Yes, Your IT Department Is Watching — And Being Paid to Rat You Out

Thompson and his staff aren't exactly comfortable about this. "We're IT guys. We're not babysitters," he says. "It's a difficult position to be in, but it does come with the territory."

It helps that his IT staff is not responsible for confronting violators, only finding them. If a problem pops up, IT staff reports it to Thompson, who then determines whether to report the violation to the employee's supervisor.

He's like the neighborhood beat cop, who might catch kids stealing from the corner store but let them off with a warning the first time. "I do it on a case-by-case basis, based on my own gut feeling about what [the violator is] telling me," he says. "I'm a pretty good judge of whether or not someone's lying."

In the 10 years he's been with the company, Thompson says, he has officially reported inappropriate Internet usage to a supervisor on just two occasions.

The reason for that low number? "We regularly communicate to the rank-and-file employees that all Internet access is monitored and logged, so they know they are being watched," Thompson says. "In my view, that keeps the majority of people honest." (See Employee monitoring done right for more tips.)

In addition to energy and automation systems, ENE Systems provides Web site, e-mail and other IT services to its customers. Thompson says he has seen increased interest in employee monitoring among ENE customers, which include large institutions such as the Boston public school system and State Street Bank. "More and more frequently, our customers want to know, 'What was that guy doing when [his computer] got that virus?' for example."

One customer put Thompson in an ethical dilemma when it asked ENE Systems to secretly install SpectorSoft software on its employees' PCs. SpectorSoft records everything: e-mails, chats, IMs, Web site visits and searches, programs run, files transferred. It even logs keystrokes and takes screenshots.

The owner of the company, a landscaping firm, wanted Thompson's staff to lie if employees asked what they were installing on the PCs. (Although most companies spell out monitoring policies in employee manuals, only two states -- Delaware and Connecticut -- actually require that companies notify employees that they are being monitored.)

Thompson refused. "What he asked us to do crossed the line," says Thompson.

"I told him, 'We'll install the software, we'll help you use the software, we'll help you monitor your employees. If somebody does something wrong, we'll help you collect the information to fire them. We'll do all that, but we're not going to look your employees in the eye and lie about what we're doing.' "

The customer was "a bit unhappy" but accepted Thompson's position.

The Legal Eagle

"Daryl" -- who requested anonymity -- is an IT manager at a midsize industrial manufacturer in the U.K. He strongly believes that IT has the right, and the duty, to monitor employee activity in order to protect the interests of the company.

He once caught an employee who was engaged in criminal activity involving intellectual property that could have resulted in a big financial loss for the company.

He went straight to the CEO, and the employee was dismissed. (For more on violations that cause employees to lose their jobs, read Corporations crack down on digital delinquents.) The employer didn't press charges, however, because "it would've been very embarrassing for the company," Daryl says.

Daryl's complaint is not that he has to police employees, but that he's not allowed to do it properly.
