Monitoring users: Best practices and pitfalls

As you’re well aware by now, internal threats are a huge issue in IT. So keeping an eye on users is a must for most IT departments. 

Whether it’s a disgruntled employee taking sensitive information, a malicious insider who is looking to profit or just a confused user who doesn’t know what’s unacceptable, these employees can do as much harm to your company as any hacker.

The problem: How can IT watch for these troublesome behaviors without crossing the line into invasion of privacy?

Why it’s needed

The threats insiders pose to data can’t be overstated. According to a report by Spectorsoft, a vendor of monitoring software, nearly a quarter of organizations (23%) have had an insider-caused data breach.

Other troubling trends:

  • 47% of respondents said employees had taken information with them when they left the company
  • 53% found employees had used personal cloud-based sharing accounts with company data
  • 33% said employees had emailed themselves work documents to personal accounts, and
  • 49% had users copy data to thumb drives or USB memory sticks.

This certainly implies that keeping an eye on employees might be a good idea.

Who should make the calls?

The first and most important thing is to determine who the stakeholders are. Teaming with HR, legal and upper-management will be key.

According to Spectorsoft, bringing in users may also be a good step to take. It could help build buy-in with employees to know they have a say, and it also would make them more aware and conscious of security and potential issues.

What will you look for?

In many ways, this is the most important question to answer. You’ll want a clear view of what you want to find before starting. This may be:

  • monitoring as part of an investigation of a specific problem
  • monitoring as early detection for problems, or
  • monitoring to look for time-wasting or other productivity issues.

It’s also important to determine whether you’ll check for everything users are doing online or look for certain keywords or warning indicators. Essentially, it boils down to whether you’re looking for something that could be troublesome or monitoring for something that troubles you already.

What not to do

If you’re monitoring users, there’s always the chance you might find or learn something you’d wish you hadn’t. This includes personal correspondence, emails to attorneys or other confidential sources, users’ personal passwords, etc.

That’s why it’s important to make sure there are clear guidelines on who can monitor users. It may even be best to require approval from representatives from multiple departments (such as HR or upper-management) before accessing the information. That could remove the temptation for staffers to sneak a peek.

Most importantly, if you’re investigating specific users, there should be clear reasons why. Companies can run afoul of the law when they monitor users, then discipline them based on what they’ve seen without monitoring everybody. This can lead to charges of discrimination or retaliation if users believe they’re unfairly targeted for extra scrutiny.

The best catch-all rule: Monitor for behaviors and practices, not individuals.
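Two of the recommendations above, applying the same behavior rules to every user rather than singling people out, and requiring sign-off from more than one department before anyone looks at identifying details, can be enforced in the tooling itself. The following is an added example, not code from the article or from any monitoring vendor. It scans constructed endpoint/DLP event lines for the warning indicators the report lists (large USB copies, uploads to personal cloud services, mail to personal accounts, sensitive keywords), records findings only against an HMAC pseudonym, and refuses to map a pseudonym back to a person until both HR and management have approved. The domain lists, size threshold, keyword list and approver roles are assumptions to be replaced with whatever your stakeholders agree on.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample events (not taken from the article): one JSON line per
# endpoint/DLP event, in the shape an agent might export.
SAMPLE_EVENTS = [
    '{"ts": "2024-03-01T09:12:00Z", "user": "alice", "type": "usb_copy", "bytes": 120000000, "path": "Q4_customer_list.xlsx"}',
    '{"ts": "2024-03-01T09:40:00Z", "user": "bob", "type": "upload", "bytes": 2400000, "dest": "drive.google.com"}',
    '{"ts": "2024-03-01T10:02:00Z", "user": "alice", "type": "email", "bytes": 800000, "recipient": "alice.home@gmail.com", "subject": "contracts"}',
    '{"ts": "2024-03-01T10:30:00Z", "user": "carol", "type": "usb_copy", "bytes": 4096, "path": "notes.txt"}',
    '{"ts": "2024-03-01T11:15:00Z", "user": "bob", "type": "email", "bytes": 1000, "recipient": "team@example.com", "subject": "lunch"}',
]

# Warning indicators agreed with HR/legal. These values are assumptions for
# the example; tune them to your own policy.
PERSONAL_CLOUD_DOMAINS = {"drive.google.com", "dropbox.com", "onedrive.live.com"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
USB_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB
SENSITIVE_KEYWORDS = {"customer", "contract", "salary"}

# Secret held by the monitoring system only. Analysts see HMAC tokens, never
# usernames, so reports describe behaviour without naming individuals.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"

# Departments that must all approve before a token is mapped back to a person.
REQUIRED_APPROVERS = {"hr", "management"}


def pseudonymize(user: str) -> str:
    """Stable, keyed pseudonym for a username (same user -> same token)."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]


def classify(event: dict) -> list[str]:
    """Return the behaviour indicators an event matches.

    The rules look only at what was done, never at who did it, so every user
    is evaluated the same way (monitor behaviours, not individuals)."""
    hits = []
    kind = event["type"]
    if kind == "usb_copy" and event.get("bytes", 0) >= USB_BYTES_THRESHOLD:
        hits.append("large_usb_copy")
    if kind == "upload" and event.get("dest") in PERSONAL_CLOUD_DOMAINS:
        hits.append("personal_cloud_upload")
    if kind == "email":
        domain = event.get("recipient", "").rpartition("@")[2].lower()
        if domain in PERSONAL_MAIL_DOMAINS:
            hits.append("email_to_personal_account")
    # Keyword indicator over the free-text fields the event carries.
    text = " ".join(str(event.get(k, "")) for k in ("path", "subject")).lower()
    if any(kw in text for kw in SENSITIVE_KEYWORDS):
        hits.append("sensitive_keyword")
    return hits


def scan(lines) -> dict[str, list[str]]:
    """Apply the same rules to every event and aggregate hits per pseudonym."""
    findings = defaultdict(list)
    for line in lines:
        event = json.loads(line)
        for hit in classify(event):
            findings[pseudonymize(event["user"])].append(hit)
    return dict(findings)


def reveal(token: str, approvals: set[str], directory: list[str]) -> str:
    """Map a pseudonym back to a person only when every required department
    has signed off; otherwise refuse, so nobody can quietly sneak a peek."""
    missing = REQUIRED_APPROVERS - approvals
    if missing:
        raise PermissionError(
            f"re-identification needs approval from: {sorted(missing)}")
    for user in directory:
        if pseudonymize(user) == token:
            return user
    raise KeyError("unknown token")


if __name__ == "__main__":
    for token, hits in scan(SAMPLE_EVENTS).items():
        print(token, sorted(set(hits)))
```

The analyst-facing output of `scan()` contains only tokens and indicator names; a pseudonym becomes a name only through `reveal()`, which is where the approval record from each department would be checked in a real deployment.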

The most important thing

One final warning: Whatever you decide about monitoring employees, articulate those decisions in policies that users sign off on. Acceptable use policies are crucial to preventing employees from claiming their privacy has been invaded.