Employee monitoring: When IT is asked to spy
- — 17 June, 2010 05:28
It's 9:00 in the morning, or 3:00 in the afternoon, or even 10:00 at night. Do you know what your users are up to?
More than ever, IT managers can answer "Oh, yes" to that query.
As corporate functions, including voice and video, converge onto IP-based networks, more corporate infractions are happening online. Employees leak intellectual property or trade secrets, either on purpose or inadvertently; violate laws against sexual harassment or child pornography; and waste time while looking like they are hard at work.
In response -- spurred in part by stricter regulatory, legal and compliance requirements -- organizations are not only filtering and blocking Web sites and scanning e-mail. Many are also watching what employees post on social networks and blogs, even if it's done from home using noncompany equipment.
They are collecting and retaining mobile phone calls and text messages. They can even track employees' physical locations using the GPS feature on smartphones.
More often that not, IT workers are the ones being asked to do the digital dirty work, primarily because they're the people with the technical know-how to get the job done, says Nancy Flynn, executive director of the ePolicy Institute.
Statistics are hard to come by, but Flynn and other industry observers agree that monitoring and surveillance are becoming a bigger part of IT's job.
Michael Workman, an associate professor at the Florida Institute of Technology's Nathan M. Bisk College of Business who studies IT security and behavior at corporations, estimates that monitoring responsibilities take up at least 20% of the average IT manager's time.
Yet most IT professionals never expected they'd be asked to police their colleagues and co-workers in quite this way. How do they feel about this growing responsibility?
Workman says he sees a split among tech workers. Those who specialize in security issues feel that it's a valid part of IT's job. But those who have more of a generalist's role, such as network administrators, often don't like it.
Computerworld went looking for IT managers who would share their experiences and attitudes, and found a wide variety of viewpoints, ranging from discomfort at having to "babysit" employees to righteous beliefs about "protecting the integrity of the system." Read on for their stories.
The reluctant beat cop
Monitoring has become a bigger part of IT's job at ENE Systems Inc., an energy and building automation company in Canton, Mass.
Although the company had already been reconfiguring and improving the security of its IT infrastructure, the implementation of a new state law in March regarding the security of personal data has increased the importance of monitoring online activity, says Barry Thompson, network services manager of the $30 million company, which has 140 employees.
Before, Thompson checked the logs from the company's Microsoft ISA (Internet Security and Acceleration) Server, which tracks what Web sites people access, only if a supervisor suspected an employee of violating the company's stated policies.
Now, one of his five IT staffers regularly reviews the logs, even without a specific request. "That's all he does for one day a week," says Thompson. "He goes through the logs to see if there's anything in there that needs to be exposed or discussed." Activity related to porn, gambling or hate speech automatically raises red flags, he says.
Thompson and his staff aren't exactly comfortable about this. "We're IT guys. We're not babysitters," he says. "It's a difficult position to be in, but it does come with the territory."
It helps that his IT staff is not responsible for confronting violators, only finding them. If a problem pops up, IT staff reports it to Thompson, who then determines whether to report the violation to the employee's supervisor.
He's like the neighborhood beat cop, who might catch kids stealing from the corner store but let them off with a warning the first time. "I do it on a case-by-case basis, based on my own gut feeling about what [the violator is] telling me," he says. "I'm a pretty good judge of whether or not someone's lying."
In the 10 years he's been with the company, Thompson says, he has officially reported inappropriate Internet usage to a supervisor on just two occasions.
The reason for that low number? "We regularly communicate to the rank-and-file employees that all Internet access is monitored and logged, so they know they are being watched," Thompson says. "In my view, that keeps the majority of people honest." (See Employee monitoring done right for more tips.)
In addition to energy and automation systems, ENE Systems provides Web site, e-mail and other IT services to its customers. Thompson says he has seen increased interest in employee monitoring among ENE customers, which include large institutions such as the Boston public school system and State Street Bank. "More and more frequently, our customers want to know, 'What was that guy doing when [his computer] got that virus?' for example."
One customer put Thompson into an ethical dilemma when it asked ENE Systems to secretly install SpectorSoft software on its employees' PCs. SpectorSoft records everything: e-mails, chats, IMs, Web site visits and searches, programs run, files transferred. It even logs keystrokes and takes screenshots.
The owner of the company, a landscaping firm, wanted Thompson's staff to lie if employees asked what they were installing on the PCs. (Although most companies spell out monitoring policies in employee manuals, only two states -- Delaware and Connecticut -- actually require that companies notify employees that they are being monitored.)
Thompson refused. "What he asked us to do crossed the line," says Thompson.
"I told him, 'We'll install the software, we'll help you use the software, we'll help you monitor your employees. If somebody does something wrong, we'll help you collect the information to fire them. We'll do all that, but we're not going to look your employees in the eye and lie about what we're doing.' "
The customer was "a bit unhappy" but accepted Thompson's position.
The legal eagle
"Daryl" -- who requested anonymity -- is an IT manager at a midsize industrial manufacturer in the U.K. He strongly believes that IT has the right, and the duty, to monitor employee activity in order to protect the interests of the company.
He once caught an employee who was engaged in criminal activity involving intellectual property that could have resulted in a big financial loss for the company.
He went straight to the CEO, and the employee was dismissed. (For more on violations that cause employees to lose their jobs, read Corporations crack down on digital delinquents.) The employer didn't press charges, however, because "it would've been very embarrassing for the company," Daryl says.
