Is employee monitoring necessary to a security strategy?
There are two answers to this question. First, employee monitoring is very much a security issue, when you consider intellectual property losses. It's absolutely required if you want to get a true perspective on what's entering and leaving the corporate network.
On the other hand, employee monitoring should not be 'owned' by the IT or security department; it is a management, legal and human resources issue. Employee monitoring could also be tied into risk management as well, which, in many cases, does tie back into security.
I think IT/security should help enable and manage the technology related to employee monitoring, but not have to draw up and enforce the policies associated with it. So, yes, employee monitoring should be part of the overall security strategy, with concessions that other departments will be involved.
When is employee monitoring a bad idea? When is it a good idea?
Employee monitoring is a bad idea when one person (usually the network admin) is the judge, jury and executioner. Again, employee monitoring is an HR issue that should not be owned by IT/security. It's also a bad idea -- bad enough that it's not worth doing -- when it's done without policies that employees are educated on, consistently reminded of and sign off on, saying that they understand what's being done. It's also a bad idea when it's used for Big Brother and micromanagement purposes. Organizations would be better off not doing it if they're going to scrutinize their employees' every move. If it creates a morale problem (and it will if it's not handled properly) all of its value is diminished. It must be done for business purposes, and this must be communicated to the employees. Zero tolerance won't work here either, just like it doesn't work in any other situation. There must be discretion and objectivity. Do you really want to reprimand an employee for reading the day's headline news?
What are some common mistakes of deploying an employee-monitoring system? How do organizations implement an effective and comprehensive employee-monitoring program? What are the components of a successful plan?
The biggest mistake is not creating and communicating a policy on it. Micromanagement and monitoring of every single thing that's done is not good either. I would recommend enabling monitoring -- if it makes good business sense (and it usually does) -- to block off-color Web sites and keywords in e-mails, and filter for critical intellectual property keywords in Web and e-mail use. Nobody has time to monitor employees full time. Put it in place and use it as needed, when misuse is suspected or when an alert is sounded. Also, enable logging before an incident occurs so that you can show that employee monitoring logging was taking place as a normal business practice, which can help in court later. Bottom line: Create the policies and use technology to enforce them.
Can you give me some examples of employee monitoring gone wrong?
I see it being abused all the time. It always seems to be when the IT/security department owns it and HR/management are not the sole entities to manage [the process] and monitor. Employees need to be aware of this as well, because it often serves to give IT/security a bad name and can lower morale. Employees are well advised to not communicate or do anything that they wouldn't want the entire world to hear or see -- whether it's HR or management monitoring for legitimate purposes or a rogue network admin monitoring because he has nothing better to do.
Don't workers have a right to privacy even in the office? How would you define privacy? How is it defined legally? Where do organizations draw the line?
Privacy is a personal right to keep others out of your business and keep things to yourself. The problem is that this definition changes from one person to the next. I'm not a lawyer, but from what we're seeing in the U.S., employers have most of the rights. If employees are using company equipment, then it's fair game for the company to perform employee monitoring. And that trend seems reasonable to me. There are exceptions to this, though. There are various laws on the books that might affect employee monitoring, and it just depends on the situation, with laws like:
- Civil Rights Act
- Electronic Communications Privacy Act
- Fair Labor Standards Act
- National Labor Relations Act
- Various state laws
[The U.S.] Constitution and Bill of Rights don't even mention privacy. However, newer federal and state laws that have been enacted over the past few decades are changing that -- and I think more are coming. In Europe and other countries, employees have the upper hand -- perhaps that's where we're headed here in the U.S.
What are the benefits of employee monitoring?
There are several benefits:
- Enhance employee productivity (the most popular benefit) -- sometimes called performance optimization.
- Help catch trade secrets leaving the company.
- Protect the employees and business from sexual harassment, defamation or illegal activity lawsuits.
- Some are using it to help with Homeland Security initiatives.
- Get a hold on network bandwidth consumption and storage space usage.
- Help with network capacity planning.
SurfControl published a study a few years back -- when the problem wasn't as bad as it is today -- showing that non-business-based Internet browsing costs the average corporation $35 million per 1,000 employees.