Surveillance tools for logging and monitoring employee activities for security and compliance are getting increased attention in the enterprise, but a recent high-profile incident indicates that the same technology may also be putting organizations at risk.
Earlier this month, an employee at retail giant Wal-Mart, reportedly a systems technician, was fired for conducting unauthorized recording of communications between Wal-Mart’s PR department and a New York Times reporter.
The incident brought into question the kinds of technology organizations deploy to facilitate system health checks, employee monitoring and compliance. It also raises questions about the governance and acceptable-use policies that accompany, or should accompany, those technologies.
Hence the question, ‘Who is watching the watchdog?’ Although Wal-Mart was mum on the details, at least one IT security specialist viewed the incident as a case of “human nature running amok — a legitimate investigation that got out of hand.”
“I believe that what we are seeing here is symptomatic of a larger issue facing the security and privacy community,” said ComputerWorld (U.S.) blogger Perry Carpenter, an information security and privacy expert. Carpenter previously worked at Wal-Mart as part of its IT security group.
“Let’s face it, the cloak-and-dagger aspect of penetration testing and investigation has a certain appeal to it. Without proper and strict oversight, the employee engaged in these activities can easily give in to natural human curiosity and step over the line of acceptable and authorized behaviour,” Carpenter wrote on his blog.
When organizations deploy tools such as employee activity logging and monitoring, penetration testing and similar exercises, the IT department is typically both custodian and user of those tools. Where some organizations fail is in having the right processes and policies in place to ensure that the tools are used as intended, and not abused, said Adel Melek, global leader for privacy and security services at Toronto-based professional services firm Deloitte.
“In many instances, organizations are fast into deploying these new technologies without fully understanding the ramifications that would be associated with the business process,” Melek said.
For instance, when an IT staffer is tasked with conducting workplace surveillance, such as monitoring and logging e-mail and other communications, there needs to be a check-and-balance procedure to ensure that IT personnel are not using those surveillance tools beyond what has been authorized.
In the Wal-Mart case, what seems to have been missing was oversight, said Carpenter. “Just because the tools can be used appropriately in one context does not automatically mean that they should be used in other contexts (i.e. corporate investigations),” he pointed out.
Just as there are tools available to conduct workplace monitoring, there are also tools that enable employers to watch those enterprise watchdogs, noted John Boufford, president of the Canadian Information Processing Society (CIPS).
But having those tools available and actually taking advantage of them are two different things. And often, when an organization falls outside of the regulatory realm, governance is not always on its radar screen, said Boufford.
“When something goes wrong, [firms] often think it’s a failure of the employee and not the failure of the processes around how that employee works,” he said.
Deloitte’s Melek said organizations today are more likely to engage in workplace monitoring and logging, partly driven by regulatory and compliance requirements, as well as breach and fraud prevention.
However, most organizations have not been proactive in setting policies and guidelines that govern the conduct of workplace surveillance, he said.
“[Organizations] would be more motivated with introducing the technology, but not necessarily focused on how to properly govern it, how to ensure that there are adequate business processes and procedures supporting that,” Melek noted.
An ideal governance strategy, Melek explained, involves segregation of duties, change-control systems so that no one person has the ability to monitor all employees, and audit trails that record what items or entities are being monitored, and by whom.
Employers should also prohibit monitoring from remote points, he added. “There is no justification [for allowing] a system admin to conduct such monitoring from home.”
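What Melek's controls look like when written into the monitoring tool itself, as an added example that is not code from the article, from Wal-Mart or from any of the people quoted: a Python authorization gate that refuses a monitoring session unless a separate requester and approver have scoped it to a small, named set of accounts, that refuses sessions started from off-site addresses, and that writes every decision to a hash-chained audit log so the administrator running the tool cannot quietly edit the record afterward. The hash chain goes one step beyond the text's "audit trails"; the ticket fields, the on-site network range, the five-subject cap and the sample requests are all assumptions made for illustration.

```python
"""Authorization gate and tamper-evident audit trail for a workplace-monitoring tool.
Added example; all names, ranges and limits below are assumptions, not the article's."""
import hashlib
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: monitoring may only be started from this on-site management network.
ONSITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumption: a single approval may never cover more than this many people,
# so no one ticket puts the whole workforce under surveillance.
MAX_SUBJECTS_PER_TICKET = 5


@dataclass
class Ticket:
    ticket_id: str
    requester: str        # who asked for the monitoring (e.g. HR or legal)
    approver: str         # second person who signed off; must differ
    subjects: frozenset   # accounts that may be monitored under this ticket
    expires: datetime


class MonitoringGate:
    """Checks each monitoring request against a ticket and records the outcome."""

    def __init__(self, tickets):
        self.tickets = {t.ticket_id: t for t in tickets}
        self.audit = []            # append-only; each entry hashes the one before it
        self._prev_hash = "0" * 64

    def _record(self, operator, ticket_id, subject, origin, decision, reason):
        entry = {"seq": len(self.audit), "ts": datetime.now(timezone.utc).isoformat(),
                 "operator": operator, "ticket": ticket_id, "subject": subject,
                 "origin": origin, "decision": decision, "reason": reason,
                 "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        self._prev_hash = entry["hash"]
        return decision

    def authorize(self, operator, ticket_id, subject, origin_ip, now=None):
        """Return 'allow' or 'deny'; every call, either way, lands in the audit log."""
        now = now or datetime.now(timezone.utc)
        rec = lambda d, why: self._record(operator, ticket_id, subject, origin_ip, d, why)
        t = self.tickets.get(ticket_id)
        if t is None:
            return rec("deny", "unknown ticket")
        if now > t.expires:
            return rec("deny", "ticket expired")
        # Segregation of duties: requester, approver and operator are three people.
        if len({t.requester, t.approver, operator}) < 3:
            return rec("deny", "requester, approver and operator must differ")
        if len(t.subjects) > MAX_SUBJECTS_PER_TICKET:
            return rec("deny", "ticket scope too broad")
        if subject not in t.subjects:
            return rec("deny", "subject not in ticket scope")
        if not any(ipaddress.ip_address(origin_ip) in net for net in ONSITE_NETWORKS):
            return rec("deny", "monitoring from off-site address refused")
        return rec("allow", "within ticket scope")

    def verify_audit(self):
        """True if no entry has been altered, reordered or removed since it was written."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["seq"] != i or body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed sample: one properly scoped ticket and five requests against it."""
    now = datetime(2007, 3, 15, 9, 0, tzinfo=timezone.utc)
    ticket = Ticket("INV-0042", requester="hr.lead", approver="legal.counsel",
                    subjects=frozenset({"pr.staff1", "pr.staff2"}),
                    expires=now + timedelta(days=7))
    gate = MonitoringGate([ticket])
    decisions = [
        gate.authorize("sys.tech", "INV-0042", "pr.staff1", "10.20.3.7", now),
        gate.authorize("sys.tech", "INV-0042", "ceo", "10.20.3.7", now),
        gate.authorize("sys.tech", "INV-0042", "pr.staff1", "203.0.113.9", now),
        gate.authorize("legal.counsel", "INV-0042", "pr.staff2", "10.20.3.7", now),
        gate.authorize("sys.tech", "INV-0042", "pr.staff2", "10.20.3.7", now + timedelta(days=8)),
    ]
    return gate, decisions


if __name__ == "__main__":
    g, d = demo()
    for e, dec in zip(g.audit, d):
        print(dec, e["operator"], e["subject"], e["origin"], "-", e["reason"])
    print("audit chain intact:", g.verify_audit())
```

Only the first request is allowed: the second names an account outside the ticket, the third comes from an off-site address, the fourth has the approver operating the tool, and the fifth arrives after the ticket expired. Because each audit entry carries the hash of its predecessor, changing or deleting any line makes `verify_audit()` fail, which is the point of "who watches the watchdog": the record of what was monitored has to survive the administrator who did the monitoring.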