Security software turns its attention from the external threats to the dangers within

Technology can safeguard your firm from employee activity.

Hackers and virus writers hog the headlines but security surveys repeatedly show that the greatest risk to an organisation comes from its own staff.

This, together with the increasing pressure of compliance with legislation and the need for clear audit trails, has led to new interest in technology to monitor and evaluate staff behaviour.

Such systems can help in the early detection of fraud, protect an organisation's network and data from attack and boost worker productivity and efficiency.

If an implementation is clumsily handled, the effect can be disastrous. Last July, for example, 500 British Airways customer service workers, including check-in and ticket-desk staff, walked out for two days in protest at the introduction of an automated swipe-card system for recording their attendance. The airline was forced to cancel or divert 500 flights affecting 100,000 passengers.

The action by British Airways staff is not typical. Attendance tracking systems are now widespread across public and private sector organisations, and are used to monitor staff absence levels and trends, and lateness and productivity statistics.

A spectrum of other technologies is now available from a range of hardware and software suppliers, service providers and systems integrators, covering other aspects of staff tracking.

But if an organisation is not transparent about its monitoring activities, or gathers an excessive amount of data, it could fall foul of the law.

"Proper management and publication of your security policy is key," said Andy Kellett, senior research analyst with Butler Group. "When people join an organisation, they need to understand what the rules are and these need to be well displayed and clear."

It is possible to monitor an employee's physical whereabouts and attendance; activities on the internet or e-mail; instant messaging traffic; document workflows; the content of telephone conversations; and the usage of removable media devices.

Systems such as Computer Associates' eTrust 20/20 can monitor a range of activities from the doors staff open and close to their e-mail activities and what they do on the web.

The most common and least intrusive form of monitoring is web and e-mail filtering, which is available from a variety of antivirus and security suppliers and internet service providers.

An innovative example comes from Autonomy, whose software can check in real time whether staff are engaged in an activity that is against company policy. Such activity might include insider trading, or providing misleading accounts or even sending racist or sexist e-mails. The technology works across a number of formats such as e-mail, mobile phones, PDAs and instant messaging, according to Autonomy.

Another product, Smartfilter from Secure Computing, can bar undesirable websites. These might include online shopping, gambling and instant messaging. Smartfilter can highlight web usage and document inappropriate web activity, allowing organisations to enforce their web usage policies.

A technical whitepaper from Secure Computing outlined the benefits and drawbacks of filtering and monitoring software. Although filtering can block most inappropriate content and does not raise privacy concerns, it does not notify an employer when abuse has taken place, nor create a record of misuse for justifying disciplinary actions.

Monitoring software on the other hand can identify and stop certain offensive practices and allow an employer to identify and document electronic abuse, but may also raise privacy issues and undermine employee morale.

According to security software supplier Websense, its employee monitoring software can set policies to ensure that staff do not log on to inappropriate sites or download instant messages and can also discern whether an employee has accidentally clicked on a spam or phishing e-mail or is actively searching out malicious information. Websense users include several large newspaper publishers, department stores and education authorities.

As well as monitoring internet usage, organisations can monitor staff phone calls using voice monitoring systems.

Derbyshire Council uses an interactive voice response system from HTK called Homecare, which is provided as a managed service by BT. The system allows the council to monitor staff and to use voice-enabled systems.

The council has used a staff monitoring system since 1998 for about 2,000 staff, who care for the aged in their own homes. It allows staff to phone in their timesheets rather than send paper ones. The system has reduced the chances of staff entering timesheets fraudulently, and is faster and less error-prone than the previous paper-based system.

The need to track instant messaging traffic is a growing concern for IT managers.

A survey from analyst Meta Group earlier this month found that 57% of respondents used instant messaging at work for personal reasons. Perhaps more surprising is its finding that 56% use instant messaging at home for business purposes.

"Firms should view these numbers as alarming," said Ted Tzirimis, senior research analyst at Meta Group. "Although instant messaging can be a valuable tool for communication and collaboration, it can also have a viral effect when not regulated. Organisations must implement strategies to harness the value that can be derived from sanctioned use of instant messaging while limiting personal use of the application."

But Tzirimis said that policy enforcement was the solution rather than implementing more technology. "The good news for companies is that although policy creation is not a silver bullet to stop unsanctioned use of instant messaging, it is easy and relatively inexpensive. Moreover, our survey suggests it can also be a fairly effective measure for controlling use of instant messaging."

Ken Charman, European director of business development at FaceTime, a developer of instant messaging tracking software, said, "The security issues that face instant messaging are bigger than those posed by e-mail because instant messaging clients are designed to slip past existing IT security, and, unlike most other threats, work from the inside out, which is why most firewalls and URL blocking solutions fall short for instant messaging.

"Instant messaging clients are adept at finding their way through obstacles such as perimeter network defences and are, by their very nature, promiscuous. They will move from one firewall port to the next until they eventually find a way out. This provides an unsecured channel for viruses, worms, rogue protocols and other malicious content to travel freely into and around the company."

Monitoring: keep within the law

  • An employer must be aware of the legal mesh created by the Data Protection Act, the Human Rights Act and the Regulation of Investigatory Powers Act. If an employer has not advised an employee of the sort of monitoring it intends to carry out, it may not, irrespective of what the employee is up to, be able to use any evidence it has gathered to support a dismissal. It may even find itself on the receiving end of legal proceedings for infringing the employee's rights.
  • Tracking staff e-mails, web activity, phone calls and movements may not only infringe the right to privacy under the Human Rights Act, but also the Data Protection Act, which provides for the processing of personal data in accordance with the rights of data subjects under the Act.

Source: Simon Halberstam, partner and head of e-commerce law at Sprecher Grier & Halberstam and Weblaw


Document tracking technology       

Document and workflow tracking are becoming core to collaborative tools, making employees accountable for their input.  

Microsoft Office documents have used tracking techniques for some time, attaching the details of a particular user to any changes they make to a document.  

Adobe recently added more sophisticated version control, and tracking and collaboration features to version 7 of its Acrobat document tool. Even users of the free Acrobat Reader 7.0 can take part in the collaboration process, which tracks their additions and changes to documents.  

In software development, version control is used so that teams and individuals are accountable for their work. Microsoft's forthcoming Visual Studio 2005 Team System, IBM's forthcoming Rational developer tools, and Borland's Delphi 2005 are three examples of developer frameworks that will have enhanced individual and team collaboration, and subsequently, stronger version control.
