
Monitoring Employee's Computers

The September 11th issue of the Wall Street Journal carried an article titled "At Many Companies, Hunt for Leakers Expands Arsenal of Monitoring Tactics." What caught my eye were the two lead paragraphs, which I reproduce here verbatim:

"Tom Bowers, a security manager for a big pharmaceutical company, got a tip earlier this year that an employee had accessed sensitive drug data for which she didn't have clearance.

Mr. Bowers searched the employee's computer, using recently purchased software that tracks file transfers and Internet use. He found she had sent confidential drug-manufacturing data outside the company. The employee was fired. "We have suspected for a long time that this type of activity was going on, but [until buying the software] we had no way to track it," Mr. Bowers says."

In case you are surprised that this type of monitoring goes on, don't be. And, expect more of it.

You may think that by citing this article I am against such monitoring. Quite the contrary. I'm against it only if you, the employee, are not informed and reminded (regularly) that this practice is going on AND that it is normal practice that applies to ALL employees, including the President.

In other words, because you are paid for the time you spend on behalf of your employer, the company has rights to everything that you do and create on its time. It is more than likely that you agreed to just that, in writing, when you were hired. This means that your employer can monitor everything that you do, within reason. By "within reason" I mean that they can't invade your privacy, for example by placing video cameras in the men's room.

There are two approaches to this legal snooping by your employer: Reactive and Proactive.

The Reactive approach is exemplified by the Wall Street Journal article. In that case, the employee was suspected of, and then caught, making an illegal file transfer. Such deliberate acts can never be entirely prevented. However, they can be minimized. This is where the Proactive approach comes in.

The Proactive approach is where a company fosters an environment of honesty, compliance and responsibility. It is an environment created by example from senior management down. It is an environment where unethical behavior (not necessarily illegal) is not tolerated. It is an environment where proper behavior is taught and reinforced. And yes, it is an environment where behavior is monitored and actions have consequences.

The Reactive and Proactive approaches must be properly balanced. One without the other will not work. If applied correctly, all employees will know what is expected, act appropriately as a matter of course and, last but not least, know the consequences.

On a final note, while the article talks about the use of software programs to monitor compliance, it does not mention what software was being used. Here too, the program must support both the Reactive and Proactive methods. One suite of software that touches both is from a company called Orchestria. Check out what they have on their web site, but don't forget to do some comparison shopping before you buy.

Comments

jerry

Hi George, Great post Man. Thank you!
I would like to add two more to the list: HiveDesk (http://www.hivedesk.com) and HubStaff (http://www.hubstaff.com). Both are pretty solid tools.
I am sure freelancers would love this list, but even digital marketing agencies, small IT firms and outsourcing companies can use these tools to track the time of their remote employees and contractors. It just provides more visibility to clients when you can back up the hours billed with screenshots and time logs.

Paxon

In a workplace we cannot deny that there are some employees who have bad intentions toward the company in order to meet their personal goals. There are also employees who are lazy and spend their time on websites unrelated to work during working hours. Using this employee monitoring software, employers can prevent threats of data leaks and data theft. It also helps improve employees' productivity and limit wasted time. These tools allow employers to take a glimpse of how employees use their computers at work. Here is an article that can give you more information about employee monitoring software and its features:
http://www.timedoctor.com/blog/2011/04/14/compare-screen-monitoring-software
It also discusses what ethical monitoring is. It can help you monitor employees without invading their privacy.

glaszlo

Tom, your comments about the differences in local regulations struck a chord with me.

Not long ago, I did an enterprise risk assessment project for a major multi-national biotech and devices company. With operations all over the world, they recognized that some method had to be found to stay compliant around the globe AND have a single global code of ethics. This is a tough one since your code may be more strict than those of your local competitors. At that point you are potentially at a great competitive disadvantage.

Outside our own industry, just look at the trouble Yahoo ran into in China by turning over site traffic information. Only the Chinese government was happy about this and the image of Yahoo suffered everywhere else.

Closer to home, the transfer of employee data or clinical trial subject data is also problematic. On the latter front, if a company wishes to pool data from a trial in the USA with one in, say, Germany, they need to bulletproof the process so that patient identifier information is not compromised. It is more than likely that one company will be better at instituting this than another. The safeguards need to be procedural and supported by automated methods. I'm not suggesting that the problem is insurmountable, just that it's very complicated. Some companies will get it right. Others will be open to lawsuits and/or suffer from consumer backlash.

Tom Bowers

Interesting thoughts George... and true. Our content monitoring allows both reactive and proactive scanning. More importantly, most large firms (like ours) mandate two forms of agreement (of acceptable use and monitoring) from an employee prior to the use of a corporate computer. The first comes up prior to the network logon client and the other before they are allowed to access applications after logon. We monitor only in those countries where we are legally permitted to do so. As a member of the security function within my company, we follow all U.S. rules for chains of evidence and investigational guidelines for our internal investigations. Lastly, I would note that early case law in the U.S. is compelling the monitoring of employee Internet traffic from corporate computers as part of a "reasonable security" level. This is seen most clearly in cases involving breaches of privacy data from corporate assets by poor employee habits. Examples of this early case law revolve around child pornography, pornography, trade secret and privacy data loss cases. And yes, this is directly contradictory to European and Japanese case law, which mandates privacy rights over corporate rights. Global companies like ours are trying to find that "reasonable balance." In closing, I would note that we researched and tested for two full years before deciding on a vendor and beginning implementation. We worked with our IT, HR and Legal teams before selection and during implementation. This was not done in a vacuum.

With deepest respect,
Tom Bowers
CISSP, PMP
