
Note to Enterprises: It's OK to Monitor Computer Activities

It's OK to Monitor Computer Activities; Employees Accept It, Security and Productivity Require It

Privacy advocates and security experts have long argued over whether employee computer-activity monitoring is an infringement of employees’ rights or a necessary solution to ensure the security of data and the productivity of workers. Regardless of which side of the debate you are on, it is difficult to argue against the fact that in today's world organizations need to deploy at least some level of activity monitoring to protect themselves against the insider threat, other cyber risks and productivity loss. Without monitoring, it is far too easy for a malicious insider to steal IP or commit fraud, or for workers to visit unapproved and dangerous websites.

Until recently, there have been many barriers to employee computer activity monitoring. In addition to not knowing where to start when it comes to effective monitoring, security and risk professionals have always had a level of implied restraint placed on them due to privacy issues. Fortunately, there are solutions to both problems, one in the form of tangible technologies and the other in shifting employee attitudes towards computer monitoring.

Monitoring Becoming More Accepted

I frequently learn of customers and prospects that recognize the value of monitoring but move forward with trepidation due to privacy concerns. I understand that their worries are valid but also recognize that they are interested in what we provide because they have security and productivity problems that only monitoring can solve.

One key to resolving this dilemma is to ensure that your organization has clear acceptable use policies in place, and that you disclose to employees that the organization has both the right, and the ability, to monitor use of corporate computers. You do not need to disclose the means you use to do so, since disclosing the means can lead to attempts to evade monitoring, but by all means tell your employees what they can expect in terms of privacy up front.

We have always demonstrated to this particular group that monitoring — done right — is both legal and ethical, but to shed some light on what the people being monitored think, we conducted a survey. The results show that monitoring is growing in acceptance — even among the monitored.

My company surveyed 300 U.S.-based full-time employees to understand how they felt about having their computer activities monitored by their employers. Ninety-one percent of respondents said they expect, accept and in some cases welcome having their computer activities monitored by their employers. Moreover, of the 49 percent of respondents whose employers actually had monitoring in place, only 9 percent were actually "mad" that their employers monitored their activities.

Choosing the Right Monitoring Solution

With the privacy issue now squarely behind us, it is time to focus on monitoring itself. While there are many security solutions on the market that provide a piece of the puzzle in protecting the corporate network from data loss, such as DLP, SIEM, firewalls, secure email gateways and more, none of these "traditional" technologies focus on the biggest security wild card — the human factor. While they do a great job of recording network security events and stopping malicious incoming traffic, they cannot provide the level of deep granularity needed to truly understand what employees are doing on their work computers and devices or to provide the alerts needed to reduce the impact of a potential insider attack.

Effective monitoring fills the gaps that traditional technologies are not designed to bridge. The aforementioned technologies and a host of others cannot be configured to capture, report and alert on every keystroke, all of the various online communications, applications accessed, and files dragged and dropped to the public cloud. While such solutions can provide a great deal of after-the-fact forensic information, they cannot provide video-like recording and playback of everything a malicious insider does while logged onto the corporate network. All the above features are needed in the fight against insider threats, data theft and fraud.

Moving Forward

Now that we have covered the bases on intangible privacy concerns and actual solution options, it is time for organizations to move forward with finding and deploying effective monitoring solutions. There are many on the market, and most are doing a good job of providing at least some level of protection. As you evaluate technologies and brands, there are at least a few things you should keep in mind:

• Make sure the company is proven through longevity and major customer deployments

• Find a solution that allows you to record all computer activity and continually scan for threats

• Make sure it will alert you to threats and provide activity details

• Choose one that provides easy-to-interpret video-style recordings with user details

• Get one that supports Windows and Mac

• Look for solutions that incorporate privacy protections – security and privacy are a balancing act. There are solutions that don’t tip the scales too far to one side at the expense of the other.

Mike Tierney is Vice President of Operations at SpectorSoft. Prior to joining SpectorSoft, Mike oversaw a large product portfolio that included solutions for desktop security, least privilege management, file access control and reporting, and compliance. Mike also has responsibility for Operations, and in this capacity deals with the same issues facing most companies: improving productivity and security while maintaining user privacy.