Daryl's complaint is not that he has to police employees, but that he's not allowed to do it properly.
His graduate-level college courses in information security and forensics taught him how to properly preserve electronic evidence so that it is admissible in U.K. courts. For the information from a laptop to be admissible, he says, the hard drive needs to be removed and cloned, and then the clone is examined while the original evidence is left untouched.
But his bosses aren't interested in that. "The process my managers want me to follow is inappropriate," he says -- namely, they advise him to skip the cloning step and examine the hard drive straight off. "It's highly unlikely that they would ever be able to bring a successful prosecution [because] they insist on using a practice that would invalidate any evidence obtained as a result."
Daryl is an exception when it comes to legal knowledge among IT professionals. It's more common that the IT manager doesn't know how to correctly preserve evidence, and probably doesn't even know what information might be legally relevant, says Jason M. Shinn, an attorney with Lipson, Neilson, Cole, Seltzer & Garin PC who specializes in electronic discovery and technology issues in employment law.
That's why both in-house legal counsel and HR should be involved in monitoring activity, he advises.
Corporations crack down on digital delinquents
Not only do corporations appear to be monitoring their employees more frequently and more closely, but they're also punishing violators more severely when they do get caught -- and some are even terminating employees who violated company policies.
Percentage of companies that terminated employees when they violated stated policies on the use of:
The Internet -- 26%
E-mail -- 26%
Cell phones -- 6%
Instant messaging -- 4%
Text messaging -- 3%
Social networking -- 2%
Video sharing -- 1%
Personal blogs -- 1%
Corporate blogs -- 1%
2009 survey co-sponsored by the American Management Association and The ePolicy Institute.
In addition, 13% of companies surveyed said they review job applicants' social networking sites or personal blogs as part of the interview process, and 3% reported that they have rejected job applicants on the basis of content posted on such sites.
The conscientious objector
"Our department philosophy is that if the users fear us, the job gets 10 times harder," says Dan Olson, IT director at Farstad Oil Inc., a Minot, N.D., company with 500 employees. "Fear leads to coverup and spin. When we are trying to find [the cause of] a problem, what we need is the truth."
Fear of IT used to be a problem at Farstad. In the mid-1990s, after a manager caught an employee spending too much time in online chat rooms, IT was directed to monitor employees and report whenever they were doing anything non-work-related on their PCs.
"We had never agreed to that, nor were we consulted on it," Olson says. He mostly ignored the directive, partly because it was never a written policy, but even so, "the next two years were miserable for [IT], as everyone feared that we would assume they were guilty until proven innocent."
At one point, Farstad management became concerned that employees were using IM, a popular communication method among the company's scattered locations, for personal business. A memo cautioning employees about this caused even more upset among them, says Olson. "I remember one time carrying boxes through accounts receivable and people clicking their mice and quickly closing windows as I walked by."
That fear was counterproductive, says Olson. If employees' PCs caught a virus, for example, Olson would have trouble getting them to tell him what they had been doing or what Web sites they had visited.
Shortly thereafter, Olson persuaded management to ease the restriction. "We explained that we wouldn't be watching [workers] all the time. We would only check the logs if their manager complained that they weren't getting their work done," he says.
The new policy has made for much better working relationships between employees and the IT staff, he notes, with employees more willing to inform IT promptly about technology snafus and IT able to get the information it needs to remedy the problems.
Get used to it
Going forward, companies like Farstad that have policies that favor minimal monitoring are likely to be in the minority. Observers say IT managers can expect to be asked to take on even more monitoring duties, such are reviewing video surveillance, examining text messages, tracking employee location by GPS or listening in on social media.
Larger companies have started to hire third-party firms to monitor what's said about them in the blogosphere and on social media sites, but in many midsize and small companies, this duty could fall to IT.
Will IT managers resist this expansion or chalk it up to just doing their jobs? Florida Institute of Technology's Workman doesn't envision much pushback. "I see them doing it, but I don't see them being completely comfortable with the practice," he says.
How do you feel about being asked to monitor employee behavior? Would you rather not do it, or does it simply come with the IT terrain? Share your thoughts here.
Employee monitoring done right
Experts recommend these steps to protect your company and yourself if you're asked to monitor employees:
* Have a formal Internet usage policy in writing that spells out what employees are and are not allowed to say or do via e-mail and on the Web, including blogs and social networks.
* Explain the rationale behind the policy (that what employees say electronically can expose the company to legal risk, for example), state specifically what is being monitored and how, and lay out the consequences of violating the policy.
* In addition to having new hires read the policy, conduct ongoing training and awareness programs to educate and remind employees.
* Establish clear procedures to follow when IT discovers violations, including who should report the violation and to whom, how it should be documented and who will confront to the violator.
* Ideally, IT, legal and HR should be involved in developing and enforcing the policy. Legal, in particular, should provide guidance on the handling of electronic evidence related to any potential criminal charges or a civil lawsuit. (If your company does not have in-house legal counsel, it should hire an outside attorney with experience in employment law, IT and e-discovery.)
* Remember that you're being monitored, too. Although the IT staff may not realize it, many companies also monitor everyone in the IT department, including executives, says Larry Ponemon, founder and chairman of the Ponemon Institute, a data privacy and security consulting firm. "[IT staff] might be surprised to learn ... that someone is watching the watcher," he says.