How to Monitor Workers' Use of IT Without Becoming Big Brother

CIOs asked to monitor employees' use of corporate IT are entering a difficult area for managers, as recent litigation shows. Here's how to do it right.

Page 2 of 2

New technologies have also made it easier for IT to identify who and where the violators are. According to the American Management Association’s 2005 electronic monitoring survey, 76 percent of the 526 companies surveyed said they conduct some form of electronic monitoring. In a recent paper written by the University of Toronto’s Zweig, it’s estimated that more than 40 million U.S. employees are subject to some type of electronic performance monitoring, “such as counting keystrokes, listening in on phone calls, tracking e-mail and even video-based monitoring of availability.” (For a list of monitoring tools, see “Five Enterprise Content Monitoring Tools.” ) But even though a recent Harris Interactive study of U.S. office workers found that most employees don’t let the knowledge that they’re being monitored interfere with their nonwork use of the Internet (more than half of respondents said they send and receive personal messages on their work e-mail accounts), CIOs do not want to be thought of as IT cops. “You don’t want to be the bad guy who’s enforcing the policy,” says CareGroup CIO Halamka.

The ROI of Privacy

In conversations with CIOs, Forrester’s Kark says he’s discovered that most companies “don’t want to put in draconian measures to say that [their company] is going to monitor everything, even though they have the right to do so.” In companies that create cultures with more user-friendly privacy measures, Kark says he has found a higher level of trust between users and management.

According to Zweig’s research, monitoring “continues to violate the basic psychological boundaries between the employer and employee—one that is predicated on some minimal level of privacy, autonomy and respect. Once this boundary has been violated, a host of negative implications are likely, ranging from dissatisfaction and stress to resistance and deviance.” Therefore, he says, it’s critical for a company that wants to engender a culture of collaboration and trust to make it perfectly clear to all employees both inside and outside IT, just what IT will and, more important, will not do. “It should be communicated to everyone in the organization that the IT department does not have carte blanche,” Zweig says. “It isn’t open season on people.”

How to Monitor the Monitors

And that brings us back to the IT department—those entrusted with the access, know-how and a front-row seat on all the monitoring action. In organizations where there is “open season” on employees’ digital wakes, CIOs and analysts say there’s usually an unregulated “cowboy culture” within the IT department and, most likely, little trust and respect between management and users. In such organizations, Forrester’s Kark says he finds that more IT employees have access to a system than is actually appropriate. At one company, for example, he determined that 32 employees (including the CIO) had access to a very sensitive area of the company’s systems when, in fact, only three people actually needed the access to do their jobs; the other 29 were superfluous and therefore potential risks. Kark calls that situation “typical.”

Even though anyone with PC access can wreak havoc on your systems, research from a CERT Insider Threat study shows that technology sabotage almost always comes from within the IT ranks. In 49 incidents of IT-enabled sabotage examined, 86 percent of the perpetrators held technical positions, and 90 percent of them had been granted administrator or privileged system access when they were hired.

“I worry about the trusted person,” says Credit Suisse’s Sanzone. “To run an organization like this you have many trusted individuals that have access to sensitive things as part of their job. Probably, your risk is as high or if not higher [with the trusted person] than with any other.”

But taking some of that power and access away from IT employees can be a delicate procedure. In the CERT study, 92 percent of all of the insiders attacked their organizations following a negative work-related event, such as a dispute with a boss, a demotion or a transfer. “The people who have had privileged access have enjoyed the freedom to do whatever they wanted to do,” Kark says. “If you put in control where there was no control before, there’s going to be some resistance.”

Network Services Company’s Roche was “somewhat seriously concerned” about that kind of resistance when he instituted a new policy for how his IT staffers would monitor employees’ computers. Each IT staffer received a specific ID and password for tapping into systems for monitoring and “running a report” on an employee. Each monitoring event could be initiated only by HR, and every one would be logged. Roche attributes the absence of the pushback he anticipated to the time he took to explain to everyone why he was instituting the policy and why it was important to the company. That, and the perception that “they wouldn’t want someone doing it to them.”
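The three controls in Roche’s policy (a personal monitoring ID per IT staffer, HR-only initiation, and a log of every event) can be enforced in one small gate. The following is an added illustration, not code from the article or from Network Services Company; the staff directory, HR user names, ticket references and the hash-chained log format are assumptions, and the chain lets a reviewer outside IT detect edits or deletions in the log itself.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed directory: each IT staffer holds a personal monitoring ID
# (no shared accounts), and only these HR users may initiate an event.
IT_STAFF_IDS = {"mon-0142": "j.doe", "mon-0177": "r.patel"}
HR_INITIATORS = {"hr.lee", "hr.kim"}


def _digest(prev, fields):
    """Hash of an entry chained to the previous entry's hash."""
    body = json.dumps(fields, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class MonitoringGate:
    """Authorises one 'run a report' event and logs every decision."""

    def __init__(self):
        self.log = []  # append-only, hash-chained entries

    def request(self, staff_id, initiated_by, hr_ticket, subject):
        reasons = []
        if staff_id not in IT_STAFF_IDS:
            reasons.append("unknown or shared monitoring ID")
        if initiated_by not in HR_INITIATORS:
            reasons.append("event must be initiated by HR")
        if not hr_ticket:
            reasons.append("missing HR ticket reference")
        allowed = not reasons
        # Denied attempts are logged too: they are the signal that an IT
        # staffer tried to look at someone outside the HR process.
        self._append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "staff": IT_STAFF_IDS.get(staff_id, staff_id),
            "initiated_by": initiated_by, "ticket": hr_ticket,
            "subject": subject, "allowed": allowed, "reasons": reasons,
        })
        return allowed

    def _append(self, fields):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        self.log.append(dict(fields, prev=prev, hash=_digest(prev, fields)))

    def verify_chain(self):
        """False if any entry was edited or removed (monitoring the monitors)."""
        prev = "0" * 64
        for e in self.log:
            fields = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _digest(prev, fields):
                return False
            prev = e["hash"]
        return True
```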

Kark says there are three key things that CIOs need to make certain (and communicate to their staffs) when rolling out these types of policies. First, make it clear who in IT has ownership and responsibility for each part of the process when any type of event is triggered by the HR, legal, physical security or compliance departments. Second, there needs to be a decision tree for how IT employees will respond to each incident and investigation, with a detailed analysis of different types of scenarios and the resulting procedures. And third, CIOs and their staffs should run simulations and tests on how the processes will play out when an event happens.

For all of Riel’s claims of whistle-blowing at Morgan Stanley, it was, ironically, one of Riel’s subordinates who followed the proper chain of command and blew the whistle on Riel.

Despite Morgan Stanley’s insistence that its procedures functioned properly, a lot of things went wrong. Of course, a lot of things can go wrong anywhere, but accepting that inevitability, and planning for how to handle it, is the key to good security and a lot less anxiety for CIOs. “We do everything we can to stay on top of this,” says Credit Suisse’s Sanzone.

“But sure, I worry.”

Copyright © 2007 IDG Communications, Inc.
