Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Workplace Privacy: Big Brother Is Watching
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/6/2014 | 10:59:52 AM
Re: Is it really shocking that companies are watching?
Agree, @SecOpsSpecialist,at least in theory, as I type on my work computer in my home office, (right after checking my personal gmail).  It is indeed a slippery slope we are on with workplace privacy at home -- as well as in the office!
SecOpsSpecialist
SecOpsSpecialist,
 User Rank: Moderator
11/6/2014 | 10:50:39 AM
Re: Is it really shocking that companies are watching?
@Marilyn,


That's a good question actually. Can we reasonably expect that no one is going to do non work related activities on work computers? No. But what we can expect is that if we say that we don't want people viewing adult material on their work laptops, and someone does, we have the reserved right to take disciplinary action against them for violating company policy. As I may have mentioned, there are products out there that can be installed on work laptops to prevent people from going to websites we don't want them to go to. Plus, with logging and log management systems, we can view practically anything on those laptops. By accepting a work laptop, a person is then accepting the responsibility of said laptop into their care and custody. Once at home, if on the work laptop, the person decides to engage in personal activities that are against company policy, technically, the laptop is still company property and therefore is still subjected to the Acceptable Use Policy, even on business trips or in the home.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/5/2014 | 3:37:58 PM
Re: Is it really shocking that companies are watching?
It gets more complicated as  more work takes place outside the workplace -- in our homes, on airplanes traveling for business -- or personal reasons. As the lines blur between work and life, how can you tell a person they can't pay a bill online in the office, when they go home and check email at work? 
SecOpsSpecialist
SecOpsSpecialist,
 User Rank: Moderator
11/5/2014 | 3:12:41 PM
Re: Is it really shocking that companies are watching?
@dmelnick,

You make an interesting point. The thing that we as workers tend to forget is that the reason companies had to create acceptable use policies in the first place is because something bad happened to the organization. Same reason why the silica packets say "do not eat" and why McDonald's coffee says, "caution hot!". Someone did something, regardless of what it was, caused a problem for the organization and the company had to tighten up what they allowed their employees to do.

Quite honestly, by signing an Acceptable Use Policy, you are, in fact, signing an agreement between you and the employer. I can understand from the employee perspective why it seems unfair that they say "you can't go on Facebook" or "you shouldn't login to your bank account." In a way, the company is trying to not only protect themselves, but protect you as well.

Think about it another way, if the company gets hacked, and the hacker is able to get into the company's credentials, what's to stop them from stealing John Smith's bank account information? It's been logged into the company's system that he's accessed it and therefore, he knows that John Smith banks with ABC Bank and has a username of jsmith252. The hacker can then use that to get access to his bank records. Yes, it seems unlikely, but that's often times what happens.
dmelnick
dmelnick,
 User Rank: Author
11/5/2014 | 10:43:13 AM
Re: Is it really shocking that companies are watching?
@SecOpsSpecialist,

You say "People only complain about "privacy" being invaded when they do something that is against company policy on their computer." But what happens when doing anything personal is against company policy. over 70% of companies have Acceptable Use Policies that basically say you cant do personal stuff at work. It seems like we are in a bit of a pickle when the policy is unrealistic. These policies are forcing employees into civil disobedience in a sort of "dont ask dont tell" unwritten policy.
SecOpsSpecialist
SecOpsSpecialist,
 User Rank: Moderator
11/5/2014 | 10:17:17 AM
Is it really shocking that companies are watching?
You really have to ask yourself this question: Is it surprising the companies have to watch what it is people are doing? Think about it from this perspective, a company has data that they need to protect, if a person is consistently on Facebook or Twitter, there is a distinct possibility, in the business's mind, that this person could be leaking secrets all over the Internet. So what can companies do?

There's this nifty little thing called URL Filtering, Application Whitelisting and Application Blacklisting which helps to protect the organization. If the organization does it right, they can block social media such as Facebook and Twitter, but leave "professional" sites like LinkedIn available. A business is designed to make money, not lose it. I know when I come to work, I'm being monitored. But the thing is that I also don't do things that I know would get me into trouble. People only complain about "privacy" being invaded when they do something that is against company policy on their computer.

The 20% watching pornography seems like a lot, but quite frankly, it's on the business if they allow it on their computers at all. Products exist on the market to prevent those kinds of things from happening and if the business complains that their users are doing that, then perhaps they should rethink what they actually allow on their work computers.
dmelnick
dmelnick,
 User Rank: Author
11/4/2014 | 6:14:42 PM
Re: trust
@Thomas, I agree this discussion is partly about "trust" but I think the real debate is about what constitutes "fair" rules?

@vnewman2, thank you for your comments, I appreciate the way you are working to wrestle with what constitutes fair practices. To your point, our lives have blurred between work and personal and I don't think that is necessarily a bad thing. But accepting that co-mingling leads to a discussion about whether an employee should have any rights to a private live in the workplace. I think the Europeans are out in front of the US in thinking deeply about this important 21st century question from a regulatory perspective.
dmelnick
dmelnick,
 User Rank: Author
11/4/2014 | 6:08:23 PM
Re: trust
@Marilyn, I agree the pornography number is surprising, however examples like the high profile EPA users of pornography that led to congressional hearings illustrate the limited controls enforced in many organizations. All the more surprising with the wide availability and maturity of category based web filtering solutions which could limit this type of activity. Pornography often leads to more complicated employer liability risk around creating a hostile work environment/sexual harassment, and in the case of the EPA story child pornography incidents were reference which are criminal. The EU members are not going to protect employees involved in criminal behavior and generally provide for surveillance associated with investigations into employee activity. 
vnewman2
vnewman2,
 User Rank: Strategist
11/4/2014 | 5:07:33 PM
Re: trust
Further, here's a little anecdote: During graduate school, I worked part-time as the kid's fitness director at a gym.  If I had a guest teacher come in (let's say for gymnastics), I would sit and read a text book because I wasn't allowed to help (liability) or leave the room.  When the class was over, I would clean up the equipment.  I was wiping things down when my boss and her dad (yeah, i know) walked over to my desk, staring down at the book and whispering.  I asked, is everything ok?

She said, "Yeah, we're just looking at this table."  

I quit the next week. 

 
vnewman2
vnewman2,
 User Rank: Strategist
11/4/2014 | 4:59:18 PM
Re: trust
@Thomas - I hear what you're saying but when the rules are antiquated or just obviously don't make any sense, people are going to break them.   Putting all kinds of barriers in place to prevent people from "goofing off" or doing non-work related tasks is near impossible since people can just hop on their personal phone to play games, FB, email, shop, etc.  

The way I feel about it is this: My life does not just stop when I walk in this building.  There will be times when I need to deal with personal issues on the firm's dime.  In the same way, I'm not going to report every second of time I spend checking my work email throughout the night to make sure no one in the office is at a work stoppage.   I feel like it all evens out in the end.

And if my work for day is complete and my projects are current, why can't I go waste some time on Facebook (I don't because that's not my thing, but you get my point).   Or else I could sit here and daydream - you can't police that - yet.   The point I'm getting at is - what's the difference between sitting at your desk drawing doodles and getting on your computer to do bascially the same thing?  I've never understood this kind of mentality.

The only issue I do have is with people who put the entire firm at risk doing stupid things that are outside the confines of their job - visiting rogue sites, circumventing security checkpoints, etc.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file