Are You Big Brother?
Most of us don’t want to be Big Brother. We don’t like the idea of “spying” on our employees. We don’t like the taste of infringing on someone’s privacy because we value our own. However, what you don’t know will hurt you and may hurt you in a court of law. Fortunately, technology has made our job a lot easier.
The most common monitoring components are email, Internet, and phone usage abuse. The AMA/ePolicy Institute provides the results of a survey completed in 2005 on this very topic. The survey states: “When it comes to workplace computer use, employers are primarily concerned about inappropriate Web surfing, with 76% monitoring workers’ Website connections. Fully 65% of companies use software to block connections to inappropriate Websites—a 27% increase since 2001 when AMA and ePolicy Institute last surveyed electronic monitoring and surveillance policies and procedures in the workplace.”
Internet use monitoring is perhaps one of the easier types of monitoring to implement, which may be the reason statistics are higher for this type. Another good reason is that port 80 (HTTP) is one of the biggest legitimate holes intentionally created in most firewalls. When port 80 is open, additional tools and technology are needed to filter or block unacceptable web access.
While employees have realized that using corporate email for personal use or dishonest use is not a good idea, they haven’t stopped using email. Most rely on web-based email, such as Yahoo, Gmail, and Hotmail, for communications. Even companies that have Internet usage policies allow employees to use webmail for occasional and personal use. I would get upset if the organization I worked for prevented me from using my personal webmail while at work because that is how I communicate with my children and spouse during the work day. As a security professional and an Information Security Officer, if I could, I would block webmail completely and forever because I think it is a great security risk. There’s the rub.
As in everything, balance is the key. While tools, such as SurfControl, Websense, and GFI WebMonitor, can help organizations gain control, it is very important to make sure that the data collected from the monitoring tools become HR’s responsibility. Usage reports can be emailed to a distribution list on a daily, weekly, or monthly basis. It is important that the distribution list include senior managers in HR, IT, Information Protection, and Operations, not rank and file employees in security and IT. As always, company policy is the foundation for all actions. Ahead of implementing any monitoring technologies, time has to be taken to formulate the policies and procedures that will support employee monitoring.