Drafting surveillance policy to protect company networks from internal threats
Practically all governments and industry regulators now demand that companies secure their enterprise networks to protect their systems and data.
In response, companies are doing everything in their capacity to mitigate the risks and threats to their networks from both external and internal forces.
External threats from cybercriminals could present distinctive markers and signatures that could be neutralized with robust cybersecurity measures.
However, dealing with internal threats such as deliberate theft of data by employees and even mistakes that lead to a network breach may not be as straightforward.
Some companies resort to close monitoring of their employees' activities to thwart any attempted breach. But it is not easy to figure out the extent of surveillance that their staff should be subjected to.
Most often, creating a robust network surveillance policy requires a delicate balance of reasonable efforts to prevent wrongdoings and negligence while also providing employees with sensible privacy.
Obviously, these measures should vary depending on industry requirements, but there are a few things every leader should keep in mind in order to strike the right balance:
Monitoring employee emails and internet usage
While it could be a contentious issue, companies could and should monitor employees' work emails and their activities with work applications that are on the enterprise network.
They could do that by deploying software that detects transmission of confidential data via company email servers or transfer of large data onto portable storage devices. Some security software could also be configured to detect suspicious activities within email conversations.
However, company email and activities on company applications are where an organization should draw the line.
Short of suspicion beyond a reasonable doubt, companies should not access and monitor employees' personal email and social media accounts.
This is because employees also should be afforded reasonable privacy over their personal correspondence. To mitigate any concerns, organizations could impose a limitation on using the company network or devices to access personal applications.
Similarly, phone calls made using company telephones could be monitored, and video surveillance could be used during working hours, preferably with the consent of the employee.
Establishing clear policies
Given how tricky it is to maintain a delicate balance of securing the network and ensuring privacy to the employees, one of the best things companies could do is establish clear policies from the outset.
These policies should lay out clear guidelines to explain how an employee should treat the company network and devices, and emphasize that should the staff choose to use them for personal use, they could be subject to surveillance as well.
Some companies do allow access to work applications on employees' personal devices. In such cases, the employees should ensure that their devices are fitted with all the necessary security features to protect against any compromise.
In conclusion, it is clear that affording privacy in the digital era could be very complex, and it will only get more complicated in the coming years, given the rise of bring-your-own-device policies.
And with regulations requiring companies to protect their data as well as individual privacy, it is especially crucial for enterprises to strike the right balance without compromising too much of either.