Legal monitoring, smartphone control and your employee's personal portrait
20.01.2021
Is the system worth the money spent on it? Risk managers and information security officers know why special software is required, but how do you explain to a businessman that DLP is important? The system's advantages become obvious during a trial period. According to our analysts' experience, the first three hours of the DLP system's operation reveal incidents. And according to the clients who launched it, these incidents are so horrible that it is fair to say the value of the system becomes perceptible within the first month of use.
The cost of an incident varies from company to company, but the incident likelihood statistics can't be disputed. Year after year the figures for different industries are nearly equal: almost 60% deal with data leaks, 1/3 with kickbacks, 25% with industrial espionage, 11% with side selling.
The economic effect is even clearer when SearchInform Road Show participants speak about it. "How many employees work in a purchasing department?" ask the companies which are experienced DLP users. "Ten? At least one of them is interested in taking advantage. And probably there are more of them."
Is the use of DLP legal? This is the most popular question. The answer is constant: installing monitoring and data loss prevention systems is legal, but there are procedures that must be followed when the solution is deployed.
A new question about legality has come up recently: how to take incidents to court? It is crucial to comply with all the regulations of the incident investigation process (from its discovery and calling an investigative committee to interrogating violators prior to documenting the evidence).
All these steps are described in a memo prepared by our specialists and given to our partners on request. If the regulations are complied with and evidence is collected (with the help of the DLP system), the matter can be taken to court.
Isn't it biometrics, all the videos and photos of users sitting in front of a laptop camera? No, the system takes a photo of a person but doesn't identify him or her against a biometric database.
Some of those intrigued by ProfileCenter's methods hesitate: isn't the user personal portrait that the solution builds some kind of medical record? If so, that would oblige a data processor to meet lots of requirements. The answer is "no": the healthcare industry and regulators don't define a personal portrait as a personal medical health record.
Can DLP control smartphones? In theory, yes, it can. But in practice there are still some things to solve before putting it into effect. This is difficult from many points of view: legal, technical, control depth, cost. First of all, it is not easy to make smartphone monitoring legal. An employer will have to sign an agreement with employees. There's a zero probability that someone will let a company control a personal gadget, although a corporate phone which is used only at work might be a more realistic option. As regards the depth of this control, here's an example: a smartphone requires constant updates of its operating system and of all applications. To keep the same functionality and settings, the DLP agent has to be updated and reinstalled as well. This brings problems to both the company and the user. That's why those willing to implement mobile control tend to adopt a whole combination of technical and administrative measures. Depending on the industry, it can be a complete ban on using personal gadgets at work, the introduction of MDM/EMM solutions, or placing cameras in the office. DLP systems are used in this case to make data theft harder for a violator.
How to protect corporate data from leaking via a photo taken with someone's phone? This is a frequent question. So far there have been only basic, well-known methods: cameras in the office, a policy which doesn't let an employee stay in the office when there is no one around to supervise, etc. There are no technical instruments to correctly detect a screen being photographed with a phone. Such exotic attempts as putting a tape on a computer screen, or flashing a light to spoil a photo as soon as a phone is brought closer to a screen, weren't effective. This is because there are no proper tools to identify this type of incident and react to it.
SearchInform DLP: Linux vs. Windows. A keylogger and MonitorController have been added to the features for Linux users.
Where can good information security officers and risk managers be hunted for? These professionals are indeed not plentiful on the labour market. The large-scale shift to remote work has only increased the demand.
As for ProfileCenter, there is always the question of whether specific knowledge is needed to work with the program. Profiling skills will be helpful, and a training course could help with a better understanding of how it works. But the solution comes in handy anyway. ProfileCenter was created for a wide audience: the interface is intuitive, and all the information is accompanied by commentary and recommendations which will be intelligible to information security officers, HR specialists, economic security departments and many more.