Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Workplace Privacy: Big Brother Is Watching
Threaded  |  Newest First  |  Oldest First
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
11/4/2014 | 4:04:19 PM
trust
If you can't trust your employees to follow fair and established rules, you've already lost. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/4/2014 | 4:37:06 PM
Re: trust
It doesn't surprise (or bother) me that 77% of people check their social media profiles from work computers or that 49% of women shop online at work during the holiday season (and probably other times of the year as well.) But 20% of men view pornography at work? Really? Hard to imagine that even the EU would sanction that in workplace privacy laws. 

 
dmelnick
50%
50%
dmelnick,
User Rank: Author
11/4/2014 | 6:08:23 PM
Re: trust
@Marilyn, I agree the pornography number is surprising, however examples like the high profile EPA users of pornography that led to congressional hearings illustrate the limited controls enforced in many organizations. All the more surprising with the wide availability and maturity of category based web filtering solutions which could limit this type of activity. Pornography often leads to more complicated employer liability risk around creating a hostile work environment/sexual harassment, and in the case of the EPA story child pornography incidents were reference which are criminal. The EU members are not going to protect employees involved in criminal behavior and generally provide for surveillance associated with investigations into employee activity. 
vnewman2
50%
50%
vnewman2,
User Rank: Strategist
11/4/2014 | 4:59:18 PM
Re: trust
@Thomas - I hear what you're saying but when the rules are antiquated or just obviously don't make any sense, people are going to break them.   Putting all kinds of barriers in place to prevent people from "goofing off" or doing non-work related tasks is near impossible since people can just hop on their personal phone to play games, FB, email, shop, etc.  

The way I feel about it is this: My life does not just stop when I walk in this building.  There will be times when I need to deal with personal issues on the firm's dime.  In the same way, I'm not going to report every second of time I spend checking my work email throughout the night to make sure no one in the office is at a work stoppage.   I feel like it all evens out in the end.

And if my work for day is complete and my projects are current, why can't I go waste some time on Facebook (I don't because that's not my thing, but you get my point).   Or else I could sit here and daydream - you can't police that - yet.   The point I'm getting at is - what's the difference between sitting at your desk drawing doodles and getting on your computer to do bascially the same thing?  I've never understood this kind of mentality.

The only issue I do have is with people who put the entire firm at risk doing stupid things that are outside the confines of their job - visiting rogue sites, circumventing security checkpoints, etc.
vnewman2
50%
50%
vnewman2,
User Rank: Strategist
11/4/2014 | 5:07:33 PM
Re: trust
Further, here's a little anecdote: During graduate school, I worked part-time as the kid's fitness director at a gym.  If I had a guest teacher come in (let's say for gymnastics), I would sit and read a text book because I wasn't allowed to help (liability) or leave the room.  When the class was over, I would clean up the equipment.  I was wiping things down when my boss and her dad (yeah, i know) walked over to my desk, staring down at the book and whispering.  I asked, is everything ok?

She said, "Yeah, we're just looking at this table."  

I quit the next week. 

 
dmelnick
50%
50%
dmelnick,
User Rank: Author
11/4/2014 | 6:14:42 PM
Re: trust
@Thomas, I agree this discussion is partly about "trust" but I think the real debate is about what constitutes "fair" rules?

@vnewman2, thank you for your comments, I appreciate the way you are working to wrestle with what constitutes fair practices. To your point, our lives have blurred between work and personal and I don't think that is necessarily a bad thing. But accepting that co-mingling leads to a discussion about whether an employee should have any rights to a private live in the workplace. I think the Europeans are out in front of the US in thinking deeply about this important 21st century question from a regulatory perspective.
SecOpsSpecialist
100%
0%
SecOpsSpecialist,
User Rank: Moderator
11/5/2014 | 10:17:17 AM
Is it really shocking that companies are watching?
You really have to ask yourself this question: Is it surprising the companies have to watch what it is people are doing? Think about it from this perspective, a company has data that they need to protect, if a person is consistently on Facebook or Twitter, there is a distinct possibility, in the business's mind, that this person could be leaking secrets all over the Internet. So what can companies do?

There's this nifty little thing called URL Filtering, Application Whitelisting and Application Blacklisting which helps to protect the organization. If the organization does it right, they can block social media such as Facebook and Twitter, but leave "professional" sites like LinkedIn available. A business is designed to make money, not lose it. I know when I come to work, I'm being monitored. But the thing is that I also don't do things that I know would get me into trouble. People only complain about "privacy" being invaded when they do something that is against company policy on their computer.

