Should you spy on your employees?
Why, when, and how to electronically monitor your staff
Brian Martin
DSIC Security Group
February 2001
If you run a warehouse, you can spot pilfering by the number of empty boxes, or perhaps by noticing that employees are walking out with TV sets on their way home. But how do you spot abuse when yours is a knowledge warehouse? Brian Martin explores the controversial subject of electronically monitoring employee behavior.
Each day a significant portion of our working society spends the day trapped in a cubicle or office. They toil away over corporate owned computers trying to further the goals of their employers. Whether they work in a startup or corporate environment, employees are working up to sixteen hours a day on their computer, while their breaks and lunches often get melded into work time. As a result, breaks are spent checking personal e-mail, stock prices, online news, comic strips, and more. As a general rule, companies do not mind a little casual Internet usage that is not work-related, provided it does not violate company rules or interfere with assigned duties.
But what happens when an employee abuses the privilege or begins to consume too much work time using the Internet for personal reasons -- spending weeks looking for (or even performing) another job, or lost among MUDs and MOOs, or posting or viewing questionable material on the Web, such as hate speech or pornography? Some managers feel that employee monitoring displays a lack of trust and is not 'nice.' What they must consider is that while it is not friendly, neither is being patted down before concerts or searched at airports. Yet we tolerate these things in order to enjoy a safer atmosphere that benefits everyone in the long run.
According to an American Management Association report, 78 percent of major U.S. firms record and review employee communications and activities, including phone calls, e-mail, Internet activity, and computer files (this number is double what it was in 1997). Twenty-two percent of the companies that engage in these activities don't tell their employees they are doing so. While the 78 percent of companies that monitor employees may be a surprising number to many folks, what should be of bigger interest is the 22 percent of companies that do not notify employees of corporate monitoring.
With all the buzz about employee monitoring, Internet privacy, spyware, and legislation governing corporate behavior, this should be a pressing concern in the minds of management everywhere. Regardless of the final decision on whether or not to monitor employee activity, a monitoring policy should be created to help protect your company in more ways than one. Not only must you protect yourself from the potential of information leakage and loss of productivity, you must establish the policy in case litigation comes around that deals with employee monitoring.
Deciding on a monitoring policy
The biggest decision executive management will face is whether or not
they should establish some form of work place monitoring. While it may seem
like a good idea to monitor employee performance at any level, there are
a few points you should consider before moving in that direction.
Creating an office environment integrated with stealthy employee monitoring does not convey a friendly work atmosphere. When each worker sits down at their desk, they often suspect that every keystroke and every action on the computer may be monitored. A healthy dose of paranoia is quick to follow. For those wanting a quick peek at a Web site with non-work related material, or a chance to check personal e-mail, the idea that they are somehow breaking company policy lingers over them. Regardless of whether those actions actually violate company rules, it brings about thoughts of a fascist administration overseeing every little keystroke, unable to trust the people that have pledged to work for them.
For those who feel a quick break surfing any Web site is acceptable, these employees may begin to look for ways around the system. At this point, it is a challenge between your IT administration and the employee looking for unmonitored Internet access. On one side are the employees who desire private Internet usage, looking for any weak point in the monitoring policy or software so they may circumvent it. On the other side are the network administrators responsible for enforcing the monitoring policy, looking to close any small hole which may allow employees to abuse company time and resources. This techie battle has the power to quickly spiral downhill at an alarming rate, causing a variety of problems that each take away from productive time.
Rather than create an untrusting, Orwellian office, it is recommended that the employer make it well known if monitoring is taking place, as well as what type of monitoring occurs. While some may interpret this big brother atmosphere as a sign of lacking trust, it will score points with your workers in honesty. As people in your organization use the computer and network, they have no doubts about what is and is NOT being monitored. This may seem to be a trivial difference, but if you have the right to monitor all employee work activity, don't they have a right to know it? Establishing trust is one of the only ways you may set your workforce's minds at ease with regard to monitoring.
Is the goal of this monitoring to enhance security in your organization? To prevent security vulnerabilities, or information leakage? Or is the desire to maintain employee productivity by denying access to questionable sites? The policy must reflect exactly why the monitoring is to take place. You can spot a lack of productivity without monitoring -- not so with pilfered intellectual property, or security violations.
What do you want to monitor?
Once you have determined if employee monitoring will take place, you
must then decide what exactly will be scrutinized. Computer network traffic
is not all lumped into the same category by any means. One of the most
prevalent types of monitoring currently utilized throughout corporations
is that of Web traffic. With tens of thousands of new pages being added
to the Internet each day, one can find information or pictures on virtually
any topic they desire. Obviously, a significant portion of these pages
will fall outside the scope of information required to fulfill their daily
tasks. Because of the wide variety of human interests and the abundance
of information available via company owned resources, it is natural for
one to spend time on various topics. Other interests such as sexual fetishes
or pornography are clearly not appropriate in the work atmosphere and should
be monitored closely, as these activities could cause discomfort to other
workers.
