By 2015, 60 percent of employers are likely to be eavesdropping on our social media selves to make sure our e-blabbing isn’t poking security holes into their outfits, Gartner says.
According to Gartner’s predictions, published on Tuesday in a report entitled “Conduct Digital Surveillance Ethically and Legally: 2012 Update”, employers that are now only monitoring their brands and their marketing are going to broaden their foci to include tracking employees’ social media doings as part of security monitoring.
As it is, Gartner says, less than 10 percent of organizations are currently monitoring their employees’ social media activities as part of security monitoring. Instead, they’re keeping an eye on security around internal infrastructure.
The cloud’s going to change that, as will the Bring Your Own Device culture and the popular use of iGadgets in the workplace. As organizations’ data migrate onto these technologies, security’s got to follow, Gartner says.
Here’s how Andrew Walls, research vice president of Gartner, put it in a press release:
Security monitoring and surveillance must follow enterprise information assets and work processes into whichever technical environments are used by employees to execute work. Given that employees with legitimate access to enterprise information assets are involved in most security violations, security monitoring must focus on employee actions and behavior wherever the employees pursue business-related interactions on digital systems. In other words, the development of effective security intelligence and control depends on the ability to capture and analyze user actions that take place inside and outside of the enterprise IT environment.
There certainly seems to be no shortage of internet usage monitoring tools: a simple Google search returns pages of products.
But here’s the rub: how does an organization:
- Sift through the huge volume of irrelevant social media material to find actual threats;
- Keep its security staff from becoming creepy, voyeuristic stalkers; and
- Avoid breaking privacy laws (which, mind you, differ from state to state and country to country)?
Here’s what Walls says:
While automated, covert monitoring of computer use by staff suspected of serious policy violations can produce hard evidence of inappropriate or illegal behaviors, and guide management response, it might also violate privacy laws. In addition, user awareness of focused monitoring can be a deterrent for illicit behavior, but surveillance activities may be seen as a violation of legislation, regulations, policies or cultural expectations. There are also various laws in multiple countries that restrict the legality of interception of communications or covert monitoring of human activity.
Beyond that, how are employees going to feel about all this monitoring?
My guess is they’re going to start paying a lot more attention to privacy controls in social media, as well as the intricacies of what’s legal for their employers to do.
If you’re curious to know whether your employer can covertly and legally sift through your activity, say, by reading your encrypted email messages, a good resource is the Privacy Rights Clearinghouse’s fact sheet on workplace privacy and employee monitoring.
As far as whether or not we can be fired over what we post on social media sites, the PRC says it depends on your employer’s policies and your state’s law.
A few helpful snippets from PRC on that matter:
Many companies have social media policies that limit what you can and cannot post on social networking sites about your employer. A website called Compliance Building has a database of social media policies for hundreds of companies. You should ask your supervisor or human resources department what the policy is for your company.
Some states, including California, Colorado, Connecticut, North Dakota and New York, have laws that prohibit employers from disciplining an employee based on off-duty activity on social networking sites, unless the activity can be shown to damage the company in some way. In general, posts that are work-related have the potential to cause the company damage.
There is no federal law that we are aware of that an employer is breaking by monitoring employees on social networking sites. In fact, employers can even hire third-party companies to monitor online employee activity for them.
True that. In fact, as the PRC points out, in March 2010 a company called Teneros launched the “Social Sentry” service to track online activity of employees across social networking sites.
Interestingly enough, that service isn’t available anymore. That might have something to do with cultural expectations about privacy.
Those expectations are reflected in some of the headlines that greeted Social Sentry’s release: “Sayonara, Social Sentry: Bosses Can Spy for Free With Web Tools”, “Teneros Blows a Chill over Social Networks”, and “Big Brother is Indeed Watching You: The Spy Side of Social”.
I would feel sorry for privacy-deprived employees, but you guys are, evidently, security poison.
It’s like CIO reported on Wednesday: at Infosecurity London last month, attendees rated employees scarier when it comes to security than hackers, consultants, third parties, or domestic or foreign government agencies.
In other words, 71 percent of 300 polled attendees said that the people creeping around their own hallways were their biggest data breach threats. Bigger than domestic or foreign government agencies, bigger than Anonymous.
Network security risks from employees are pretty easy to grasp – employees could open a malware-containing email, act carelessly with company trade secrets or intellectual property, or bring insecure devices into the workplace.
Likewise, employees on social media can give away trade secrets or simply act like unprofessional idiots and thereby embarrass their employers. They can also click on scams in Facebook.
Should employers monitor their employees’ social media use? It’s hard to say no, given the potential security risks of social media.
But as we move toward workplaces with ever more pervasive surveillance, I’d suggest that organizations take the time to study the privacy laws. Those laws continue to evolve. You might be within your rights today but seen as a leering Big Brother tomorrow.
