Are you letting GDPR’s privacy rules trump security?
When incident detection vendor SecBI found suspicious activity on company devices at one of its clients, they passed on the data with the expectation that the client, a large European enterprise, would investigate further. That didn’t happen. The client’s security team was not allowed to look at the data due to privacy concerns.
A contract with the company’s employee union prohibited anyone in the organization from looking at employees’ personal data (e.g., browsing data, banking transactions, or healthcare provider interactions) stored on their work computers, even though the computers themselves were owned by the company. Although SecBI’s data indicated possible bad behavior on the part of an employee, the company did not have sufficient cause to investigate under the terms of the union contract.