Are You Big Brother?

There are many unpleasant tasks in life and work. Monitoring employee behavior is one of those unpleasant tasks. Management has to take a strong role in ensuring that liability does not come the company’s way, i.e., risk management. New regulations hold management responsible for employee behavior that can subject the company to monetary loss, criminal charges, and civil lawsuits. The buck stops here.

Most of us don’t want to be Big Brother. We don’t like the idea of “spying” on our employees. We don’t like the taste of infringing on someone’s privacy because we value our own. However, what you don’t know will hurt you and may hurt you in a court of law. Fortunately, technology has made our job a lot easier.

The most common monitoring components are email, Internet, and phone usage abuse. The AMA/ePolicy Institute provides the results of a survey completed in 2005 on this very topic. The survey states: “When it comes to workplace computer use, employers are primarily concerned about inappropriate Web surfing, with 76% monitoring workers’ Website connections. Fully 65% of companies use software to block connections to inappropriate Websites—a 27% increase since 2001 when AMA and ePolicy Institute last surveyed electronic monitoring and surveillance policies and procedures in the workplace.”

Internet use monitoring is perhaps one of the easier types of monitoring to implement, which may be the reason statistics are higher for this type. Another good reason is that port 80 (HTTP) is one of the biggest legitimate holes intentionally created in most firewalls. When port 80 is open, additional tools and technology are needed to filter or block unacceptable web access.

While employees have realized that using corporate email for personal use or dishonest use is not a good idea, they haven’t stopped using email. Most rely on web-based email, such as Yahoo, Gmail, and Hotmail, for communications. Even companies that have Internet usage policies allow employees to use webmail for occasional and personal use. I would get upset if the organization I worked for prevented me from using my personal webmail while at work because that is how I communicate with my children and spouse during the work day. As a security professional and an Information Security Officer, if I could, I would block webmail completely and forever because I think it is a great security risk. There’s the rub.

As in everything, balance is the key. While tools such as SurfControl, Websense, and GFI WebMonitor can help organizations gain control, it is very important to make sure that the data collected from the monitoring tools becomes HR’s responsibility. Usage reports can be emailed to a distribution list on a daily, weekly, or monthly basis. It is important that the distribution list include senior managers in HR, IT, Information Protection, and Operations, not rank-and-file employees in security and IT. As always, company policy is the foundation for all actions. Ahead of implementing any monitoring technologies, time has to be taken to formulate the policies and procedures that will support employee monitoring.


About the Author

Marcia J. Wilson, CISSP, CISM

Marcia J. Wilson is an Information Security Professional and a freelance writer. Her expertise includes network security assessments, information security policy and procedure development, business continuity and disaster recovery planning, as well as security awareness training for small and medium-sized companies.