The 20% watching pornography seems like a lot, but quite frankly, it's on the business if they allow it on their computers at all. Products exist on the market to prevent those kinds of things from happening and if the business complains that their users are doing that, then perhaps they should rethink what they actually allow on their work computers.
dmelnick
100%
0%
dmelnick,
User Rank: Author
11/5/2014 | 10:43:13 AM
Re: Is it really shocking that companies are watching?
@SecOpsSpecialist,

You say "People only complain about "privacy" being invaded when they do something that is against company policy on their computer." But what happens when doing anything personal is against company policy. over 70% of companies have Acceptable Use Policies that basically say you cant do personal stuff at work. It seems like we are in a bit of a pickle when the policy is unrealistic. These policies are forcing employees into civil disobedience in a sort of "dont ask dont tell" unwritten policy.
SecOpsSpecialist
50%
50%
SecOpsSpecialist,
User Rank: Moderator
11/5/2014 | 3:12:41 PM
Re: Is it really shocking that companies are watching?
@dmelnick,

You make an interesting point. The thing that we as workers tend to forget is that the reason companies had to create acceptable use policies in the first place is because something bad happened to the organization. Same reason why the silica packets say "do not eat" and why McDonald's coffee says, "caution hot!". Someone did something, regardless of what it was, caused a problem for the organization and the company had to tighten up what they allowed their employees to do.

Quite honestly, by signing an Acceptable Use Policy, you are, in fact, signing an agreement between you and the employer. I can understand from the employee perspective why it seems unfair that they say "you can't go on Facebook" or "you shouldn't login to your bank account." In a way, the company is trying to not only protect themselves, but protect you as well.

Think about it another way, if the company gets hacked, and the hacker is able to get into the company's credentials, what's to stop them from stealing John Smith's bank account information? It's been logged into the company's system that he's accessed it and therefore, he knows that John Smith banks with ABC Bank and has a username of jsmith252. The hacker can then use that to get access to his bank records. Yes, it seems unlikely, but that's often times what happens.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/5/2014 | 3:37:58 PM
Re: Is it really shocking that companies are watching?
It gets more complicated as  more work takes place outside the workplace -- in our homes, on airplanes traveling for business -- or personal reasons. As the lines blur between work and life, how can you tell a person they can't pay a bill online in the office, when they go home and check email at work? 
SecOpsSpecialist
50%
50%
SecOpsSpecialist,
User Rank: Moderator
11/6/2014 | 10:50:39 AM
Re: Is it really shocking that companies are watching?
@Marilyn,


That's a good question actually. Can we reasonably expect that no one is going to do non work related activities on work computers? No. But what we can expect is that if we say that we don't want people viewing adult material on their work laptops, and someone does, we have the reserved right to take disciplinary action against them for violating company policy. As I may have mentioned, there are products out there that can be installed on work laptops to prevent people from going to websites we don't want them to go to. Plus, with logging and log management systems, we can view practically anything on those laptops. By accepting a work laptop, a person is then accepting the responsibility of said laptop into their care and custody. Once at home, if on the work laptop, the person decides to engage in personal activities that are against company policy, technically, the laptop is still company property and therefore is still subjected to the Acceptable Use Policy, even on business trips or in the home.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/6/2014 | 10:59:52 AM
Re: Is it really shocking that companies are watching?
Agree, @SecOpsSpecialist,at least in theory, as I type on my work computer in my home office, (right after checking my personal gmail).  It is indeed a slippery slope we are on with workplace privacy at home -- as well as in the office!


44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0565
PUBLISHED: 2020-02-25
NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.
CVE-2020-9393
PUBLISHED: 2020-02-25
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.
CVE-2020-9394
PUBLISHED: 2020-02-25
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.
CVE-2019-3999
PUBLISHED: 2020-02-25
Improper neutralization of special elements used in an OS command in Druva inSync Windows Client 6.5.0 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.
CVE-2020-8809
PUBLISHED: 2020-02-25
Gurux GXDLMS Director prior to 8.5.1905.1301 downloads updates to add-ins and OBIS code over an unencrypted HTTP connection. A man-in-the-middle attacker can prompt the user to download updates by modifying the contents of gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml. Then, the attacker ...