Whitepaper: Increasing role of employee monitoring within public and private sector organisations.

GOOD GOVERNANCE OR BIG BROTHER STATE?

So what do we mean by network or employee monitoring? For the purpose of this whitepaper we have given it the definition of: to monitor, review and report on the traffic that is carried across an organisational LAN for the benefit of ensuring sound governance and corporate responsibility.

There are a number of ways a network can be monitored, both as a managed process or as a malicious invasion. Monitoring can occur at a client level (the desktop/laptop) or at a network level (switch/server fabric). Regardless of where or how traffic is monitored, it is good governance to be aware of the nature of the network and how your staff are conducting themselves, as they represent the organisation you are responsible for. Or is it an imposition by the organisation and an infringement of the rights of the employee? We will look at the infringement of civil liberties and the invasion of privacy, balanced against the organisation remaining compliant with regulations, protecting data security and managing staff productivity.

REASONS FOR USING NETWORK MONITORING:

Broadly speaking, there are two reasons for network monitoring. Firstly, to maintain a reasonable balance between the social management of staff, the protection of company assets such as database records and brand, and the highest levels of productivity. Secondly, to ensure the correct technical management of the network from the system administration point of view, and that the optimum value for money is being realised by the ICT team for the organisation.

Value for Money:
A network is the balance of proven technology and cutting-edge development aimed at increasing the speed of the network and thus the productivity of the organisation. Knowing how traffic is flowing across the network, where bottlenecks occur and where potential risks that may cause disruption may arise is a constant task for the ICT team. Managing this process ensures value for money, as investment can be made in the areas that are most in need of development.
Compliance:
Whether the regulations are ISO, PCI-DSS, Sarbanes-Oxley, HIPAA or any other industry sector requirement, compliance is a set of rules, a standard, a process. The organisation, when audited, needs to be able to show it has a clear process: it follows the process, reviews the process, can measure the process, and can monitor, report and cross-check the process so that it can take action when needed. Otherwise compliance may not be attained. A good network monitoring tool will ensure this can happen.

Staff Productivity:
This is often quoted as a benefit of many technologies; however, it is very hard to prove. With the right tool, actual activity can be measured and performance can be quantified. This works both as a positive influence for the awarding of bonuses under management by objectives, and as a deterrent and guardian against inappropriate use of organisational property and resources. In some instances, by assessing staff productivity through activity, document and application usage, organisations are able to deal with redundancies in a fair and just way.

Data Security:
With modern Anti-Virus, Anti-SPAM, filtering and external threat management tools being so effective, the biggest risk to an organisation is from within. 1 in 5 employees would remove company data at least 5 days prior to resigning. Without real-time reporting, how else will your organisation be able to be aware of breaches in security? In the worst-case examples, would your organisation rather have a forensic archive of activity as proof?

Billing and Fraud:
Organisations that have fee-earning practitioners must be able to prove the value of their service to their clients. Specific applications have been designed to help with this; however, being able to prove it without question can only enhance the client's perception of your organisation, which in turn builds customer relations and trust. In the unlikely event that a member of staff claims for work that hasn't been done, because the employee was distracted with other tasks or personal activities, this would open the organisation to accusations of fraud. Monitoring will ensure this rarely progresses to become an issue.
MYTHS OF NETWORK MONITORING:

Common misleading statements that are heard when discussing network monitoring are: "It's a bit Big Brother, isn't it?", "This is an invasion of privacy." and "This is an abuse of civil liberties." All three revolve around the idea of the individual being spied upon. Network monitoring does not spy on any one individual, but looks at the network as a whole. The fact that a good system can provide granular analysis at an individual level is a reflection that a network is made of many individual machines and users.

Invasion of Privacy:
"Regulation or statute that protects a person's right to be left alone, and governs collection, storage, and release of his or her financial, medical, and other personal information." http://www.businessdictionary.com/definition/privacy-law.html

"Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define. Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information." https://www.privacyinternational.org/survey/phr2003/overview.htm

"No one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks." 1948; Universal Declaration of Human Rights, Article 12.

"(1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others." 1950; European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8.
What all these quotes illustrate is the notion of home and privacy. Without roaming into a wider dialogue on the intricacies of legal definition, the exceptions are considered for crime, morals, and the rights and freedoms of others. But this is still within the home environment. Network monitoring is solely in the area of the business context and does not extend into the home. If someone is working from home they are in the context of work, being paid by the organisation to fulfil their responsibilities as an employee. When at work we are contracted to be at work and accept the remuneration awarded to us for representing our organisation, not to undertake our own activities, post CVs, visit job websites, take company data or use social media for personal gain. Privacy is for us as individuals; when we join a company we become part of that organisation, utilising our knowledge and character and accepting a salary so that our actions will benefit the whole.

