As employee monitoring technologies move out of the realm of experimentation and into the mainstream, concerns over their impact on employee privacy, data security, and trust have become even more pressing. In a breakout session at Gartner’s ReimagineHR event in London on Wednesday, Principal Executive Advisor Clare Moncrieff elucidated the difference between the kind of employee monitoring we trust and that which we don’t. She began by asking the attendees if they agreed with the following statements:
- “Recording the location, actions and communications of employees is a necessary and important part of business operations.”
- “Recording the location, actions and communications of commercial airline pilots is a necessary and important part of business operations.”
Responses to the first statement were mixed, with about half the audience saying they agreed or strongly agreed and the other half saying they disagreed or felt neutral on the subject. On the other hand, every single attendee agreed with the second statement. What’s the difference?
One reason why the recording of commercial airline pilots was uncontroversial is that it has been a standard practice in the industry for nearly 60 years. Flight recorders (commonly referred to as “black boxes”) are understood to be a normal and necessary component of air safety procedures. Their value in diagnosing and correcting problems that can lead to catastrophic accidents is unquestioned, and everyone—passengers, crew, airline administrators, regulators, and the public—understands and appreciates why they are needed.
Pilots don’t see these devices as intruding on their privacy, even though they record every conversation they have in the cockpit, because their benefits are clear and because airlines only use the information for a specific and clearly defined purpose. Data from the recorders is only accessed after an incident and is never shared or published. Black box data has never been used for purposes other than intended and there has never been a known breach of flight data security in six decades of using these recorders. Also, data from flight recorders is only one of many inputs into an inquiry, which also incorporates first-hand accounts from the flight crew.
Flight data recorders meet all the key criteria of an effective employee monitoring system, according to our research at Gartner: The purpose and beneficiary of the technology are clear and consistent, access to the collected data is strictly controlled, and employees’ voices are taken into consideration when interpreting the data. When monitoring follows these guidelines, employees are much more likely to trust and accept it.
Cybercriminals are continuing to carry out ransomware attacks on organizations at a greater frequency, according to two new reports highlighted by Cnet’s Laura Hautala this week:
According to Verizon’s annual Data Breach Investigations Report, released Tuesday, ransomware attacks doubled in the last year. That’s especially alarming considering that they doubled the year before, too. … Ransomware accounted for 39 percent of all new malware infections tallied up in the Verizon report, which looks at more than 53,000 security incidents drawn from Verizon cybersecurity customers as well as reports from the US Secret Service and an international consortium of private sector companies.
The numbers match up with findings released Monday by cybersecurity company Malwarebytes, which found that while hackers are targeting consumers with ransomware less frequently, they’re hitting businesses with more of the attacks.
The threat of ransomware was thrown into stark relief last year, when the WannaCry attack, the largest such cyberattack in history, struck over 300,000 machines in 150 countries, exploiting a vulnerability in outdated versions of Microsoft Windows to lock victims out of their computers and demand ransoms of hundreds of dollars to restore access to their documents and data. Most ransomware attacks are much less sophisticated than WannaCry, which the US government ultimately blamed on North Korea, and rely on phishing scams that trick users into handing passwords or other personal data over to hackers, who can use this information to gain control of their devices.
Phishing and ransomware are of concern for HR departments in particular, first because this part of the organization is often a soft target for cybercriminals and second because employee behavior is the main weak point in most organizations’ cybersecurity strategies.
Watson Assistant, the latest entry into the AI-powered virtual assistant market, made its debut on Tuesday at IBM’s Think conference in Las Vegas, CNET’s Ben Fox Rubin reports. Unlike Amazon’s consumer-focused Alexa, however, Watson Assistant is an enterprise-oriented technology that “will function as the behind-the-scenes brains for a variety of new digital helpers made by a variety of businesses”:
For example, Watson Assistant is already in use at Munich Airport to power a robot that can tell you directions and gate information. The assistant is in development by BMW for an in-car voice helper. Also, Chameleon Technology in the UK created a Watson Assistant-driven platform called I-VIE that helps people manage their energy usage.
“We looked at the market for assistants and realized there was something else needed to make it easier for companies to use,” said Bret Greenstein, IBM’s global vice president for IoT products. …
HQ Trivia, a mobile game where players compete for cash prizes in live quiz-show style games, has been described as “the future of both mobile gaming and live TV,” as well as “the best worst thing on the Internet.” Whatever it is, it’s growing fast: Launched on iOS just a few months ago, with an Android version released just before New Year’s Eve, the app attracts hundreds of thousands of users to each game and topped one million users last Sunday night. A product of the startup Intermedia Labs, founded by two of the co-creators of Vine, HQ isn’t making any money yet but has attracted plenty of interest from venture capital investors.
