It’s easy to roll out endpoint security when you don’t give a sh*t about your employees.

Jason Meller
Published in Kolide
Aug 12, 2019

At Kolide, we offer an endpoint security product for organizations that want to prioritize preserving a healthy and transparent company culture, the privacy of their employees, and the performance of their devices.

Rolling out a User Focused Security solution like Kolide in a way that treats your employees with respect requires careful planning and thoughtful communication. To make this easier for our customers, we give them resources they can share with their end-users, like a detailed Privacy Center and our Slack App.

That being said, our philosophy isn’t for everyone. A lot of this hard work can be easily avoided when you do not care about your employees. If that sounds like you, we think the tips below will be very helpful.

Tip #1: Surprise Them

Your employees are used to treating customer data with care and respect, so they will expect the same in return for the data you collect via the endpoint agent.

If you announce and transparently roll out this new software, it will generate a lot of questions and meaningful discussion. This is bad. Discussion will slow down your deployment, forcing you to waste a lot of time researching your solutions. To avoid this, it’s important that you roll the agent out as silently as possible, only notifying employees after the roll-out has been completed. It’s none of their business what information you collect. They’re *your* employees.

If you must make an announcement, make it as close to the roll-out as possible, after the vendor has been chosen, and using a medium of communication that will be missed by most employees. An email on a Friday afternoon can work wonders.

Tip #2: Treat your culture and value system as impediments to future business

After the roll-out, you should receive push-back from your most observant employees about the new software that has been installed on their devices. They may even try to show you how endpoint security violates important employee cultural values around trust and personal responsibility.

To deal with these concerns, it is key that you blame external causes as the rationale for eroding the company’s internal value system. Good scapegoats for this include:

  • your customers;
  • a recent security incident that made the news; and
  • the phrase, “everyone uses the same tools for this”.

If scapegoats don’t work, just assert authority and make the person feel guilty for asking questions. Good templates for shutting down discussion:

  • “You shouldn’t be using the company device for personal tasks anyway.”
  • “We checked with our lawyers and we have the right to monitor devices we pay for.”
  • “We are all on the same team, I’m hurt you think I would do something bad with your data.”

Make sure that you triage concerns as slowly as possible and engage with concerned employees using private channels of communication. This will deter follow-up questions and prevent other employees from becoming aware of any concerns about the new solution.

Tip #3: Lock down devices as much as possible

Instead of considering the context of your employees’ work and the nuanced tradeoffs between security and productivity, it’s much easier to just blindly follow and enforce rigid security standards to eliminate all possible risk.

Hiding behind official standards is key, as many practices you choose to enforce can often feel arbitrary or even detrimental to security (e.g., forcing users to change their passwords every 30 days). Without standards to hide behind, you will need to justify each practice to your employees. With official standards, you can defer all the thinking and, most importantly, deflect all the blame to a faceless third party.

Tip #4: Collect as much data as possible

When an incident does occur, you do not want to be caught without the critical data necessary to figure out what happened.

Since it can take a lot of effort and energy to determine the trade-off between the utility of information, the performance impact on a device, and your employees’ rights to privacy, it’s more efficient to optimize for just your needs and collect everything.

Tip #5: Only focus on company risk

The endpoint solution may detect evil software that poses no risk to the company, but mines data from the end-user (like a Chrome extension that sells your user’s browser history to ad companies).

It can be a lot of work to reach out and educate your end-users about these threats. Since you are only being paid to protect the company, you should ignore these alerts. Do not delete them though; you may want to point someone in finance to these alerts later to justify the expense of a renewal.

Tip #6: Make exceptions for your “best” people

Despite your efforts to keep your security program as opaque as possible, some employees may continue to resist and cause trouble.

In these cases, it’s much easier to cave in and give them everything they want. Make it clear that you are making a special consideration for only them because they are smarter, better, and more productive than the rest of their peers. Insist that they keep their special status a secret, otherwise they will lose their privileges.

Making special exceptions is much easier than making fair and transparent rules equally applied to everyone. With the most vocal users dealt with, it will be much easier to roll out even more oppressive software later.

Hopefully your sarcasm meter is off the charts at this point.

The above tips are an exaggeration of the attitude some organizations have about rolling out endpoint security, but in every caricature there is a bit of truth.

We are working really hard to make the tips above seem even more ridiculous, and we are proud to offer a security product that is helping hundreds of organizations meet their security objectives without the classic sacrifices.

See for yourself, and give Kolide a try for free!

Jason Meller
Founder & CEO of Kolide. Business-focused security entrepreneur w/ passion for building apps that empower incident responders. Former Chief Strategist @Fireeye