Securing business data without compromising employee privacy
Remote and hybrid work is the new normal, and COVID-19 has further cemented the need for businesses to support flexible working environments. But the comfort of working from home comes with its own set of challenges. With the sudden shift to remote working in 2020, many organizations were woefully unprepared in terms of securing their mobile devices or protecting employee privacy. Their data became more susceptible to breaches and cyber-threats like malware, spyware, phishing, and WiFi hacks. These threats were a constant concern as employees swapped the office network for their home network, a coffee shop, or a neighbor's borrowed Internet connection.
Some businesses were concerned that remote working could reduce productivity and wanted to ensure their employees continued to work efficiently regardless of location. Employee activity tracking software was installed to monitor websites browsed, apps used, hourly productivity, and time spent working on the laptop, smartphone, or tablet. However, employees often view this as a breach of privacy and regularly resist such “surveillance” initiatives. Surveillance has only proven to reduce productivity, not increase it; big-brother watching does not make for a positive work culture. However, the concerns driving these initiatives are valid and need to be addressed in an appropriate manner.
The Employer Perspective
Fear of Loss in Productivity – Employers want to ensure that employees continue to work efficiently during work hours and do not get distracted by entertainment sites and social networking apps. Employees are reluctant to use tracking software, especially if they’re using personal devices for professional purposes, and that is a valid concern.
Lack of Control over Device Security – Most companies have a security environment built around the office network and PCs. Traditional anti-virus solutions such as email phishing protection do not extend to the remote-working, mobile-first world employees now work in, and the threats they see daily, such as SMS phishing, are left unaddressed. Companies regularly equip their employees with smartphones, but these devices are rarely protected even though they are used to access the same business systems as a laptop or desktop. There is a huge security gap right here and hackers are exploiting it. The most successful phishing, malware, and spyware threats over the past 2 years have been distributed through SMS, mobile apps, and social media – all mobile-centric attack vectors. Phishing attempts grew by 364% from 2019 to 2020 and continue to accelerate rapidly.
There are mobile security apps available, but they typically fall short of employer security requirements and employee experience expectations. Often they are either too intrusive, screen-scraping every activity on the phone, or so limited that they miss key vulnerability and real-time threat indicators. At Corrata, employee privacy is a key product pillar. We protect mobile devices from phishing, malware and spyware attacks without compromising employee privacy. We don’t monitor the information content of texts, sensitive company documents, or general activity on the mobile device.
The Employee Perspective
Multi-purpose Devices – In reality, unlike laptops, mobile devices are not just used for a singular purpose. They are sometimes shared amongst family members or used for other activities like shopping, entertainment, video streaming etc. Mobile phones are a goldmine for phishing and malware attacks. We recently found a major security configuration flaw in one of the world’s biggest news sites that gets over 200 million visits per month. When business devices are used for multiple purposes, it becomes harder for organizations to be confident that their data is secure.
Blurred Professional and Personal Lives – Remote working can sometimes blur the line between personal and professional lives. Some employees feel burnt out as there is no “off” switch for working from home. Adding tracking software to this mix can further add to this frustration.
Each perspective has valid points. Employers want productivity and security while employees demand privacy and the tools to work securely when remote.
How can companies ensure both parties are happy?
- Refrain from deploying intrusive monitoring apps. Instead, restrict certain distracting sites on business devices if required.
- Opt for a security solution that detects and blocks threats without compromising user privacy. Educate employees on the software implemented and be transparent about what is tracked and what is not. Transparency and awareness are 80% of the work. Assure employees that their privacy is protected.
- Double-check any software installed. Certain mobile security apps use the accessibility feature to take control of the phone and perform special tasks/actions. Android developed this feature to help people with disabilities but certain apps use this to read everything on the user’s phone or perform actions on their behalf in the name of “security”. The same accessibility features are also exploited by hackers to steal data off your device using trojans, bots, or clickjacking. Any apps relying on accessibility features for security are a major security concern.
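
One way to carry out the double-check described in the last item, as an added example that is not part of the original article or of any vendor's product: the script takes the value of Android's `enabled_accessibility_services` secure setting and flags every enabled accessibility service whose package is not on an approved list. The allowlist and the sample value are constructed assumptions.

```shell
# Audit which packages hold an enabled Android accessibility service.
# Input: the value of the secure setting "enabled_accessibility_services",
# a colon-separated list of "package/service.Class" component names.
# On a managed test device it can be read with:
#   adb shell settings get secure enabled_accessibility_services

# Constructed allowlist (assumption): packages the organisation has approved.
ALLOWLIST="com.google.android.marvin.talkback com.example.approved.reader"

# Constructed sample value, not captured from a real device.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.mobilesec/.ScreenReaderService"

# Print one line per enabled service: "<OK|REVIEW> <package> <service class>".
audit_accessibility() {
    local value="$1" entry pkg svc status
    # An unset setting is reported as "null" or as an empty string.
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    local IFS=':'
    for entry in $value; do
        [ -n "$entry" ] || continue
        pkg="${entry%%/*}"
        svc="${entry#*/}"
        # Expand the ".Class" shorthand to a fully qualified class name.
        case "$svc" in .*) svc="${pkg}${svc}" ;; esac
        status="REVIEW"
        case " $ALLOWLIST " in *" $pkg "*) status="OK" ;; esac
        echo "$status $pkg $svc"
    done
}

# Number of enabled services whose package is not on the allowlist.
count_review() {
    audit_accessibility "$1" | grep -c '^REVIEW ' || true
}

audit_accessibility "$SAMPLE"
```

A `REVIEW` line is a prompt to check why that app needs accessibility access, not proof that it is malicious.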
What can employees do?
- Download authentic apps from official app stores on mobile devices and do not jailbreak or tamper with the operating system or security settings. Malware and spyware contained in benign-looking apps are so sophisticated that you generally will not notice any issues until it is too late.
- Phishing texts are increasing every day. Always be careful not to give away any confidential banking information or any other login credentials.
Corrata was built keeping mobile security and privacy in mind. For example, if a certain device is found to be spending time on gambling sites or any site against the compliance policy of the company, the IT team is alerted so they can issue an organization-wide communication but not single out the employee. Corrata does not look at the content of any communications, be it texts or emails. The only focus of our solution is to report security events and not gather information about the apps each user downloads or track the websites they visit. This builds employee trust and ensures there are no data breaches. Everyone wins.