Security monitoring of employee behaviour on the rise - Gartner
Two-thirds of companies will have formal monitoring programmes by 2015, with social media the focus, say analysts - but there are risks
Staff can increasingly expect to be monitored by their employers – and not just what they do online during working hours, but also their contributions to social media – for the purpose of corporate security.
That is according to analyst group Gartner, which claims that 60 per cent of companies will have implemented formal programmes for monitoring external social media by 2015.
Many organisations already engage in social media monitoring as part of brand management and marketing activities, but fewer than 10 per cent currently use these same techniques as part of their security monitoring programme.
"The growth in monitoring employee behavior in digital environments is increasingly enabled by new technology and services," said Andrew Walls, research vice president of Gartner. "Surveillance of individuals, however, can both mitigate and create risk, which must be managed carefully to comply with ethical and legal standards."
To prevent, detect and remediate security incidents, IT security organisations have traditionally focused attention on monitoring their internal infrastructure. The impact of IT consumerisation, cloud services and social media renders this traditional approach inadequate for guiding decisions regarding the security of enterprise information and work processes, claims Gartner.
"Given that employees with legitimate access to enterprise information assets are involved in most security violations, security monitoring must focus on employee actions and behavior wherever the employees pursue business-related interactions on digital systems. In other words, the development of effective security intelligence and control depends on the ability to capture and analyse user actions that take place inside and outside the enterprise IT environment," said Walls.
The popularity of consumer cloud platforms, such as Facebook, Twitter and LinkedIn, has also provided new targets for security monitoring, but surveillance of user activity in these services is fraught with ethical and legal risks.
For example, accessing social media information in some circumstances can generate serious liabilities, such as a manager reviewing an employee's Facebook profile to determine their religion or sexual orientation, in violation of equal employment opportunity and privacy regulations.
Some organisations have even gone as far as requesting Facebook login information from job candidates. "Although that particular practice will gradually fade, employers will continue to pursue greater visibility of social media conversations held by employees, customers and the general public when the topics are of interest to the corporation."
Security organisations are beginning to see value in capturing and analysing social media content, not just for internal security surveillance, but also to detect shifting threats that might affect the organisation. These might include physical threats to facilities revealed through postings, or planned attacks by hacktivists.
However, adds Walls, such surveillance tools can also produce large volumes of irrelevant information and they could also be used by security staff themselves for the wrong reasons. In some countries, it could also violate privacy and other laws.
Bring your own device (BYOD) policies may also challenge corporate monitoring policies and make them unworkable. Employees' awareness of monitoring may affect their behaviour and also risk undermining trust – especially when many employees voluntarily do out-of-hours work via their own and corporate devices, suggests Computing Research.