Security Watch | Matt Hines » Tips on employee monitoring

March 21, 2008

Tips on employee monitoring

Employee monitoring has become an increasingly necessary evil for most organizations as a wide range of factors push companies to expand both their physical and IT surveillance systems.

From greater varieties of compliance regulations, to widespread electronic data theft -- including corporate espionage and other so-called insider threats -- there's a growing list of reasons to keep everything from DLP systems to closed-circuit TV cameras trained on larger numbers of workers.

That said, it's clear that there are rules of engagement that can be followed to protect companies from security incidents while also shielding employees from unnecessary spying. Carefully considering all the involved parameters can also lower the potential for lawsuits if surveillance efforts breach established personal or regional privacy thresholds.

At the CSO Perspectives Conference in Atlanta this week, Dave Morrow, chief security and privacy officer at EDS, the giant consulting and systems integration firm, took the stage to share his thoughts on how to do employee monitoring right.

Along with specific recommendations, Morrow also highlighted some emerging business, technological and ethical questions that companies will need to tackle as they further architect their surveillance strategies.

What follows are some highlights of Morrow's speech to the assembled audience of CSOs:

-Here's why you should do IT monitoring:

"The main reason to do it is for liability purposes; when you go to a parking garage you expect surveillance cameras, it's almost considered due diligence at this point, and new case law shows a developing body of thought that IT monitoring will be an issue of due diligence in the future," Morrow said.

-Keep regional sensibilities in mind:

"We already have a certain level of questioning in our society, and it depends on where you are as to what's considered acceptable surveillance," said Morrow. "In [parts of the U.S.], we're fighting over stop light cameras, whereas in the U.K. there is an acceptance that you're already on TV everywhere; how you do it depends on acceptance of [the concept of] private information; that involves what you think that is and dealing with different sensibilities worldwide."

-Pitching data leak prevention:

"Anti-virus is really DLP in reverse, but if you have a project and don't explain it well to your executives you will be in for a world of hurt, because people will think big brother is coming," he said. "And you need to present it in a context where you frame your argument as a business process, of how DLP makes process more effective as opposed to framing it under security; that makes your argument a lot more palatable."

-More regulations to come:

"Everyone knows about data notification laws, and there are a growing number of regional privacy directives," said Morrow. "We expect this to continue to expand in the EU, where they are already talking about standardized breach notifications; and I think we'll see them in APAC as well."

-Tying physical access to IT access:

"To IT, this idea makes all kinds of sense, but a lot of people will have a hard time with the idea of big brother, cameras, and being able to be tracked," Morrow said. "We have a policy not to track [access details] for attendance or HR issues; technically it's easy to do, but you have to ask if it is the right thing to do; the other question is how far is too far."

-How and what to tell employees about monitoring:

"Coupled with an aggressive security education program, talk about why it is so critical not to have any kind of breach," the CSO said. "Explain it in context of business problems; tell people what you are doing and why; [monitoring] is not just something you jump into, you have to intertwine it with an education process, and business needs."

-General advice:

"Surveillance is in the eye of the beholder, you have to think about re-framing the argument from surveillance to monitoring," said Morrow. "Oftentimes we're our own worst enemies for not thinking of interesting ways to communicate to business leaders."

Posted by Matt Hines on March 21, 2008 09:47 AM

