How to Monitor Workers' Use of IT Without Becoming Big Brother

CIOs asked to monitor employees' use of corporate IT are entering a difficult area for managers, as recent litigation shows. Here's how to do it right.

Arthur Riel says he was just doing his job.

When he was hired by Morgan Stanley in 2000 and put in charge of the $52 billion financial company’s e-mail archiving system, gaining access to its most sensitive corporate communications, the company was already involved in litigation that involved its e-mail retention policies. That suit would end in a landmark 2005 judgment against the bank, which awarded $1.57 billion in damages to financier Ronald Perelman. (In March 2007, Morgan Stanley won an appeal to Florida’s District Court of Appeal.)

It was part of Riel’s $500,000 a year job, he says, to make sure that would never happen again.

To do that, Riel had what he calls “carte blanche to go through e-mail.” What he says he discovered reading company e-mails throughout 2003 were what he construed as dubious business ethics, potential conflicts of interest and sexual banter within Morgan Stanley’s executive ranks that, he says, ran contrary to the bank’s code of conduct.

Based on his reading of executive e-mails, most notably CTO Guy Chiarello’s, Riel alleged that the e-mails showed the improper influence of Morgan Stanley’s Investment Banking division in how the IT department, with its multimillion-dollar budget, purchased technology products; the improper solicitation of tickets to New York Yankees–Boston Red Sox baseball games and other high-profile sporting events from vendors such as EMC; and the influencing, through one of Chiarello’s direct reports, of the outcome of Computerworld magazine’s Smithsonian Leadership Award process, of which Morgan Stanley was a sponsor. (Computerworld is a CIO sister publication.) “I reported what was basically a kickback scheme going on in IT,” Riel says.

E-mail exchanges that contained sexual banter and involved Riel’s boss, CIO Moira Kilcoyne, added to Riel’s conviction that something was wrong at the top. Believing, he says, that he was doing his duty, Riel claims to have sent hard copies of the offending e-mails to Stephen Crawford, Morgan Stanley’s then-CFO, on Jan. 15, 2004, anonymously via interoffice mail.

Riel’s superiors vigorously dispute his story.

First, according to a Morgan Stanley spokesperson, the company asserts that Riel was never authorized to monitor, read or disseminate other employees’ e-mails “as he saw fit.” Second, the spokesperson denies that a package of e-mails was either sent to or received by Crawford. And third, after conducting an internal investigation, the company maintains that it found no evidence warranting disciplinary action against anyone identified by Riel.

On Aug. 18, 2004, moments after Riel’s BlackBerry service was shut off, Kilcoyne, along with a vice president of HR, called Riel into her office. She told him that he was being placed on administrative leave with full pay. Morgan Stanley security searched his office and eventually found more than 350 e-mails on his PC, e-mails of which Riel was neither the writer nor the intended recipient.

On Sept. 27, 2005, 13 months after being placed on leave, Riel was “terminated for gross misconduct,” says the Morgan Stanley spokesperson.

Riel filed a $10 million whistle-blower Sarbanes-Oxley suit and a $10 million federal defamation suit against Morgan Stanley. In June 2006, the Department of Labor dismissed the whistle-blower suit and said it had found no cause to believe that Morgan Stanley had violated any part of the Sarbanes-Oxley act. It also found that Morgan Stanley had “terminated other employees in the past for similar misconduct.”

In February 2007, a federal judge dismissed seven of the eight complaints Riel had filed in his suit. (A small issue concerning compensation was uncontested.) In a statement, Morgan Stanley said that the dismissal of the seven complaints and the whistle-blower suit “further confirms that Arthur Riel’s allegations are without any legal or factual merit.”

Today, in light of everything that transpired, Riel says he learned a lesson that all CIOs should heed: “It’s critical that IT departments determine a policy for who should have access to what.” During his time at Morgan Stanley, he claims, “there was no policy.”

With Power Comes Responsibility

As the need to broaden access to systems and applications increases due to business and regulatory demands, so does the potential for malfeasance, whether it’s your network admin testing the corporate firewall on his own time and inadvertently leaving it open, a salesperson accessing a customer’s credit card information or a rogue help desk staffer hell-bent on sabotaging your CEO by reading his e-mail.

Like good governments, IT departments need checks and balances, and they need to marry access with accountability. A December 2006 Computer Emergency Readiness Team (CERT) study on insider threats found that a lack of physical and electronic access controls facilitates insider IT sabotage. The situation is even more critical now because new, widely deployed applications for identifying and monitoring employee behavior have thrust IT into what was formerly the domain of HR and legal departments. Tom Sanzone, CIO of Credit Suisse, says he works “hand in glove” with HR, legal, compliance and corporate auditors, and has formalized an IT risk function to ensure that all access policies are consistent and repeatable on a global scale. “Those relationships are very important,” he says. (For more on building those relationships, see “CIOs Need Business Partners To Achieve Security Goals." )

Many CIOs have discovered that their new policing role presents the same challenges faced by the men and women who wear blue uniforms: If people can’t trust the police —or if something happens that damages that trust—then whom can they trust? (For how to repair trust once it’s compromised, see "Maurice Schweitzer Addresses the Importance of Truth and Deception in Business." )

“If IT does something that they shouldn’t, then the general employee thinks, I’m going to find a way to get around the monitoring because we can’t even trust the people in IT,” says David Zweig, an associate professor of organizational behavior at the University of Toronto at Scarborough. “It’s a cycle of increasing deviance, which, unfortunately, could create more monitoring.”

