Technology can safeguard your firm from employee activity.
Hackers and virus writers hog the headlines but security surveys
repeatedly show that the greatest risk to an organisation comes
from its own staff.
This, together with the increasing pressure of compliance with
legislation and the need for clear audit trails, has prompted new
interest in technology to monitor and evaluate staff behaviour.
Such systems can help in the early detection of fraud, protect an
organisation's network and data from attack and boost worker
productivity and efficiency.
If an implementation is clumsily handled, the effect can be
disastrous. Last July, for example, 500 British Airways customer
service workers, including check-in and ticket-desk staff, walked
out for two days in protest at the introduction of an automated
swipe-card system for recording their attendance. The airline was
forced to cancel or divert 500 flights affecting 100,000
passengers.
The action by British Airways staff is not typical. Attendance
tracking systems are now widespread across public and private
sector organisations, and are used to monitor staff absence levels
and trends, and lateness and productivity statistics.
A spectrum of other technologies is now available from a range of
hardware and software suppliers, service providers and systems
integrators, covering other aspects of staff tracking.
But if an organisation is not transparent about its monitoring
activities, or gathers an excessive amount of data, it could fall
foul of the law.
"Proper management and publication of your security policy is key,"
said Andy Kellett, senior research analyst with Butler Group.
"When people join an organisation, they need to understand what the
rules are and these need to be well displayed and clear."
It is possible to monitor an employee's physical whereabouts and
attendance; activities on the internet or e-mail; instant messaging
traffic; document workflows; the content of telephone
conversations; and the usage of removable media devices.
Systems such as Computer Associates' eTrust 20/20 can monitor a
range of activities from the doors staff open and close to their
e-mail activities and what they do on the web.
The most common and least intrusive form of monitoring is web and
e-mail filtering, which is available from a variety of antivirus
and security suppliers and internet service providers.
An innovative example comes from Autonomy, whose software can check
in real time whether staff are engaged in an activity that is
against company policy. Such activity might include insider
trading, or providing misleading accounts or even sending racist or
sexist e-mails. The technology works across a number of formats
such as e-mail, mobile phones, PDAs and instant messaging,
according to Autonomy.
Another product, Smartfilter from Secure Computing, can bar
undesirable websites. These might include online shopping, gambling
and instant messaging. Smartfilter can highlight web usage and
document inappropriate web activity, allowing organisations to
enforce their web usage policies.
A technical whitepaper from Secure Computing outlined the benefits
and drawbacks of filtering and monitoring software. Although
filtering can block most inappropriate content and does not raise
privacy concerns, it does not notify an employer when abuse has
taken place, nor create a record of misuse for justifying
disciplinary actions.
Monitoring software, on the other hand, can identify and stop certain
offensive practices and allow an employer to identify and document
electronic abuse, but may also raise privacy issues and undermine
employee morale.
According to security software supplier Websense, its employee
monitoring software can set policies to ensure that staff do not
log on to inappropriate sites or download instant messages and can
also discern whether an employee has accidentally clicked on a spam
or phishing e-mail or is actively searching out malicious
information. Websense users include several large newspaper
publishers, department stores and education authorities.
As well as monitoring internet usage, organisations can monitor
staff phone calls using voice monitoring systems.
Derbyshire Council uses an interactive voice response system from
HTK called Homecare, which is provided as a managed service by BT.
The system allows the council to monitor staff and to use
voice-enabled systems.
The council has used a staff monitoring system since 1998 for about
2,000 staff, who care for the aged in their own homes. It allows
staff to phone in their timesheets rather than send paper ones. The
system has reduced the chances of staff entering timesheets
fraudulently, and is faster and less error-prone than the previous
paper-based system.
The need to track instant messaging traffic is a growing concern
for IT managers.
A survey from analyst Meta Group earlier this month found that 57%
of respondents used instant messaging at work for personal reasons.
Perhaps more surprising is its finding that 56% use instant
messaging at home for business purposes.
"Firms should view these numbers as alarming," said Ted Tzirimis,
senior research analyst at Meta Group. "Although instant messaging
can be a valuable tool for communication and collaboration, it can
also have a viral effect when not regulated. Organisations must
implement strategies to harness the value that can be derived from
sanctioned use of instant messaging while limiting personal use of
the application."
But Tzirimis said that policy enforcement was the solution rather
than implementing more technology. "The good news for companies is
that although policy creation is not a silver bullet to stop
unsanctioned use of instant messaging, it is easy and relatively
inexpensive. Moreover, our survey suggests it can also be a fairly
effective measure for controlling use of instant messaging."
Ken Charman, European director of business development at FaceTime,
a developer of instant messaging tracking software, said: "The
security issues that face instant messaging are bigger than those
posed by e-mail because instant messaging clients are designed to
slip past existing IT security, and, unlike most other threats,
work from the inside out, which is why most firewalls and URL
blocking solutions fall short for instant messaging.
"Instant messaging clients are adept at finding their way through
obstacles such as perimeter network defences and are, by their very
nature, promiscuous. They will move from one firewall port to the
next until they eventually find a way out. This provides an
unsecured channel for viruses, worms, rogue protocols and other
malicious content to travel freely into and around the
company."
Monitoring: keep within the law
- An employer must be aware of the legal mesh created by the Data
Protection Act, the Human Rights Act and the Regulation of
Investigatory Powers Act. If an employer has not advised an
employee of the sort of monitoring it intends to carry out, it may
not, irrespective of what the employee is up to, be able to use any
evidence it has gathered to support a dismissal. It may even find
itself on the receiving end of legal proceedings for infringing the
employee's rights.
- Tracking staff e-mails, web activity, phone calls and movements
may not only infringe the right to privacy under the Human Rights
Act, but also the Data Protection Act, which provides for the
processing of personal data in accordance with the rights of data
subjects under the Act.
Source: Simon Halberstam, partner and head of e-commerce law at
Sprecher Grier & Halberstam and Weblaw
Document tracking technology
Document and workflow tracking are becoming core to
collaborative tools, making employees accountable for their
input.
Microsoft Office documents have used tracking techniques for
some time, attaching the details of a particular user to any
changes they make to a document.
Adobe recently added more sophisticated version control, tracking
and collaboration features to version 7 of its Acrobat
document tool. Even users of the free Acrobat Reader 7.0 can take
part in the collaboration process, which tracks their additions and
changes to documents.
In software development, version control is used so that teams
and individuals are accountable for their work. Microsoft's
forthcoming Visual Studio 2005 Team System, IBM's forthcoming
Rational developer tools, and Borland's Delphi 2005 are three
examples of developer frameworks that will have enhanced individual
and team collaboration and, subsequently, stronger version
control.