much the same way that companies now offer their employees identity protection as a benefit, or discounted subscriptions to enterprise productivity software, they will need to offer the same to help protect online anonymity and prevent technology-enabled surveillance on their employees. CISOs who do a good job on awareness, behavior, and culture will recognize that savvy users will not only appreciate this but come to expect it in the future. Those that do neither will open up their firms to data gathering by competitors and investors at best or attackers with malicious intent at worst.
If any security and privacy leaders want to participate in our research, let us know, and any vendors operating in the anti-surveillance economy space with enterprise offerings, please reach out!