Has anything changed in cyber risk monitoring? asks John Holmes, Chief Legal Officer at Forcepoint.
It’s been four years since the team at the Hogan Lovells law firm first issued their formative report, Managing Workforce Cyber Risk in a Global Landscape: A Legal Review, which explored the implications of enacting security monitoring programs in the workplace. The authors are attorneys Harriet Pearson, who essentially wrote the book on privacy in cybersecurity, and James Denvil, whose practical knowledge of cyber monitoring in the workplace is unparalleled.
It is said that change is inevitable, and since the report’s initial publication in 2017, we’ve all experienced tectonic social and economic shifts affecting security on a global scale. The evolution of privacy laws like GDPR and CCPA, and the maturation of SaaS and SASE make the top of my list. None more so, however, than the pandemic, which forced enterprises to quickly mature their business plans for transformation initiatives and shift their focus from infrastructure security to remote workforce security seemingly overnight. I tip my hat to my colleagues in IT and security for their amazing efforts to move faster than the speed of the business, especially in the past 12 months.
Even as our world transitions from lockdown to return-to-work, where we work is still an open question. Right now I’m writing this blog post from my home office. Who knows where I’ll be for the next one as it will be months before I unlock my office door at HQ. How security will protect the “anywhere” worker in today’s hyper-distributed enterprise is the question that Harriet and James at Hogan Lovells addressed in their new report, Protecting the Workforce and Information in a Global Landscape: A Legal Review.
It’s clear that monitoring user interactions with data and systems continues to be foundational to cyber risk management programs. The research findings from across 15 countries provide a blueprint for security leaders, corporate executives and board directors to plan their risk management for the next critical months of this year and into 2022.
I will highlight just a few here:
Cyber risk profiles have changed significantly especially in light of the increase in agile working arrangements driven by the COVID-19 pandemic and other factors. It’s likely that every organization has been affected by changes in the relevant legal and regulatory environment. Since 2017, we have seen GDPR take effect and significant changes to laws or official guidance in South America and Western Europe, in particular.
With the changing risk landscape, effective cyber risk management programs should include capabilities such as user activity monitoring solutions that are designed to detect, prevent, and investigate cyber incidents.
Corporations need to recognize that what constitutes normal behavior for one employee may reflect anomalous activity for another. As a result, organizations must identify and have context into moments when activities diverge from normal routines on a user-by-user basis.
In addition to an overall privacy program, organizations can mitigate privacy risk by ensuring security can flag suspicious activities without directly identifying employees and users.
The conversation about the privacy and compliance implications for user monitoring could not have come at a better time. Corporate risk management programs must evolve as quickly as IT and security services have had to rapidly change to support a permanent and massive remote workforce.
Harriet, James and I continue the discussion in the webcast, “Global Privacy, Data Security, and User Protection: What’s New?”
