Privacy and the death of security, what security teams need to know
CHRIS JACOB
As people start coming back to the office after working from home exclusively for two years, a hybrid work model will pose a series of challenges for security teams. One of these challenges involves reminding and reeducating workers about security best practices after two years of working remotely and using decentralized services.
In a survey by F-Secure of 7,200 people from nine countries, 67% of remote workers acknowledged they increasingly worry about their online security and privacy, even when nothing is wrong, compared to 58% of other respondents. Additionally, concerns over data privacy have changed how 63% of remote workers use the internet, compared to 48% of other respondents. Many employees working from home without easy access to IT support have taken their own steps to alleviate some of this anxiety. For instance, they have switched to decentralized services that they believe are more privacy-conscious than corporate-sanctioned tools for video conferencing, browsers, search engines, private messaging, file storage and backup. This trend portends a rocky re-entry for employees and IT security teams alike when they come back to the office, even if just in a hybrid model.
Privacy and security are often conflated, but they are two very different things. Privacy is about controlling your personal information and security is about protecting your personal information. Sometimes the two can be at odds. Security practitioners are responsible for the security of the company. But the company’s responsibility is to its stakeholders and to producing revenue. As a security practitioner you need to understand how the business produces that revenue so that you can implement policies that enable it securely, without employees circumventing them because they need to get their jobs done.
To reduce the friction between privacy and security, it’s crucial that in this somewhat turbulent period, security teams focus on setting up their policies in line with business objectives and put employee training front and center. Employees coming back to the office need to understand why you’re putting certain policies in place and asking them to do things in a certain way. While it seems counterintuitive, employees need to understand that the more privacy they achieve through decentralized services they may have started to use over the last two years, the less security practitioners can help them. In effect, employees have taken on the onus of security themselves. Meanwhile, for the enterprise security team responsible for securing the company and its stakeholders, it becomes more difficult to ensure that each user is staying safe and secure.
With employees more attuned to online data privacy than ever, it’s paramount for security teams to set up policies and help employees understand how adhering to these policies will help reduce the digital anxiety working from home may have triggered. With the right training and the right policies in place, it’s a trade-off employees should be more than willing to make for some welcome peace of mind and convenience.