Employee Monitoring: When IT Is Asked to Spy
It's 9:00 in the morning, or 3:00 in the afternoon, or even 10:00 at night. Do you know what your users are up to?
More than ever, IT managers can answer "Oh, yes" to that query.
As corporate functions, including voice and video, converge onto IP-based networks, more corporate infractions are happening online. Employees leak intellectual property or trade secrets, either on purpose or inadvertently; violate laws against sexual harassment or child pornography; and waste time while looking like they are hard at work.
In response -- spurred in part by stricter regulatory, legal and compliance requirements -- organizations are not only filtering and blocking Web sites and scanning e-mail. Many are also watching what employees post on social networks and blogs, even if it's done from home using noncompany equipment.
They are collecting and retaining mobile phone calls and text messages. They can even track employees' physical locations using the GPS feature on smartphones.
More often than not, IT workers are the ones being asked to do the digital dirty work, primarily because they're the people with the technical know-how to get the job done, says Nancy Flynn, executive director of the ePolicy Institute.
Statistics are hard to come by, but Flynn and other industry observers agree that monitoring and surveillance are becoming a bigger part of IT's job.
Michael Workman, an associate professor at the Florida Institute of Technology's Nathan M. Bisk College of Business who studies IT security and behavior at corporations, estimates that monitoring responsibilities take up at least 20% of the average IT manager's time.
Yet most IT professionals never expected they'd be asked to police their colleagues and co-workers in quite this way. How do they feel about this growing responsibility?
Workman says he sees a split among tech workers. Those who specialize in security issues feel that it's a valid part of IT's job. But those who have more of a generalist's role, such as network administrators, often don't like it.
Computerworld went looking for IT managers who would share their experiences and attitudes, and found a wide variety of viewpoints, ranging from discomfort at having to "babysit" employees to righteous beliefs about "protecting the integrity of the system." Read on for their stories.
The reluctant beat cop
Monitoring has become a bigger part of IT's job at ENE Systems Inc., an energy and building automation company in Canton, Mass.
Although the company had already been reconfiguring and improving the security of its IT infrastructure, a new state law on the security of personal data that took effect in March has made monitoring online activity more important, says Barry Thompson, network services manager at the $30 million, 140-employee company.
Before, Thompson checked the logs from the company's Microsoft ISA (Internet Security and Acceleration) Server, which tracks what Web sites people access, only if a supervisor suspected an employee of violating the company's stated policies.
Now, one of his five IT staffers regularly reviews the logs, even without a specific request. "That's all he does for one day a week," says Thompson. "He goes through the logs to see if there's anything in there that needs to be exposed or discussed." Activity related to porn, gambling or hate speech automatically raises red flags, he says.
Thompson and his staff aren't exactly comfortable about this. "We're IT guys. We're not babysitters," he says. "It's a difficult position to be in, but it does come with the territory."
It helps that his IT staff is not responsible for confronting violators, only finding them. If a problem pops up, IT staff reports it to Thompson, who then determines whether to report the violation to the employee's supervisor.
He's like the neighborhood beat cop, who might catch kids stealing from the corner store but let them off with a warning the first time. "I do it on a case-by-case basis, based on my own gut feeling about what [the violator is] telling me," he says. "I'm a pretty good judge of whether or not someone's lying."
In the 10 years he's been with the company, Thompson says, he has officially reported inappropriate Internet usage to a supervisor on just two occasions.
The reason for that low number? "We regularly communicate to the rank-and-file employees that all Internet access is monitored and logged, so they know they are being watched," Thompson says. "In my view, that keeps the majority of people honest." (See Employee monitoring done right for more tips.)
In addition to energy and automation systems, ENE Systems provides Web site, e-mail and other IT services to its customers. Thompson says he has seen increased interest in employee monitoring among ENE customers, which include large institutions such as the Boston public school system and State Street Bank. "More and more frequently, our customers want to know, 'What was that guy doing when [his computer] got that virus?' for example."
One customer put Thompson into an ethical dilemma when it asked ENE Systems to secretly install SpectorSoft software on its employees' PCs. SpectorSoft records everything: e-mails, chats, IMs, Web site visits and searches, programs run, files transferred. It even logs keystrokes and takes screenshots.
The owner of the company, a landscaping firm, wanted Thompson's staff to lie if employees asked what they were installing on the PCs. (Although most companies spell out monitoring policies in employee manuals, only two states -- Delaware and Connecticut -- actually require that companies notify employees that they are being monitored.)
Thompson refused. "What he asked us to do crossed the line," says Thompson.
"I told him, 'We'll install the software, we'll help you use the software, we'll help you monitor your employees. If somebody does something wrong, we'll help you collect the information to fire them. We'll do all that, but we're not going to look your employees in the eye and lie about what we're doing.' "
The customer was "a bit unhappy" but accepted Thompson's position.
The legal eagle
"Daryl" -- who requested anonymity -- is an IT manager at a midsize industrial manufacturer in the U.K. He strongly believes that IT has the right, and the duty, to monitor employee activity in order to protect the interests of the company.
He once caught an employee who was engaged in criminal activity involving intellectual property that could have resulted in a big financial loss for the company.
He went straight to the CEO, and the employee was dismissed. (For more on violations that cause employees to lose their jobs, read Corporations crack down on digital delinquents.) The employer didn't press charges, however, because "it would've been very embarrassing for the company," Daryl says.
Daryl's complaint is not that he has to police employees, but that he's not allowed to do it properly.
His graduate-level college courses in information security and forensics taught him how to properly preserve electronic evidence so that it is admissible in U.K. courts. For the information from a laptop to be admissible, he says, the hard drive needs to be removed and cloned, and then the clone is examined while the original evidence is left untouched.
But his bosses aren't interested in that. "The process my managers want me to follow is inappropriate," he says -- namely, they advise him to skip the cloning step and examine the hard drive straight off. "It's highly unlikely that they would ever be able to bring a successful prosecution [because] they insist on using a practice that would invalidate any evidence obtained as a result."
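The procedure Daryl describes (image the drive, examine the image, never touch the original) is what makes evidence defensible, and the step that proves it was followed is hashing: the original before and after acquisition, and the image itself, all recorded with who did what and when. The following is an added example, not Daryl's or the article's tooling; it models the procedure on an ordinary file standing in for a laptop disk, adds the SHA-256 verification and chain-of-custody logging the article does not spell out, and then demonstrates the failure mode his managers invite by writing to the original after imaging. The file names, the `examiner` label and the sample disk contents are constructed for illustration.

```python
"""Forensic imaging with integrity verification (added example).

Models: copy the drive, examine the copy, leave the original untouched.
Adds: SHA-256 of the source before and after acquisition and of the image,
plus chain-of-custody log lines, so the copy can be shown to be faithful.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def sha256_of(path):
    """Stream a file through SHA-256; suitable for large disk images."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Byte-for-byte copy of `source` to `image`, with integrity evidence.

    Returns the three hashes plus `verified`, which is True only when the
    source hash is unchanged by the acquisition and the image hash equals it.
    """
    before = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    os.chmod(image, 0o444)        # analysts work on this copy, read-only
    after = sha256_of(source)     # prove acquisition did not alter the original
    img = sha256_of(image)
    return {
        "source_before": before,
        "source_after": after,
        "image": img,
        "verified": before == after == img,
    }


def still_intact(path, recorded_hash):
    """Re-verify an item of evidence against the hash recorded at acquisition."""
    return sha256_of(path) == recorded_hash


def custody_line(examiner, path, digest):
    """One chain-of-custody log line: when (UTC), who, which file, which hash."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"{stamp} {examiner} sha256({os.path.basename(path)})={digest}"


def demo():
    """Build a constructed sample 'drive' in a temp dir, image it, then write
    to the original to show that the recorded hash catches the tampering."""
    work = tempfile.mkdtemp()
    drive = os.path.join(work, "laptop_disk.raw")   # hypothetical evidence item
    image = os.path.join(work, "laptop_disk.img")   # the clone analysts examine
    with open(drive, "wb") as f:                    # constructed sample contents
        f.write(b"MBR\x00" * 128
                + b"Q3 pricing sheet - CONFIDENTIAL\n"
                + bytes(range(256)) * 16)

    report = acquire_image(drive, image)
    log = [custody_line("examiner", drive, report["source_before"]),
           custody_line("examiner", image, report["image"])]

    # The mistake: examining (and thereby writing to) the original. Even a
    # one-byte change no longer matches the hash taken at acquisition.
    with open(drive, "r+b") as f:
        f.write(b"X")

    return {
        "verified": report["verified"],
        "image_intact": still_intact(image, report["image"]),
        "original_intact": still_intact(drive, report["source_before"]),
        "custody_log": log,
    }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["custody_log"]))
    print("acquisition verified:", result["verified"])
    print("image still intact:", result["image_intact"])
    print("original still intact:", result["original_intact"])
```

On a real drive the copy step is done with a hardware write blocker between the disk and the acquisition host and a tool such as `dd`, `dc3dd` or `ewfacquire` producing the image; the hashing and logging shown here is the same regardless of tool, and it is the part that answers the question a court will ask: is the thing you examined the same thing you seized.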
Daryl is an exception when it comes to legal knowledge among IT professionals. It's more common that the IT manager doesn't know how to correctly preserve evidence, and probably doesn't even know what information might be legally relevant, says Jason M. Shinn, an attorney with Lipson, Neilson, Cole, Seltzer & Garin PC who specializes in electronic discovery and technology issues in employment law.
That's why both in-house legal counsel and HR should be involved in monitoring activity, he advises.