Perimeter
1/15/2012
01:09 PM
Rich Mogull
Rich Mogull
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

How To Monitor Employees Without Being A Perv

While we need to monitor our employees to protect organization secrets, there's no need to turn the workplace into a bad episode of Big Brother

In my previous post, I talked about all of the nifty tools we have at our disposal to identify, monitor, and protect our information. But here’s a dirty secret: Every single one of these things monitors what your employees are up to. And any good data security strategy includes even more tools that I left off of my list since you probably already use them.

I realize you probably think that I think you’re an idiot for even bringing that up, but I hate to admit that I’ve worked with folks who don’t realize that when you’re monitoring data use, you’re also, sort of, monitoring employee activity. A couple of years ago, I remember talking with an organization that called for help in defining their DLP policies. The conversation went something like this:

Caller: We need help defining our DLP policies.
Me: Great, have you talked to legal and HR yet in case you need to discipline or fire someone?
Caller: Why would we do that? We just want to protect our data.
Me: Well, you understand that you’ll be monitoring employees, right?
Caller: Oh no, we don’t want to watch employees, just data leaks.
Me: Er ... you realize that computers don’t leak data, people do? Kinda like guns don’t kill people ... Caller: Me: When are you picking a product?
Caller: We already picked . It’s been running for a few weeks with all the policies turned on but we need your help defining our process before anyone looks at it.
Me: (crickets)

Our challenge is to monitor employees without having them feel like we’re sifting through their closets looking for their burn box (OK, maybe those are a guy thing).

There are really only a few verticals and companies that need or want to keep track of what every employee is doing on their computers at all time. The rest of us only want to know when someone is doing something that violates a policy and puts us at some sort of risk. Fortunately, most of the modern tools are designed to handle this.

Here is the process I recommend for implementing any kind of employee monitoring ... or updating your current monitoring even if it’s as simple as URL filtering.

The big key to providing employees privacy without increasing your security risk is to rely on event-driven policies. Investigators and managers shouldn’t be allowed to track everything an employee is doing and peek in whenever they want. This is where you open yourself up to legal risk or make your employees feel like they are living in a bad reality TV show. Create discreet policies that rely on technical triggers.

While there are some areas where you need to track more than that (database and file activity, for example), just be clear on how the data is handled and who can see it. For example, I generally advise against providing this data to business unit managers wanting to use it to measure productivity.

The first step is to figure out whether monitoring is even legal, and, if so, there are any limitations. This is mostly an international issue since some countries have various employee privacy laws (don’t worry, you can do pretty much anything you want here in the good old US of A).

Next, you need to check any employment, contractor, or union contracts. And by “you” I mean “your lawyers.” Again, this is typically not an issue in the U.S., but it’s also not the sort of thing you want to get wrong.

The next step is to determine your policies and procedures, then map them to your technology options. For example, if you are using Web filtering or DLP document, what kinds of activity are you monitoring, what activities will violate policies, and the process for handling and escalating violations. You have to map these to technologies to ensure you are actually able to follow and enforce your own policies at the product level.

Here’s a quick example. Your policy might say you monitor all outgoing network traffic for credit card numbers. If a number is detected, then your tool will collect and store the activity during an investigative period. This information is accessible only to investigative staff. If the activity is believed to be accidental, then here’s the process to work with the employee and manager to remediate. If it were malicious, here’s the criteria for involving management, HR, and legal.

In general, policies will include requirements for how data is collected, what’s collected, who can see it, how long it’s stored, and strict guidelines for handling it and escalating to management.

Once you set those up, document everything in human-readable language and notify employees what you are about to do. Better yet, have them sign the policy so you know they know there’s going to be a little brother watching. No one likes anyone sitting over their shoulder, so in that notice be VERY clear that you are only watching for things that put the business at risk, you strive to minimize what data you are collecting to respect their privacy, and you have tight controls over the data.

The rest all comes down to technology implementation and keeping things consistent and updated over time. Uses the policy and detection features of your tools rather than collecting a ton of stuff and manually looking for problems (not that I’ve seen this happen in recent years).

And remember, practically speaking, users already assume you are watching at least some of their activity on corporate networks and applications. The big focus here is when we start collecting data on their computers, email, Web browsing, and other areas that tend to see some personal use.

To review: Make sure it’s legal, set clear policies and boundaries, notify the employees, and rely on technical rules/policies for things that create a risk to the business. As much as people still might not enjoy knowing activity is being watched, at least they know you are making the greatest effort possible to balance personal privacy with business needs.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
aliasgarbabat
50%
50%
aliasgarbabat,
User Rank: Apprentice
11/8/2012 | 2:07:52 PM
re: How To Monitor Employees Without Being A Perv
Good article regarding monitoring employee computers. It helps organizations to keep track of employees work on a daily basis and helps in giving appropriate feedback to employees. In addition to this, IT department of organizations can even have on premise remote support appliance installed such a RHUB to remotely monitor employeeGÇÖs computers.
extralabs
50%
50%
extralabs,
User Rank: Apprentice
3/26/2012 | 12:49:47 PM
re: How To Monitor Employees Without Being A Perv
for example, extraspy is free http://www.extraspy.com/
edwlexvasqz
50%
50%
edwlexvasqz,
User Rank: Apprentice
1/21/2012 | 7:33:29 AM
re: How To Monitor Employees Without Being A Perv
I am working on a school project about marketing. I am working with a software that tracks employees web surf. Please check this link to learn more about this product www.effectivepro.com/?tk=71 please I need the support from many people as possible. Just check the link. I promise this is not a virus. I am a business student at Marriott school of management.
Nick_IT
50%
50%
Nick_IT,
User Rank: Apprentice
1/18/2012 | 12:08:28 PM
re: How To Monitor Employees Without Being A Perv
While we-ádefinitely-áneed to take the insider threat seriously, I would hate to work in an environment where I would feel that I live in a Big Brother House. The first step should be to take tighter control of the privileged user rights and make sure that only users that has a need for it can access such data. Just read an interesting blog post about it:-á
http://kvm-minicom.blogspot.co...
davilee
50%
50%
davilee,
User Rank: Apprentice
1/17/2012 | 3:33:42 AM
re: How To Monitor Employees Without Being A Perv
In this modern world employee monitoring software are more useful which it can allow employers to have a glimpse on how employees use their computer at work. We cannot deny that there are employees who are lazy spending their time on unrelated to work activities. In order to manage employee effectively the company should implement AUP (acceptable use policy). Another is it also good to monitor employees the ethical way. This way you can monitor employee without invading their privacy. Here is an article that can give you information on what is ethical monitoring?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

CVE-2014-2393
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.

CVE-2011-5279
Published: 2014-04-23
CRLF injection vulnerability in the CGI implementation in Microsoft Internet Information Services (IIS) 4.x and 5.x on Windows NT and Windows 2000 allows remote attackers to modify arbitrary uppercase environment variables via a \n (newline) character in an HTTP header.

CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Best of the Web