Big Brother:
George Orwell's story 1984, of the state controlling, conditioning and organising the life of an individual, leaving them without choice of action and subjugating them through fear of retribution, is not what network monitoring does. There is more cause for concern in the number of CCTV cameras currently in operation in the UK. At present the figure varies between 1 for every 30 to 40 people, depending on whose figures you read. https://www.cctvusergroup.com/art.php?art=94

A general understanding is that rules and laws, and the monitoring and policing of them, are of no concern to those who keep them; they only bother those who break them. Children understand the meaning of words and actions as black and white. Adults will rationalise shades of grey relative to their own social, environmental and educational upbringing. What might be right for one person might not be for another.

Network Monitoring should only be used to monitor staff under suspicion:
Ironically, this is more Orwellian than simply monitoring the whole network. It jeopardises the HR function and can open the organisation to discrimination tribunals, constructive dismissal and victimisation claims. All of these are voided when everyone is included in the process of network monitoring.
ETHICS AND NETWORK MONITORING:

It is a de facto standard that all organisations have, to some degree, a level of monitoring already in place, such as:
Anti-Virus
Anti-SPAM
Web filtering
All of which can monitor traffic and report on activity.

Acceptable Use Policy (AUP):
All organisations have an AUP now that email and Internet usage is so commonplace. A standard AUP clearly states what is expected of an employee and that the system will be monitored. So much so that the Department for Trade and Industry, via Business Link, has given guidelines stating what an acceptable AUP should contain; see the link for details. http://www.businesslink.gov.uk/bdotg/action/detail?itemid=1076142227&type=RESOURCES

To quote directly from the text: "Use of email by employees of [business name] is permitted and encouraged where such use supports the goals and objectives of the business. Supporting the goals and objectives of the business does not include personal use."

The document then goes on to say that the employee must ensure that they: comply with current legislation; use email in an acceptable way; do not create unnecessary business risk to the company by their misuse of the Internet.

Not creating unnecessary business risk: any business has the right to protect itself from malicious attack, whether from the outside or from within. The text then goes on to list what is considered unacceptable behaviour, including: personal business, breach of confidentiality, distribution of indecent material, hacking, breaking or wasting network resources, etc. Finally the document recognises the valuable use of email, but that misuse will have a negative impact on the productivity and reputation of the business. To this end, quoting the text again: "In order to ensure compliance with this policy, the company also reserves the right to use monitoring software in order to check upon the use and content of emails."
Contract of Employment:
Every member of staff would normally have signed a contract of employment, which binds them in agreement to working for your organisation during certain times, with a remuneration package in return. This contract will include AUP, confidentiality, equal opportunities, and health and safety clauses. So how do organisations police breaches of this contract? Most organisations don't, and only realise this after the event, when it is often too late to take effective action. As part of the daily log-on process a popup window can appear informing the user that they are using a system that is monitored as part of company procedure, thus ensuring compliance, AUP and confidentiality at a corporate level.

EXAMPLES OF NETWORK MONITORING:

For the purpose of this whitepaper we will not name the companies or organisations involved, but will relay their experiences. Monitoring of the network is widespread within both the public and private sectors. We have seen it working effectively within education, from primary through secondary to university level. In law enforcement, agencies have used it for the analysis of data traffic and the elimination of potential corruption. In legal and accountancy firms, monitoring is used to prove billable hours. In banks, software has been implemented to combat illegal trading. In firms generally, it is used for spotting when a member of staff is looking at job sites and posting their CV whilst at work. Being able to see that the company as a whole spends a disproportionate amount of time using the Internet, and seeing who is doing what and when, can save an organisation time and increase productivity.

"The anguish of low quality lingers long after the sweetness of low cost is forgotten." Peter Gregory, CISSP, CISA
SUMMARY:

Monitoring the network is a necessary part of modern communications, primarily from the point of view of the organisation ensuring it gets as quick a return on investment as possible, so that it realises the greatest value for money from the technology it purchases. In addition, protecting company assets, whether from internal or external threat, is good practice; to ignore either threat is negligent.

"To know how to do it is simple, the difficulty is doing it." Chinese Proverb

For those who worry about the social impact of network monitoring, it does depend on how the information is used once a picture of who is doing what within the network is gained. If the organisation sees there is a trend of private email, Internet surfing and inactivity during work hours, it has a choice of either removing staff members (which will only cost more money to replace them) or embarking on a social capital investment with motivation, coaching and team-building development programmes. The technology we offer will monitor your network conclusively. We are also able to offer Employment Law specialists for free consultations once the software is in place, and we are able to do the same for social capital programmes in people development.