
Ted Demopoulos’ securITy

Employee Monitoring

Subscribe to securITy, our free E-newsletter on Information Technology, Security, and their intersection with Business.

  • Thanks to my readers who stopped by to say hello at the SANS Network Security last month in Las Vegas where I was teaching a seminar on "Security Policy and Awareness Programs." SANS has been keeping me pretty busy.

  • Thanks to all the new subscribers, including the large influx of .mil subscribers!

  • I've adopted a daughter and written another book, What No One Ever Tells You About Blogging and Podcasting, which includes sections from such security notables as Bruce Schneier, Pierre Noel of The Arial Group and Martin McKeay of the Network Security Podcast.

Employee Monitoring

The Visible Employee

Employee monitoring is a hot issue. Some monitoring may be necessary to audit compliance with security policy, and can also be required by various regulations such as GLBA, Sarbanes-Oxley, and HIPAA, but employee monitoring can also overstep the bounds of what is reasonable. For example, no one wants video cameras installed in the bathroom stalls!
I believe that privacy is a fundamental human right, yet some workplace employee monitoring is necessary. Technology alone can only go so far in securing information assets – the human element is incredibly important.

An Interview with Dr. Jeffrey Stanton, Syracuse University
Dr. Jeffrey Stanton is co-author of The Visible Employee, a book I highly recommend, and a security researcher at Syracuse University. Before entering academia and research, Jeffrey spent over a decade in IT, in both technical and management roles, and is very active in consulting, with impressive, bottom-line-oriented results.
(Here is a great resource on Employee Monitoring)

Ted Demopoulos: So what’s employee monitoring all about anyway?

Jeffrey Stanton: The basic idea is that many companies are doing the best they can with technology solutions to information security problems, but if you want to go to the next level with making a company secure, you have to work on the behavior of your computer users. When the employees of a company are doing the right things with their computers, they can help to prevent security disasters from happening. The Visible Employee is all about influencing employees to do those positive things.

Ted Demopoulos: So how do you influence them?

Jeffrey Stanton: There are two issues to deal with – know-how and motivation. You use training and awareness programs to inform people about the set of practices and policies that your IT folks think will work the best to protect the company. Then you motivate people to follow those practices and policies. The book mainly deals with the motivation piece. We claim that this is a scenario where you need to get individuals to follow a set of guidelines or rules that have been designed to benefit them collectively. Most people don’t want to be bothered with following rules; they want to do their own thing. So you have to have a way of watching for rule breaking and then following through to do something about it.

Ted Demopoulos: Among other things, you’re talking about firing anybody who surfs for porno while at work, right?

Jeffrey Stanton: That’s the kind of behavior we’re talking about, yes. Basically we think that workplace computers should generally not be used for “entertainment” purposes. But we don't recommend firing people, at least not for a first offense. If your policy is that harsh you’re not going to be able to enforce it. What if your absolute best salesperson – responsible for half of your profit margin – gets caught doing one goofy thing, say playing poker on his lunch hour (which should be against the rules)? You have the Hobson’s choice of looking weak or unfair if you don't fire the guy or of screwing up your company by getting rid of someone who is a huge asset to the success of your business.

Ted Demopoulos: What kinds of attitudes do you see about employee monitoring?

Jeffrey Stanton: Let's look at the employer and employee viewpoint, and then the view from the person doing the monitoring and perhaps enforcement.

Unfortunately, employers often use monitoring in a reactive fashion. There is an incident, say with pornography, the poster child for monitoring in many ways, and there is a knee-jerk reaction from management to monitor for possible pornography issues. Of course reactive security is less than ideal, and among other things tends to create isolated databases of monitoring information.

Employees don't want to be monitored, but most employees have the view that "I'm not doing anything wrong so it doesn't matter that much." I think this is a somewhat dangerous view, and it'll take a major incident, such as someone falsely accused of a crime based on monitoring data, to change this attitude.

It's very troubling from the point of view of IT people. IT people are often told to monitor employees, but those employees usually include colleagues and friends. When a company has harsh policies, an IT person is really tempted to overlook evidence of policy violations, in order to keep employees out of trouble.

Ted Demopoulos: Where do you think employee monitoring is going?

Jeffrey Stanton: I think monitoring – surveillance in general – for better or for worse, will be a growth industry for the foreseeable future.

Ted Demopoulos: Thanks, Jeff. More information on The Visible Employee is available at http://visibleemployee.org/

Ted Demopoulos, Consultant and Professional Speaker, 603-231-8782 (cell)

This newsletter is Copyright © 2006 by Demopoulos Associates, Durham, New Hampshire, USA.  All rights are reserved, except that it may be freely redistributed if unmodified.

Sharing securITy is encouraged if the copyright and attribution are included.

The free newsletter of Demopoulos Associates, www.demop.com
