Establishing Digital Trust: Don't Sacrifice Security for Convenience
It's all about the security.
Increasingly, security managers and IT managers are looking down the barrel of employing monitoring software. And it's not always for monitoring the perimeter. More and more of it is geared to monitoring people inside the company -- scanning incoming and outgoing emails for certain words that might warn of corporate information being leaked, logging keystrokes, and keeping track of what Web sites workers are going to.
And security analysts agree that it's a necessary step to take, even if monitoring people you have coffee with in the break room doesn't feel exactly right.Despite most people's fears that hackers will break into the company and destroy data or steal critical information, more often than not, security breaches come from the inside. It's the company's own employees -- the man working in HR, the office manager -- who are wreaking havoc. They're snooping into colleagues' personnel files. They're changing their own records. They're even being paid by competitors to sneak key marketing or engineering plans out of the office.
"Insider risk is still the single highest potential loss that a company has," says Dan Woolley, a vice president at SilentRunner, a network security company. "We know historically that there are huge amounts of potential risk associated with insider use of technology. It could be as simple as someone leaving a wireless connection open. Or if somebody becomes disgruntled or doesn't like another employee, she can do things that will cost the corporation a lot of money. That's where you've got to be really careful."
Gartner Inc., an industry analyst firm, reports that most financial losses come at the hands of insiders -- either working alone or with someone outside the company. Other analyst firms suggest that as much as 70% to 90% of security breaches come from the inside.
And face it, it's the employees -- not the kid home alone after school and not even paid corporate saboteurs -- who know how best to hurt the company. They can more easily guess at the boss's password. Maybe they've even seen the password on a Post-It stuck to her monitor. They know when new projects are being planned out. They probably even know where the key information is stored away.
It's all right there for the taking for anyone who has the motive to go get it.
"Look, we could be talking about people being paid $20,000 or $30,000 a year," says Woolley. "They're being enlisted by people saying, 'How would you like us to pay for your daughter to go to college? You just need to get us some information. How about $5,000?' Corporate data is very critical, but corporate networks are very porous. This happens a lot more than we'd like to think it does."
The figures about insider-based security problems are enough to make IT managers look twice at the colleagues he's passing in the hallway or sitting beside in monthly meetings. But monitoring them is still not always an easy step to take.
"Security managers and CIOs are well aware of the threat posed by insiders, but often find it easier technically and politically to take action against external threats instead," says Victor S. Wheatman, managing vice president for Gartner. "Businesses must take steps to secure themselves against criminally intent insiders or resign themselves to suffering significant losses from insider crimes."
What About Employees' Rights?
Once IT managers get around the fact that they're monitoring their employees and the fact that it's going to take another bite out of their already dwindling budgets, then they have to figure out what they have the right to monitor. Do employees have the right to expect privacy in the workplace?
No, say most industry experts. When it comes to using the company network, company computers, the corporate email system, even the company phone system, everything that crosses those connections is company information. If an employee is shopping online during his lunch break, it's the company's business. If another employee is sending an email to his college roommate, the company has the right to read it. If a worker is checking her personal HotMail account, the company even has a right to read that since she's checking it over the corporate network and on the corporate computer.
"The law says that there should be no expectation of privacy in electronic documents and email," says Vincent Schiavone, president of Philadelphia-based ePrivacy Group Inc. "No employee should expect privacy in the workplace. The companies have a requirement to maintain a safe workplace. That's hard to do. They have a requirement to have adequate security on the system."
But they also have a requirement to set up a clearly stated policy regarding employee usage of the Internet and email. If a company is going to monitor employees, that also needs to be in the policy and employees need to be educated about it, says Mark Rasch, senior vice president and chief security counsel of Omaha, Neb.-based Solutionary, Inc.
"You have to tell employees that you intend to monitor email, Internet use..." says Rasch, who notes that monitoring policies take a lot of planning and should involve HR, the legal team, IT and business executives. "You have to have the policies well posted and well-known in the company. You have to have the employee's consent for legal reasons."
Rasch says federal and state wire tapping laws require employee notification of all in-house monitoring. The federal Electronic Communications Privacy Act extends wiretapping laws to electronic records, which includes email and web browsing.
"You don't want people to be caught by surprise," adds Rasch. "You don't want people to think they have privacy when they don't. You need to spell out to employees that you plan to look at all that stuff. If you don't plan to look at it, then spell that out as well."
Rasch says employers really need to drive home the point with workers that they shouldn't expect privacy in the workplace. Give them specifics. If the company wants to be able to monitor personal emails sent over company computers but on a personal Yahoo account, tell them so. If the company plans on monitoring keystrokes when an employee is checking her online bank account, tell them so. If employees shouldn't be doing anything personal on company time, spell that out.
"You've got to set up their expectations," adds Rasch. "People say they have no expectation of privacy and then they act like they do... One of the problems is that people's expectations of privacy are based not only on the policy but on how the policy is enforced. If you have a usage policy that's never enforced or enforced indiscriminately, then people develop expectations of privacy. Then they'll be shocked and upset when you do monitor them."