A game of HQ lasts about 13 minutes, during which players must rapidly answer a series of 12 multiple-choice questions and are eliminated when they answer incorrectly. Those who get every question right split a prize pool, usually of $250, which means each player usually stands to win a few dollars, at most. The app comes alive to host a game at 9 p.m. Eastern time every day and at 3 p.m. on weekdays.
Of course, that means many users are likely playing it at work. SHRM’s Dana Wilkie solicits the opinions of some experts as to how employers should handle the latest craze:
“Like anything else, if it is causing harm or lowering productivity, nip it in the bud,” said Cord Himelstein, vice president of marketing and communications for HALO Recognition, an employee rewards and incentives company based in Long Island City, N.Y. “However, if it engages your employees well and it’s something they really like, embrace it and set boundaries. It’s important to give it as fair of a shake as March Madness and Super Bowl pools, two things that, over time, have found a natural fit and flow in the modern workplace.” …
A series of massive data breaches at major companies, including the recent theft of over 140 million Americans’ personal data from Equifax, has put questions of cybersecurity at the front of every CEO’s mind. At the Wall Street Journal last week, Vanessa Fuhrmans noted that the threat of losing their jobs or even seeing their business destroyed was pushing more chief executives to give cybersecurity their personal attention.
Their motivations are twofold: First, the frequency of data breaches is increasing at an alarming rate, and second, CEOs are increasingly getting blamed for them. After last month’s crisis, Equifax’s board moved quickly (though some argue not quickly enough) to remove Richard Smith from the CEO role he had held for 12 years. Yahoo CEO Marissa Mayer, for example, had her bonus for 2016 rescinded as punishment for a 2014 security breach that compromised hundreds of millions of user accounts and to which an internal investigation found her management team had not responded properly.
The bottom line, Fuhrmans hears from various chief executives, is that they can no longer afford to pass the cybersecurity buck to the IT department and hope to escape unscathed if their company’s data is eventually compromised. That means developing good cybersecurity habits themselves (given how much information is publicly available about them, CEOs are attractive targets for phishing scams), learning more about how their organizations’ security systems work, and taking on a more direct oversight role.
Here’s an area where CEOs could be leveraging their relationship with the HR department to be more proactive about solving the problem. Rather than investing more in firewalls to prevent external breaches, many organizations should also be looking inward, as employee errors account for nearly 60 percent of privacy failures. There’s a big role for HR in helping employees avoid the errors and bad habits that make cyber attacks more likely to succeed.
The massive data breach at the credit reporting agency Equifax affected 2.5 million more Americans than previously thought, the agency revealed last week. The breach, first revealed last month, exposed the data of 145.5 million US consumers in total, plus some 400,000 in the UK and about 8,000 in Canada.
This event, which Equifax has blamed on employee error, has raised concerns over not only what hackers might do with the data that was compromised, but also what other data Equifax and other credit agencies have on hand that could be put at risk by similar oversights in data security. Equifax, for instance, owns a database of payroll information from 7,100 companies, which was not exposed in the recent breach, and major employers seem to have no intention to stop entrusting the firm with their data, Jennifer Surane reported for Bloomberg last week:
In the wake of the breach announced last month, Bloomberg News contacted the 40 largest U.S. employers — representing some 12.5 million workers — and asked if they would continue dealing with the service, which helps them with unemployment claims, employment eligibility and tax credits. None said they will sever existing ties.
Several — such as Wal-Mart Stores Inc., the nation’s largest private employer — confirmed they will keep sharing information with Equifax. Others declined to comment on their relationships or didn’t respond to messages. Only about a half-dozen said they didn’t provide that information prior to this year’s hack.
On September 7, the credit reporting agency Equifax revealed it had experienced a cybersecurity breach in late July that potentially exposed the sensitive personal data of 143 million Americans to unidentified hackers, and the agency said this week that it had suffered another breach in March.
The data exposed in the breach included millions of consumers’ names, birth dates, addresses, Social Security numbers, and in some cases driver’s license numbers. The hackers also obtained 209,000 credit card numbers and documents with personal information used in disputes for 182,000 people. “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” Avivah Litan, a fraud analyst at Gartner, told the New York Times when the July breach was disclosed earlier this month.
With so many people affected, most US organizations likely have victims of the breach among their employees, whose data could be used to steal their identities and commit fraud. Employers that offer 401(k) plans should contact their third-party administrators to ensure that employees are notified of any vulnerabilities in their accounts, Edward McAndrew, an attorney with Ballard Spahr in Philadelphia and former cybercrime prosecutor for the Department of Justice, tells Allen Smith at SHRM:
The TPAs should notify employees to monitor their account statements for fraudulent activity and start using multifactor authentication to access their accounts, McAndrew said. HR shouldn’t provide the notice itself or it will get inundated with questions from employees about Equifax’s breach, he said.