Balancing Information Protection with Employee Productivity and Privacy
Should your business take a strict or a flexible approach to information protection?
A strict approach monitors and restricts employees' use of corporate assets from the outset, while a flexible approach aims to limit the impact on employee productivity and privacy while still protecting valuable corporate information. Each approach has trade-offs, so when deciding which will work best for your organization, consider the following questions:
- What is the productivity impact if employees can’t do their jobs effectively due to information access and sharing restrictions?
- If information is exfiltrated from the enterprise, either carelessly or maliciously, what is the business impact?
- What are the regulatory and compliance implications of monitoring employee activity on corporate assets?
Different approaches, different steps
In its information protection deployments, Proofpoint has seen enterprises take the following steps under each approach:
Strict approach:
- Start with the most aggressive prevention controls on all users
- Educate users on why strict controls are in place and when to ask for exceptions
- Grant exceptions through escalations to support business needs
Flexible approach:
- Start with monitoring policies to understand potentially risky behavior
- Educate users on best practices when sharing company information
- Establish prevention controls based on observed risky behavior
Employee privacy: a shared concern
Respect for employee privacy is a shared concern in both approaches to information protection, and it’s addressed according to local regulations and compliance needs.
For example, screenshots of employee activity are typically captured only when sensitive company data is at risk or an employee is misusing corporate assets, and capture is almost always avoided where there is a risk of recording an employee's personal information.
Flexible Policy Management
- Security administrators can configure data loss prevention (DLP) policies so that only activities related to sensitive data movement are captured and enhanced with user/application/web context.
- In cases that require monitoring of risky behavior, insider threat management (ITM) policies can be deployed to collect additional context around full user/application/web activities for forensic investigations.
- Optionally, if strict prevention needs to be employed, prevention and remediation controls can be configured to stop data loss.
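The following is an added example, not Proofpoint's code, that models the policy behaviour described in the two sections above: a DLP rule that records only sensitive data movement and enriches it with user/application/web context, an ITM watch-list that collects full activity for users under investigation, a screenshot rule that yields to personal-data risk, and a mode switch between the flexible approach's monitor-first phase and the strict approach's prevention controls. The classification labels, channel names and event fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed, illustrative rule engine. Labels, channel names and event
# fields are assumptions for this example, not a real product's schema.
SENSITIVE_LABELS = {"Confidential", "Restricted"}
EXFIL_CHANNELS = {"usb", "personal_cloud", "webmail", "print"}


@dataclass(frozen=True)
class Activity:
    user: str
    app: str
    action: str                  # e.g. "copy", "upload", "browse"
    destination: str             # where the data went: "usb", "corp_share", "web"
    label: Optional[str] = None  # classification label, None if unlabelled
    web_host: Optional[str] = None
    personal_data_on_screen: bool = False  # e.g. personal webmail or banking open


@dataclass
class Decision:
    captured: bool               # was any record of this activity kept?
    blocked: bool = False        # a prevention control fired
    screenshot: bool = False     # a screen capture was taken
    context: dict = field(default_factory=dict)
    reason: str = ""


def is_sensitive_movement(a: Activity) -> bool:
    """DLP trigger: labelled-sensitive data leaving via an exfiltration channel."""
    return a.label in SENSITIVE_LABELS and a.destination in EXFIL_CHANNELS


def evaluate(a: Activity, mode: str = "monitor",
             itm_watchlist: FrozenSet[str] = frozenset()) -> Decision:
    """Apply the DLP policy, plus ITM collection for watch-listed users.

    mode="monitor" is the flexible approach's first phase: observe risky
    movement without stopping it. mode="prevent" is the strict approach:
    block sensitive movement outright.
    """
    if mode not in ("monitor", "prevent"):
        raise ValueError(f"unknown mode {mode!r}")
    sensitive = is_sensitive_movement(a)
    under_itm = a.user in itm_watchlist
    if not sensitive and not under_itm:
        # Privacy by default: ordinary activity is not recorded at all.
        return Decision(captured=False, reason="no sensitive data movement")

    # Captured events carry user/app/web context so an analyst can act on them.
    context = {"user": a.user, "app": a.app, "action": a.action,
               "destination": a.destination}
    if a.web_host:
        context["web_host"] = a.web_host
    if under_itm:
        context["collection"] = "itm_full_activity"  # richer, investigation-driven

    # Screenshots only for sensitive movement, and never when the screen
    # may show the employee's personal data.
    screenshot = sensitive and not a.personal_data_on_screen
    blocked = sensitive and mode == "prevent"
    reason = ("blocked sensitive data movement" if blocked else
              "captured sensitive data movement" if sensitive else
              "captured under ITM policy")
    return Decision(captured=True, blocked=blocked, screenshot=screenshot,
                    context=context, reason=reason)


# Constructed sample activities for one working day.
SAMPLE = [
    Activity("alice", "explorer.exe", "copy", "usb", label="Confidential"),
    Activity("bob", "chrome.exe", "browse", "web", web_host="wiki.corp.example"),
    Activity("carol", "chrome.exe", "upload", "webmail", label="Restricted",
             web_host="mail.example.com", personal_data_on_screen=True),
    Activity("dave", "chrome.exe", "browse", "web", web_host="news.example.org"),
]


def run(mode: str, itm_watchlist: FrozenSet[str] = frozenset()) -> List[Decision]:
    """Evaluate every sample activity under one mode and return the decisions."""
    return [evaluate(a, mode, itm_watchlist) for a in SAMPLE]


if __name__ == "__main__":
    for phase in ("monitor", "prevent"):
        print(f"--- {phase} ---")
        for a, d in zip(SAMPLE, run(phase, frozenset({"dave"}))):
            print(f"{a.user:6} captured={d.captured!s:5} blocked={d.blocked!s:5} "
                  f"screenshot={d.screenshot!s:5} {d.reason}")
```

Note that bob's ordinary browsing leaves no record under either mode, carol's upload is captured with its web context but without a screenshot because personal data may be on screen, and the only difference between the two phases is whether alice's and carol's movements are blocked; moving from the flexible to the strict posture is a one-word policy change once monitoring has shown where the risk is.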
Granular Data Access
- Security administrators can configure granular data access policies based on criteria such as a user’s country, function and activity type to ensure that user activities are viewed only on a need-to-know basis.
- Data access policies can be assigned to analysts as investigative needs arise and once proper approvals are obtained.
- Access to user data can be time-bound to help limit data exposure.
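As an added example (not Proofpoint's code), the check below implements the three properties listed above for analyst access to captured activity records: scope by the monitored user's country, function and activity type; a recorded approval as a precondition; and a hard expiry so that access is time-bound. Record fields, the approver role and the 72-hour window are assumptions for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple

# Constructed example of scoped, approval-gated, time-bound analyst access
# to captured user-activity records. Field names are assumptions.


@dataclass(frozen=True)
class ActivityRecord:
    record_id: str
    user: str
    country: str          # where the monitored user is based
    function: str         # the monitored user's business function
    activity_type: str    # e.g. "file_transfer", "web_upload", "screenshot"


@dataclass(frozen=True)
class AccessGrant:
    analyst: str
    case_id: str
    approved_by: str                  # "" means no approval was recorded
    countries: FrozenSet[str]
    functions: FrozenSet[str]
    activity_types: FrozenSet[str]
    granted_at: datetime
    ttl: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.ttl


def can_view(grant: AccessGrant, rec: ActivityRecord, now: datetime) -> Tuple[bool, str]:
    """Deny by default: every condition must hold for the record to be viewable."""
    if not grant.approved_by:
        return False, "no approval recorded"
    if now < grant.granted_at:
        return False, "grant not yet active"
    if now >= grant.expires_at:
        return False, "grant expired"
    if rec.country not in grant.countries:
        return False, f"country {rec.country} outside scope"
    if rec.function not in grant.functions:
        return False, f"function {rec.function} outside scope"
    if rec.activity_type not in grant.activity_types:
        return False, f"activity type {rec.activity_type} outside scope"
    return True, "allowed"


def visible_records(grant: AccessGrant, records: List[ActivityRecord],
                    now: datetime) -> List[ActivityRecord]:
    """The need-to-know view: only records the grant permits at this moment."""
    return [r for r in records if can_view(grant, r, now)[0]]


# Constructed sample data.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
LATER = T0 + timedelta(hours=1)
AFTER_EXPIRY = T0 + timedelta(hours=72)

RECORDS = [
    ActivityRecord("r1", "alice", "US", "finance", "file_transfer"),
    ActivityRecord("r2", "alice", "US", "finance", "screenshot"),
    ActivityRecord("r3", "bruno", "DE", "finance", "file_transfer"),
    ActivityRecord("r4", "chen", "US", "engineering", "web_upload"),
]

# Grant scoped to one case: US finance file transfers and uploads, 72 hours.
GRANT = AccessGrant(
    analyst="analyst1", case_id="CASE-001", approved_by="privacy_officer",
    countries=frozenset({"US"}), functions=frozenset({"finance"}),
    activity_types=frozenset({"file_transfer", "web_upload"}),
    granted_at=T0, ttl=timedelta(hours=72),
)
UNAPPROVED = replace(GRANT, approved_by="")  # same scope, approval missing

if __name__ == "__main__":
    for rec in RECORDS:
        ok, why = can_view(GRANT, rec, LATER)
        print(f"{rec.record_id}: {'ALLOW' if ok else 'DENY '} ({why})")
    print("after expiry:", can_view(GRANT, RECORDS[0], AFTER_EXPIRY))
    print("unapproved:  ", can_view(UNAPPROVED, RECORDS[0], LATER))
```

Ordering the checks approval first, then time window, then scope means an expired or unapproved grant reveals nothing about the records, not even which scope attribute would have failed. Each denial reason is suitable for an audit log, which is what makes a later review of who saw which user's data possible.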