At Network Services Company (NSC), a distributor in the paper and janitorial supply industry, CIO Paul Roche asserted control over how and when his IT department can access employee systems and, working with HR and legal, he has developed a policy for dealing with suspected employee infractions. For example, the IT policy states that IT personnel can’t start snooping around employees’ PCs without prior HR approval. “Employees know we’re not going to look the other way,” says Roche.

Any CIO’s mettle—no matter how rock-solid his policy or relationships—will be tested when one of his own crosses the line and breaks the trust between users and the IT department. “The expectation has to be that if you’re going to give someone authority, at some point it will be misused,” says Khalid Kark, a senior security analyst at Forrester Research. “And who will guard the guards?”

Bad Guys and Do-Gooders

Despite Riel’s assertion that Morgan Stanley had no policy for which systems and e-mail accounts he could access, Morgan Stanley says Riel was never authorized to do what he did. (No one from Morgan Stanley’s IT department was made available for this article.)

Morgan Stanley isn’t alone in having to deal publicly with renegade IT employees. Wal-Mart disclosed last March that over a four-month period one of its systems technicians, Bruce Gabbard, had monitored and recorded telephone conversations between Wal-Mart public relations staffers and a New York Times reporter. “These recordings were not authorized by the company and were in direct violation of the established operational policy that forbids such activity without prior written approval from the legal department,” Wal-Mart said in a statement. In addition, Wal-Mart revealed that Gabbard had “intercepted text messages and pages, including communications that did not involve Wal-Mart associates,” which the company maintains “is not authorized by company policies under any circumstances.” Gabbard, who was fired, claimed in an April Wall Street Journal article that his “spying activities were sanctioned by superiors.” Wal-Mart says that it has removed the recording equipment and related hardware from the system. “Any future use of this equipment will be under the direct supervision of the legal department,” Wal-Mart stated.

In February, the Massachusetts Department of Industrial Accidents (DIA) disclosed that Francis Osborn, an IT contractor, had accessed and retrieved workers’ compensation claimants’ Social Security numbers from a DIA database. According to court documents, Osborn accessed 1,200 files and opened credit card accounts using three claimants’ information, charging thousands of dollars to those fraudulent accounts. In a statement, the DIA commissioner said the department was “conducting a thorough review of all security procedures.” Osborn was fired, arrested and charged with identity fraud.

Other incidents, however, are less egregiously criminal and therefore harder for CIOs to evaluate and handle. In February 2006, New Hampshire officials announced that they had discovered password-cracking software (a program called Cain & Abel) planted on a state server. Cain & Abel potentially could have given hackers visibility into the state’s cache of credit card numbers used to conduct transactions with the division of motor vehicles, state liquor stores and the veterans home. Douglas Oliver, an IT employee who in one news report referred to himself as the state’s “chief technical hacker,” admitted to media outlets that he had installed the program, saying he was using it to test system security. He said he did so with state CIO Richard Bailey’s knowledge. (Bailey did not respond to repeated requests for an interview.) Oliver was placed on paid leave during an investigation that involved the FBI and the U.S. Department of Justice.

On April 4, 2006, state officials announced that the Cain & Abel program had never been turned on and that it was “very unlikely” that any credit card information had been exposed. Oliver, who had never been named as the IT worker responsible for the incident, was invited to return to his job on April 25, 2006.

A more highly publicized incident occurred at Sandia National Laboratories in New Mexico. After a series of hacks on the lab’s network in 2004, Shawn Carpenter, a Sandia network security analyst, launched his own investigation. He eventually linked the attacks to a Chinese cyberespionage group and also discovered that U.S. government documents had been stolen. He shared his findings with the Army Counterintelligence Group and the FBI. In response, Sandia fired Carpenter in January 2005 for, as reported in Computerworld, “inappropriate use of confidential information.” But in February 2007, a New Mexico jury awarded Carpenter $4.3 million in his wrongful termination suit and in the process transformed him from a rogue IT worker into a national hero. (Sandia is appealing the verdict.)

The moral is that whether they’re dealing with a malcontent, a crook or a conscientious employee doing his job to the best of his abilities, CIOs need to be alert to risks and threats in their own backyard. (For signs that there could be trouble in your department, see “Six Signs IT Staffers Could Be Ready To Cause Trouble.")

“It’s not the external hacker you need to worry about so much,” says John Halamka, CIO of CareGroup and Harvard Medical School. “It’s the internal employees who have legitimate access to the systems and can do most harm.”

The Sinful Six

Since the dawn of the Internet age, IT has been aware that the Web is a Pandora’s box filled with tools that anyone with a PC, a network connection and a devious mind can employ to make mischief. But now regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley and Payment Card Industry (PCI) data security standards have focused the non-IT executive’s attention on what evils can lurk alongside the business benefits IT can provide. (For more on IT’s regulatory compliance responsibilities, see “Your Guide to Good Enough Compliance.”)

“Business management has become much more aware that IT risk is business risk,” says Richard Hunter, a vice president and expert on security and privacy with Gartner. Consequently, even companies in lightly regulated industries have begun to pay more attention to their liabilities and their user management policies. For employees everywhere, the message is (or should be) clear: “You don’t have privacy where corporate life is concerned,” Hunter says. And “corporate security” will always trump “user privacy.”

1 2 Page 1
Page 1 of 2
Get the best of CIO ... delivered. Sign up for our FREE email newsletters!