Looking beyond simple Web traffic, you must consider monitoring electronic e-mail, telnet and other interactive sessions, phone calls, and more.
Employees sending mail to and from the office can easily leak sensitive information to friends or mailing lists. Often times these leaks are accidental. For example, system engineers posting to mailing lists asking for help with a technical problem may include the type of firewall you run, the patch level or version, configuration options, internal IP addresses, and other information that could be used by someone to compromise your network.
As e-mail passes through the mail system, the solution is to scan for keywords determined by the monitoring policy. Trying to monitor interactive communication requires installing a network sniffer that must examine a steady stream of traffic. This solution takes more computer power and more overhead, which may not be as desirable.
Monitoring interactive communication such as telnet, rlogin, Internet Relay Chat (IRC), or others, may pose more difficulty and turn into more trouble than its worth. Not only is the technical solution for this type of monitoring more difficult, it creates even more traffic that must eventually be examined by your staff.
Who monitors?
Once you have determined your employee monitoring policy, as well as
which aspects of the computer network traffic you will keep tabs on, you
must assign the task to the appropriate staff. Who will implement the technical
side of the monitoring?
Because of the sensitivity of the issue, many companies prefer to bring in outside consultants to discreetly set up the monitoring so as not to alarm or concern employees. Companies that have their own computer security staff may delegate the task to them since information security is another reason for computer traffic monitoring. If there is no dedicated security personnel, does the task fall onto the regular IT Staff? Are either of these groups qualified to monitor computer traffic, or should their job be to generate summary reports and pass them on to management?
Other concerns develop if the job is passed on to management. Will the manager in charge of the reports really read them each and every day? In skimming through these dry and long reports, it is easy to miss little characteristics that could spell out a larger problem. If these reports end up in a circular file (that is, trash can), then the entire solution and time devoted to installation of such measures has become useless.
Who monitors the monitors?
As much as you may hate to admit it, employee trust is not absolute
at any level. It isn't just lowly techs and data processors that could
pose a threat to your organization. Often times high level managers are
in a better position to hurt the company, regardless of intention. With
better access to valuable information, and with more ability to move throughout
the organization unchallenged, it is often trivial for executive
management to violate company policy regarding the security of corporate
secrets.
If the IT or Security staff is elected to oversee the monitoring activity, who will verify that they themselves are not abusing the power bestowed upon them? This abuse can come in the form of their own activity, or simply overlooking the activities of their close friends.
How do you monitor?
Fortunately for you, a wide variety of products and solutions exist
to perform these tasks for you. Products like E-Sniff, SilentRunner, and
dozens of others exist as commercial solutions and responses to the problems
and questions outlined above. With several off-the-shelf
solutions designed to plug directly into your existing network, the
choice boils down to a product that produces readable output. Using the
E-Sniff product as an example, you can begin to see how many of these products
make it very easy to add filtering based on a keyword, network address,
and more.
When implementing the solution to the problem, you must weigh several factors that could affect your network. If the solution resides on a firewall or router, it could slow down network performance and hinder legitimate employee activity. On larger networks, traffic may be routed through different proxies or machines forcing you to implement a more expensive solution that requires more machines or software licensing.
Consequences and legalities
Before any of the above questions can be answered, your company must
turn to the lawyers to advise you on all the laws that govern this type
of activity.
They must advise you on how to implement such monitoring without violating the rights of your employees. For companies that are spread out over several states or countries, the laws may change from office to office. In most cases where monitoring takes place, companies should add warning banners on servers or desktops that notify their employees that monitoring MAY take place. It may take modification of the employee Acceptable Use Policy (AUP) and a new copy signed by each employee.
As with many 'digital issues', the laws are not yet fully defined. The task discussed above is much easier said than done, as the corporate lawyers will be hard pressed to find public examples or existing case law.
Last thoughts
Employee monitoring may not seem like a productive measure or valuable
use of company time and resources. Regardless of this, it may well
become as necessary an evil in the corporate environment as security guards,
inventory, or regular auditing are now. Even if your company is just starting
out -- perhaps, especially if it is -- it is easier to implement complex
policies like employee monitoring earlier, rather than later.
Resources
About the author
Brian Martin, of the DSIC Security Group, has been involved in computers
since the early 1980s. His experience spans from first-generation home
computers to large scale servers powering the most current business applications.
Working in the computer security industry for the past five years, he has
provided security audit and penetration assessment for foreign banks, Fortune
500 companies, and the U.S. Department of Defense. He has provided training
and consultation for the Federal Bureau of Investigation, Defense Criminal
Investigative Services, and the National Security Agency. In recent months,
Brian's articles focusing on security issues have been widely circulated
on the Internet, corporate newsletters,and print magazines. You can contact
him at bmartin@attrition.org.