When it comes to weighing the needs of corporate security against the rights
of employees to privacy in the workplace, IT managers find there’s really no
It’s all about the security.
Increasingly, security managers and IT managers are looking down the barrel
of employing monitoring software. And it’s not always for monitoring the
perimeter. More and more of it is geared to monitoring people inside the
company — scanning incoming and outgoing emails for certain words that
might warn of corporate information being leaked, logging keystrokes, and
keeping track of what Web sites workers are going to.
And security analysts agree that it’s a necessary step to take, even if
monitoring people you have coffee with in the break room doesn’t feel
Despite most people’s fears that hackers will break into the company and
destroy data or steal critical information, more often than not, security
breaches come from the inside. It’s the company’s own employees — the man
working in HR, the office manager — who are wreaking havoc. They’re snooping
into colleagues’ personnel files. They’re changing their own records.
They’re even being paid by competitors to sneak key marketing or engineering
plans out of the office.
“Insider risk is still the single highest potential loss that a company
has,” says Dan Woolley, a vice president at SilentRunner, a network
security company. “We know historically that there are huge amounts of
potential risk associated with insider use of technology. It could be as
simple as someone leaving a wireless connection open. Or if somebody becomes
disgruntled or doesn’t like another employee, she can do things that will
cost the corporation a lot of money. That’s where you’ve got to be really
Gartner Inc., an industry analyst firm, reports that most financial losses
come at the hands of insiders — either working alone or with someone outside
the company. Other analyst firms suggest that as much as 70% to 90% of security breaches come from the inside.
And face it, it’s the employees — not the kid home alone after school and
not even paid corporate saboteurs — who know how best to hurt the company.
They can more easily guess at the boss’s password. Maybe they’ve even seen
the password on a Post-It stuck to her monitor. They know when new projects
are being planned out. They probably even know where the key information is
It’s all right there for the taking for anyone who has the motive to go get
“Look, we could be talking about people being paid $20,000 or $30,000 a
year,” says Woolley. “They’re being enlisted by people saying, ‘How would
you like us to pay for your daughter to go to college? You just need to get
us some information. How about $5,000?’ Corporate data is very critical, but
corporate networks are very porous. This happens a lot more than we’d like
to think it does.”
The figures about insider-based security problems are enough to make IT
managers look twice at the colleagues they're passing in the hallway or sitting
beside in monthly meetings. But monitoring them is still not always an easy
step to take.
“Security managers and CIOs are well aware of the threat posed by insiders,
but often find it easier technically and politically to take action against
external threats instead,” says Victor S. Wheatman, managing vice president
for Gartner. “Businesses must take steps to secure themselves against
criminally intent insiders or resign themselves to suffering significant
losses from insider crimes.”
What About Employees’ Rights?
Once IT managers get past the fact that they're monitoring their employees,
and the fact that it's going to take another bite out of their already
dwindling budgets, they have to figure out what they have the right to
monitor. Do employees have the right to expect privacy in the workplace?
No, say most industry experts. When it comes to using the company network,
company computers, the corporate email system, even the company phone
system, everything that crosses those connections is company information. If
an employee is shopping online during his lunch break, it’s the company’s
business. If another employee is sending an email to his college roommate,
the company has the right to read it. If a worker is checking her personal
HotMail account, the company even has a right to read that since she’s
checking it over the corporate network and on the corporate computer.
“The law says that there should be no expectation of privacy in electronic
documents and email,” says Vincent Schiavone, president of
Philadelphia-based ePrivacy Group Inc. “No employee should expect privacy
in the workplace. The companies have a requirement to maintain a safe
workplace. That’s hard to do. They have a requirement to have adequate
security on the system.”
But they also have a requirement to set up a clearly stated policy regarding
employee usage of the Internet and email. If a company is going to monitor
employees, that also needs to be in the policy and employees need to be
educated about it, says Mark Rasch, senior vice president and chief security
counsel of Omaha, Neb.-based Solutionary, Inc.
“You have to tell employees that you intend to monitor email, Internet
use…” says Rasch, who notes that monitoring policies take a lot of
planning and should involve HR, the legal team, IT and business executives.
“You have to have the policies well posted and well-known in the company.
You have to have the employee’s consent for legal reasons.”
Rasch says federal and state wiretapping laws require employee notification
of all in-house monitoring. The federal Electronic Communications Privacy
Act extends wiretapping laws to electronic records, which includes email and
“You don’t want people to be caught by surprise,” adds Rasch. “You don’t
want people to think they have privacy when they don’t. You need to spell
out to employees that you plan to look at all that stuff. If you don’t plan
to look at it, then spell that out as well.”
Rasch says employers really need to drive home the point with workers that
they shouldn’t expect privacy in the workplace. Give them specifics. If the
company wants to be able to monitor personal emails sent over company
computers but on a personal Yahoo account, tell them so. If the company
plans on monitoring keystrokes when an employee is checking her online bank
account, tell them so. If employees shouldn’t be doing anything personal on
company time, spell that out.
“You’ve got to set up their expectations,” adds Rasch. “People say they
have no expectation of privacy and then they act like they do… One of the
problems is that people’s expectations of privacy are based not only on the
policy but on how the policy is enforced. If you have a usage policy that’s
never enforced or enforced indiscriminately, then people develop
expectations of privacy. Then they’ll be shocked and upset when you do