The Disconnect Between Privacy and Security
Anyone who has worked as a system administrator, or in IT in general, has had a user ask whether IT can read their email, see their location, or see their photos and texts. This concern reaches a crescendo when an MDM/EMM solution is on the horizon or an employee is reprimanded for extreme social media usage. Yet most of these same users never question what other vendors can see.
The truth is that IT staff do have a lot of visibility into the network and corporate-owned assets. Firms can sit at opposite ends of the control spectrum. I have always expressed that I am far too busy to check on what my users are doing at any given minute. I may spot-check reports to make sure bandwidth is okay, or look for malicious programs. But this data is in aggregate unless a potential problem arises.
Nonetheless, users whisper and question what the IT department can see, and for good reason. With the rise of BYOD programs, employees want to ensure their private texts and photos remain hidden from their employer. The problem with BYOD is that every company is different, which can lead to confusion and distrust among employees. Not having a balanced BYOD/MDM environment keeps system administrators from using the tools they enforce. As a matter of fact, BYOD adoption among System Administrators is at an astonishing 43%.
Here’s where things get interesting: the same users do not put the same questions to Facebook, Google, Dropbox, and others. These applications can reach farther into your device and privacy than most IT departments. Most of these applications have access to actually read text messages, parse photos, see your location, and then share that data with other vendors. Yet, because it is a faceless application and not their employer, they get a pass. Because these applications provide convenience and a high utility, they get a pass.
A typical user does not have the time or energy to parse EULAs spanning hundreds of pages – and who does? We have adopted an attitude that the Internet is a safe place if we interact with a trusted company. These trusted companies are the same ones obscuring how much data they own about us, and who they are selling it to. Users have become the new commodities, and few are aware they are being traded.
We must educate our employers and users to ensure that they accept a tolerable level of risk. This reduces the friction between employer and employee, and protects employee and corporate data. When users begin questioning how much an application intrudes on their privacy, they start to use fewer rogue or shadow IT applications. Instead, they begin asking for advice and guidance, which opens the door for conversation.
We must work with each other to ensure everyone remains protected. As IT and security professionals, this means educating our users in easy-to-understand terms. As users, we must bring down our adversarial walls. Technology has become collaborative, and that isn’t going to change any time soon.
For further reading on BYOD Privacy, feel free to check out the following: