A report from earlier this week claimed that several high level security managers were in favour of employee monitoring technology.
This led me to wonder, should IT managers be looking to use monitoring technology to control and supervise what their staff are looking at? Nick Peart, global brand manager at Clearswift, said it is down to a company's stance on what is right and wrong about monitoring.
He said: “It is not employee monitoring, it is content monitoring. It is looking for regulatory requirements and it is the way that security needs to come out from the shadows, get rid of the disguise and engage with the employee and say what the measures are. That is not monitoring.”
A recent report by LogRhythm found that 52 per cent of UK workers would back the use of technology to monitor access to restricted files by other employees. I asked Ed McNair, CEO of Overtis, if using monitoring software was a sensible option in order to keep a business secure and compliant.
He said: “It is like using a hammer to crack a nut, as there is no reason to monitor when it is not specifically about acceptable use. We recently worked with a US bank that collected about two million events a day that just got stored. It is a tick in the box and results in terabytes of data and you cannot do anything with it.
“You can monitor for emails, words or data but it is all about the user, look at DLP – if any large enterprise has it turned on I would be surprised. The false positive rate would be so high that the business would grind to a halt. You shape your hardware on the hardware based on time and location, so if you print off a document at 2am on a Monday morning there is a chance it is not you. Granularity is behaviour-based, otherwise it is a blunt instrument that creates huge logs that no one does anything about.”
Likewise Richard Turner, CEO of Clearswift, said that this does cover the area of user privacy, which is a basic human right, a right that needs to be established and protected.
He said: “That said, is it acceptable that an organisation should be allowed to stipulate how the tools and services it provides are used? Absolutely. At first glance these two statements are poles apart, two paths that can never happily be joined. So how do you balance the privacy of customers and employees, with an organisation's stance on acceptable use?”
Turner said that the first stage is to realise it is the content and not the employee that needs to be monitored and secondly, is to resolve the three 'E's – establish, educate and then enforce.
He said: “Establish is to look at your business, the data moving around it and through it and identify the risks and form an opinion on acceptable use for all corporate services and tools. Look at what are required by compliance regulation such as PCI and HIPPA, productivity issues and acceptable use.
“It is critical that the policies you define are transparent and open to all. If policies are well defined and clearly communicated, most employees should be aware that they are about to break the rules before they do. For instance a block screen should not be a surprise to an employee typing in an inappropriate URL. Employee education should always begin with business justification, the reason why the policy exists and an overview on the steps that will be taken to enforce the rule. Effective education is basic duty of care that will keep both the employer and the employee safe.
“Technology exists to enforce the rules and polices as they are defined by an organisation. The first stage should be to alert an employee that they are about to break a rule, to give them the chance to alter the behaviour that has led to the warning. Once they have ignored the warning then the next step is to stop the activity in real-time and raise an alert, crucially the alert is about an employee who has ignored a real-time warning and is therefore a higher risk.”
Turner concluded by claiming that it is more about well-defined policies that support better business performance, that are communicated effectively and remove the personal privacy issue and the methods of content monitoring around the organisation.
McNair agreed that a policy-driven approach is more practical and commented that with blanket monitoring companies have to understand that if people work long hours employees will use personal applications and webmail.
“It is ok to monitor work email and applications but if you monitor personal applications then you get into dangerous ground. This is a grey area and I would say that to monitor and stop people cutting and pasting into webmail is fraught with danger. It has got to be done with sensitivity as if you monitor certain employees you end up with privacy issues,” he said.
I asked Stewart Room, partner at legal firm Field Fisher Waterhouse, what he thought of the dilemma. He said that this is not a morale issue as employers are obligated to monitor their employee's usage, but the question is how far they go.
He said: “The Data Protection Act and security principles say that employers must monitor their employees' activity so this is stating their obligation to do that. In that sense it is no deal, you have to look at monitoring and work out how much to do and how deep to do it and how do you justify what you find.
“Most businesses I deal with do this well, they use the technology to monitor the data flow and systems can depersonalise the data. So administration is the best of worlds with a secure environment and reasonable amount of privacy. It may be a problem issue, but the purpose is to ensure a safe environment for information and not an appropriate way of using monitoring technologies.”
Ultimately the debate on whether or not to use employee monitoring technology and how stringently you use it lies with the company that is deploying it. It depends on your business, customers and regulation standpoint, among many other factors, and there is no silver bullet solution.
However it is worth considering that if you do have incidents being collected and logged, it is going to take more time to decipher those results. So choose wisely.