“The growth in monitoring employee behavior in digital environments is increasingly enabled by new technology and services,” said Andrew Walls, research vice president of Gartner. “Surveillance of individuals, however, can both mitigate and create risk, which must be managed carefully to comply with ethical and legal standards.”
To prevent, detect and remediate security incidents, IT security organizations have traditionally focused attention on the monitoring of internal infrastructure. The impact of IT consumerization, cloud services and social media renders this traditional approach inadequate for guiding decisions regarding the security of enterprise information and work processes.
“Security monitoring and surveillance must follow enterprise information assets and work processes into whichever technical environments are used by employees to execute work,” said Mr. Walls. “Given that employees with legitimate access to enterprise information assets are involved in most security violations, security monitoring must focus on employee actions and behavior wherever the employees pursue business-related interactions on digital systems. In other words, the development of effective security intelligence and control depends on the ability to capture and analyze user actions that take place inside and outside of the enterprise IT environment.”
Security is a major concern but not the only concern

Companies are learning that they have to balance security monitoring and the overall good of the company with the rights and privacy of their employees. The battle to keep employees focused on their tasks at hand and working while at their desks and not "playing" games has been a challenging one for most businesses. The popularity of online and cloud-based services, such as Facebook, YouTube, LinkedIn, iTunes and others, not only provides new distractions but also new targets for security breaches. Surveillance of user activity in these services generates additional ethical and legal risks. These risks and rights to privacy are posing a daunting question for many companies: How do we protect ourselves from possible threats and protect the rights of the employee?
Social media sites in particular create new challenges for monitoring. There are times when the information available can assist in risk mitigation for an organization, such as employees posting videos of inappropriate activities within corporate facilities. However, there are other times when accessing the information can generate serious liabilities, such as a manager reviewing an employee's Facebook profile to determine the employee's religion or sexual orientation in violation of equal employment opportunity and privacy regulations.
Earlier this year, headlines were made when it was reported that prospective employers were asking people they interview for their Facebook passwords. The practice was so widely questioned that it prompted several states to act, passing legislation to block employers from the practice. While many feel this approach will "gradually fade," companies will most likely continue to monitor the social media conversations of employees and customers.
Education is the best approach to staying safe

Education of employees about potential risks is needed. When asked, most employees would likely tell you that they don't see what the problem is or don't see how there could be a threat. Most employees aren't aware of the fact that using their own device on a work network could lead to a security breach. Nor do they know that by bypassing the network security in place they could also allow attackers in.
For employees, the U.S. National Labor Relations Board, in several recent decisions, ruled against employers who fired workers for complaining on social media sites about work conditions. The agency's position is that discussing work conditions with other employees is protected by the National Labor Relations Act. This, however, does not mean that you should see these rulings as being in favor of your right to use social media sites in the workplace. You should be careful about "inappropriate" work-related posts on Facebook and other social media sites. Speaking out against an employer is one thing; posting "inappropriate" material is another.
More details about the report can be read in Gartner's press release