employee monitoring business risk

Getting Smart About Employee Monitoring

Protecting enterprise assets has never been tougher. Despite sophisticated tools and technologies to guard data, organizations increasingly find themselves in the crosshairs. Yet, hackers and attackers aren’t the only risks to an organization: Employees, contractors, and others—including criminal gangs that can infiltrate organizations—represent a serious security threat.

What’s more, direct theft isn’t the only business risk. A recent Forrester study pegged the risk of stolen devices or data at 31 percent of security incidents, while misuse of employee accounts represented 27 percent of incidents. “Internal threats cannot be overlooked. They represent a very real risk,” stated Michael A. Silva, owner and principal consultant at Silva Consultants, a Seattle-based security firm.

That’s why employee surveillance is on the rise. Cameras, webcams, GPS tracking devices, key loggers, social media trackers, phone recording systems, and even software that captures text messages and screenshots from personal computers have become the new normal. Yet, it’s critical to use monitoring tools intelligently and effectively—while avoiding the reputational and legal risks associated with extreme surveillance.

Said Edward Stroz, co-president at Stroz Friedberg, an Aon company that specializes in risk management: “Employee monitoring should be done with a sensitivity to the company’s culture.”

Surveillance states

Although laws and regulations vary by country and state, it’s important to recognize that employers are generally allowed to monitor employees and others inside their company. Other than placing cameras in dressing rooms and bathrooms—and security guards rifling through an employee’s purse, wallet, or personal phone—organizations are allowed to do what’s necessary to lock down systems and data.  While some employers might take monitoring too far and create a hostile environment or expose the firm to reputational risk, a balanced approach to security and privacy is possible.

“In the United States, courts have ruled that the owner of any network has the right to know exactly what is happening on that network,” stated John Kindervag, field CTO for Palo Alto Networks (Security Roundtable’s parent company). “[Yet,] an enterprise can monitor activity on the network without knowing what is inside every encrypted flow—including things like personal e-mail accounts—by looking at the size and behavior of the payload, as well as other attributes.” Essentially, the right monitoring system eliminates the need for manual oversight—including managers snooping on employee e-mails and activities, noted Kindervag.

As a rule, employers should closely monitor employee networks, Kindervag pointed out. “Unfortunately, the internal networks of most companies are not monitored deeply,” he said. “This is one of the primary reasons we see major data breaches taking place. Organizations generally monitor what is coming in through the perimeter, but they have little or no interest in monitoring what is happening on the internal network because these are so called ‘trusted users.'” Ultimately, organizations must adopt a Zero-Trust mentality, he explained.

An organization should also examine its specific situation—and risks, Stroz noted. “For example, in financial organizations, email might be routinely monitored, but not so in other industries.” He also pointed out that “monitoring should be used not just to find problems, but also to help manage people in a more effective way.”

Policy matters

Identifying risks and how they could adversely impact the business is the first step to creating a more secure internal framework. Stroz said that there should be a legal basis for any monitoring initiative, and that a multi-disciplinary approach should be used to craft a strategy. “This should involve legal, HR, IT, Security, and Risk Management department heads,” he explained. The focus should always be on “spotting areas that might be distressed and perhaps deserving attention. Also, if an individual shows signs of possible at-risk behavior, this should be discreetly flagged and addressed.”

This framework typically encompasses things such as lost or stolen devices, the improper use of systems and software, and gaining access to restricted data and information. Silva said that policies and procedures are critical—and they are the foundation for any monitoring program. “It’s important to define acceptable practices and unacceptable practices,” he said. “If you leave things up to individual managers or security staff, you could wind up with problems because people view and interpret things differently.”

Automation is critical, Kindervag pointed out. A well-designed system—driven by clear policies and procedures—can analyze traffic and compare the expected behavior of a user with the actual behavior of a user.

“If there is a delta between the two behavioral models, then the organization investigates or automatically blocks the questionable activity,” said Kindervag. “You can introduce a level of automation that virtually eliminates the need for manually addressing issues. It’s possible to establish criteria based on specific factors that are important to a particular organization and know when someone or something is out of bounds.”

This approach replaces the need for managers to manually snoop through employee e-mails and use keyloggers and screenshot-capture software to see what a particular person is doing at any given moment. It also makes it easier to spot when something falls outside the scope of a policy or regulation, such as the EU’s General Data Protection Regulation (GDPR). It dictates how companies handle personal data involving European residents.

According to plan

In the end, it’s essential to develop a security framework that balances protection and privacy. Three components serve as pillars for effective monitoring and robust cybersecurity:

  • Screening. Many problems—and problem employees—can be weeded out during the hiring process. Background checks are a critical component, but it’s also important to review references. Reviewing public-facing social media posts can provide mixed results. The primary focus should be on identifying candidates that can become trustworthy employees.
  • Policy. It’s important to establish clear policies about what employees are allowed to do, what they aren’t allowed to do, and when, how, and where security systems enter the picture. “With policies, you lessen the risk that someone does something outside the boundaries of what’s acceptable or desired,” Silva explained. “Without policies, people might act for legitimate or illegitimate reasons.” He also pointed out that a good policy eliminates surprises and reduces excuses and rationalizations. A person cannot claim he or she inadvertently did something unacceptable.
  • Technology. Today’s digital technology creates enormous challenges on several fronts, including protecting data and intellectual property. But it can also address critical risks and improve security by an order of magnitude. An enterprise should adopt a Zero-Trust approach. This can be achieved with network monitoring that uses more advanced methods to inspect packets, IP addresses, and other criteria, and then analyze the behavior and actions of employees, contractors, and others on the internal network, Kindervag explained.

In the end, Lewis Maltby, president of the National Work Rights Institute, believes that a balanced approach is possible: “The goal should not be to simply avoid legal problems, it should be to establish a sensible policy and effective tools for protecting an enterprise but respecting privacy.”