The moral is that whether they’re dealing with a malcontent, a crook or a conscientious employee doing his job to the best of his abilities, CIOs need to be alert to risks and threats in their own backyard. (For signs that there could be trouble in your department, see “Six Signs IT Staffers Could Be Ready To Cause Trouble.")

“It’s not the external hacker you need to worry about so much,” says John Halamka, CIO of CareGroup and Harvard Medical School. “It’s the internal employees who have legitimate access to the systems and can do most harm.”

The Sinful Six
Since the dawn of the Internet age, IT has been aware that the Web is a Pandora’s box filled with tools that anyone with a PC, a network connection and a devious mind can employ to make mischief. But now regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley and Payment Card Industry (PCI) data security standards have focused the non-IT executive’s attention on what evils can lurk alongside the business benefits IT can provide. (For more on IT’s regulatory compliance responsibilities, see “Your Guide to Good Enough Compliance.”)

“Business management has become much more aware that IT risk is business risk,” says Richard Hunter, a vice president and expert on security and privacy with Gartner. Consequently, even companies in lightly regulated industries have begun to pay more attention to their liabilities and their user management policies. For employees everywhere, the message is (or should be) clear: “You don’t have privacy where corporate life is concerned,” Hunter says. And “corporate security” will always trump “user privacy.”

This, in turn, has created a more authoritative role for IT departments as they monitor and dictate what employees can and can’t do with the technology they provide. A list has emerged in IT circles, “The Sinful Six,” describing the types of Internet sites that can’t be viewed at work: those containing pornography, anything promoting gambling, anything deemed tasteless, hate material, violence and illegal activities. Roche says visiting any of these sites, along with any kind of site that is a danger to PCs (exposing them to malware and spyware), is in direct violation of NSC’s HR policies.

New technologies have also made it easier for IT to identify who and where the violators are. According to the American Management Association’s 2005 electronic monitoring survey, 76 percent of the 526 companies surveyed said they conduct some form of electronic monitoring. In a recent paper written by the University of Toronto’s Zweig, it’s estimated that more than 40 million U.S. employees are subject to some type of electronic performance monitoring, “such as counting keystrokes, listening in on phone calls, tracking e-mail and even video-based monitoring of availability.” (For a list of monitoring tools, see “Five Enterprise Content Monitoring Tools.” ) But even though a recent Harris Interactive study of U.S. office workers found that most employees don’t let the knowledge that they’re being monitored interfere with their nonwork use of the Internet (more than half of respondents said they send and receive personal messages on their work e-mail accounts), CIOs do not want to be thought of as IT cops. “You don’t want to be the bad guy who’s enforcing the policy,” says CareGroup CIO Halamka.