Amazon Echo®, Google Home®, and other “smart home” devices are becoming more commonplace. Known as “virtual assistants”, “digital assistants”, “personal digital assistants”, “PDAs”, or “smart assistants”, most are voice-based and/or card-based systems that allow the user to interface with the device to request information or a service. They use a combination of natural language queries, Machine Learning (ML), Artificial Intelligence (AI), and Internet of Things (IoT) mechanisms to provide a digitally connected platform that can interface with the user.

We are seeing Digital Assistants begin to take hold in the corporate world as well. Generation Z is entering the work arena and is expecting to see similar technology to what they use on a daily basis available to them on the job. As “Digital Workplace Experiences” adoption expands, it brings with it a number of security and privacy concerns. What seems like a means of providing convenience and efficiency in the workplace can become a security, privacy, and legal nightmare without the proper preparation for rollout.

If you are considering adding Digital Assistants to your company for your employees, here are some suggested items to address as you create your plan for the adoption and socialization of the use of these devices in the workplace. 

  

  • One of the biggest concerns with the use of Digital Assistants is selecting a platform that has been designed with security in mind. 
    • Many of these devices have been rushed to market and may lack proper testing for security, so ask security-related questions of the vendors and choose your platform wisely. 
    • These devices collect data constantly in order to provide a more robust experience for the user. Be sure to review the vendor’s Privacy Policy and get documentation on the information that is collected, how it is stored, and how it may be used. 
    • Ensure that the device has a mute function so that the capturing of data can be suspended and that it allows for deletion of data at the company’s discretion. 
  • The use of Digital Assistants changes the nature of information in the workplace. These devices are proactive and predict an employee’s actions and needs. This means they require the holding of information which may be considered sensitive but was not previously captured by the company, such as an employee’s current physical location. 
    • You will need to complete an employee data risk assessment and document what personal or sensitive information is being captured and logged, and how it may be accessed and used via the Digital Assistant. 
    • Check with your Legal Team to confirm any changes which may need to be reflected in employment contracts or handbooks. 
  • The handling of client information via Digital Assistants is a critical area of security risk. The last thing you want is for sensitive data to be leaked via the device. 
    • You will need to complete a client data risk assessment and document what sensitive information is being captured and logged, and how it may be accessed and used via the Digital Assistant. 
    • If you are a company that deals with highly sensitive or restricted information, you will want to consider using a card-based system. 
    • If you are using a card-based device, be sure that the cards cannot display sensitive information inadvertently. 
    • Due to the risk of sensitive data leakage, it is recommended that you not allow employees to synchronize their personal devices with company Digital Assistants. 
  • You will need to update your Information Security Policy (ISP) to reflect the use of Digital Assistants and to outline best practices. 
    • If your company is required to comply with the General Data Protection Regulation (GDPR) from the European Union (EU) or other legal regulatory standards, be sure that your required documentation is updated to reflect the use of these devices.
    • Voice-activated systems use a “wake word” to begin streaming the user’s voice for analysis of what to do next. Thus, these systems are always in “listening” mode. Check the laws in your area related to procedures around recordings and update your policies to reflect any legal notifications or requirements. 
  • Since Digital Assistants are mostly wireless devices, you will need to review and possibly harden your Wi-Fi configurations in support of their use. 
    • You will need to restrict the connections of Digital Assistants to only company-owned and maintained Wi-Fi options. 
  • Digital Assistants operate in a Cloud infrastructure. If you keep some data on premises, you will need a Hybrid cloud environment to support the use of these devices. This can present challenges related to proper configuration. 
    • Research the related security configurations, document the requirements and standard configurations, and review them on a quarterly basis. 
  • The use of Digital Assistants will often require the use of Application Programming Interfaces (APIs) for connection to needed external information sources. 
    • These are usually backend inline business systems, such as HR, CRM, ERP, Email, Intranet, Calendaring, or SMS. 
    • Be sure developers who are working with APIs have Secure Coding training in order to protect sensitive data in transit.
  • With Digital Assistants, you cannot use Endpoint Management agents for configuration as you can with traditional network devices. 
    • You will have to put in place a schedule for the review and updating of devices on an individual basis. 
  • As with the best practices for laptops and computers, create role-based security profiles that are applied to devices before they are issued to an employee. 
    • Harden the device so that employees cannot change the security settings. 
    • If users are unfamiliar or uncomfortable with using Digital Assistants, they may accidentally do something they did not mean to do. Set multi-factor authentication mechanisms for sensitive or critical activities, such as reading texts or purchasing.
    • Digital Assistants allow for multiple access interfaces. Users can ask questions or make commands via voice, chat bots, browser extensions, and more. Set security, such as voice lock, on the devices.  
  • For employees to get the most out of their use of Digital Assistants, you will need to provide for easy configuration of services, known as “skills”, by the user. 
    • Since some users will be more comfortable with using various features than others, you cannot have a one-size-fits-all services configuration.
    • Ensure that the services allowed on the device are relevant to your company’s operations and will not inadvertently leak data. For example, if you allow the use of third-party services, any that interact with sensitive data must provide full encryption. 
  • Digital Assistants in the workplace require that supporting information about the employee be accurate in order to provide the best predictive analysis. 
    • Information such as current position in the organization, basic duties of the position, organizational hierarchy, and other supporting information must be kept up-to-date in the external system. 
    • If an employee changes position and that change impacts their data access level, the change will need to be reflected on the device at the time the personnel change occurs. 
  • Your company’s Security Awareness Training (SAT) plan and content will need to be updated to reflect the use of Digital Assistants. 
    • Employees who are assigned the devices will need to complete additional training in their secure use, such as Data Privacy Training.  
    • Developers will need to complete Secure Coding training in support of the creation and maintenance of skills and APIs. 
  • If your company allows your employees to work from home, either consistently or on an as-needed basis, do not allow them to access their Digital Assistant remotely. 
    • Of special note, ask your employees if they have personal Digital Assistants in range of their home office. If they do, require them to mute the device during work hours so that sensitive data is not inadvertently leaked. 

What Can You Do?

Choosing to offer Digital Assistants in the workplace provides employees with a tool that can improve their efficiency and accuracy. However, your company must have a plan in place to provide a smooth and secure transition to their use. GLS can help you with planning and implementing additional training that is vital for ensuring secure, private, and legal use of these devices. Click on the “Request a Demo” button to learn more.