Employers are now trying to manage the private lives of employees they have no right poking their noses into. The human rights act grants us all the right to a private life and employer paranoia means they are sticking their noses in where it does not belong.
If Facebook is a security risk for employers to get malware from then why not just block access to it from work systems? This whole thing is leading to a massive slide towards a level of spying on individuals Orwell would be shocked about.
In the end, it is everybody's responsibility to carefully consider what they post in public. Posting on Facebook is just like writing your thoughts on a T-shirt and wearing it to work.
No, it isn't at all. If you have your privacy levels set appropriately it is more like having a conversation with a group of friends. Last I checked, employers have no right to interfere with this kind of personal activity.
"If you have your privacy levels set appropriately…"
We've all seen that privacy settings are not dependable. If it's on the internet, assume ANYBODY can see it. Remember, www = World Wide Web. What anybody does with what was posted is fair game.
My opinion may not be popular, but it's mine sooo… I fully agree the employer has no right to snoop into my private life, whether by creeping my FB if I'm dense enough not to know how to set my privacy, nor should they be able to 'demand' me to friend them or give them my PW (which is a violation of T&C). Doesn't give the employer much faith in my integrity if I pick and choose what rules to violate, does it? Having said that, I don't think employees should be wasting the company's time on FB or texting friends at work unless it is part of the job description. Keep it above board at work and the problem solves itself.
Matt,
If your line of reasoning was valid, then one could successfully argue that because someone's security controls are poor, breaking into their (computer, website, wall safe, child's nursery) is a legitimate act. If an individual takes steps to limit what they post, then it could be considered a privileged conversation and if an employer took steps to see what they post, it would be a privacy violation. The quality of the controls is irrelevant, the INTENT of individual and the INTENT of the employer are relevant. Again, arguing about the judgement or lack thereof when it comes to what is posted isn't relevant. If someone attempts to make their communications private, then an employer is violating personal privacy when they try to read it and making comments in private is very different from making them in public.
Topol,
I agree with what you say regarding legitimacy and intent. It would be fantastic if the world actually worked this way. My point is, do not post things that you prefer others not to see. Whether they gain access legitimately or illegally, they gained access and can make whatever judgements they like. If a prospective employer does not like what they see, you may not get the job. Here judgement is relevant.
Granted I agree with you that a lack of security does not justify anyone to hack the account of a person if said person is careless with their passwords or does not manage their privacy controls. But people suck. And it WILL still happen. Imagine if you went out drinking with your friends and, in your inebriated state, you (INSERT EMBARRASSING MOMENT HERE), whose fault is it if suddenly you find pictures of that posted all over Facebook? Hell, forget Facebook. How about if it's on the television or in the local papers? Or gossiped around the water cooler on Monday at the office? News reporters do this all the time.
The point I'm making is: You must always be aware of your conduct and behavior, wherever you are, whether online or offline, because the world is not truly private in any sense, and you WILL be judged, whether you like it or not. Yes it sucks, but that's the way it is.
This basically comes down to trying to control people in every aspect of their life.
As the late great Bill Hicks would say, "you are free… to do as we tell you"
If you're at work and it's their computers then I don't see a problem. But no way would I give my password or friend someone as part of my job. They can kms. They have no right to our private lives… BTW I know my spelling sucks, but you get the point
I disagree with Ms Vaas’ view that monitoring of employees’ online activities is an acceptable way of managing potential security risks. Organisations should only be able to monitor employees when they have good reason to suspect the employee is engaged in illegal conduct. I acknowledge that employers feel increasingly susceptible to security concerns, but there are other ways of managing security risks. One alternative is to block personal online activity on company owned computer equipment. Some would argue that employees would be inconvenienced if they could not access company owned computer equipment for their personal use. However, I think a little inconvenience is a small price to pay to safeguard the privacy of employees. Besides, most working individuals own an internet-capable personal device these days. Unlike Ms Vaas who describes employees as ‘security poison’, I believe that employees are human beings whose fundamental right to privacy should be respected. Ms Vaas suggests that employers take the time to study the privacy laws so that their monitoring is legal. Instead of ensuring that monitoring is legal, let’s examine the detrimental effects monitoring can have on the overall performance of employees which, in turn, affects the company’s bottom line.
Monitoring deprives employees of their privacy, which is in breach of a basic human right. Stanley Benn (Open Polytechnic, 2015) argues that privacy enables us to create or maintain our individual human personalities, and provides freedom from intrusion. Because privacy is integral to our identity, Martin and Freeman (2003) assert that privacy is a social good which is fundamental to society. An employer-employee relationship contains an inherently uneven power balance because the employer is in control of the employee’s source of income. Allowing employers to collect and monitor personal online information only adds to the power imbalance in this relationship, which can lead the employee to feel disempowered and less confident (Sarpong & Rees, 2014).
Monitoring not only undermines employees’ rights to privacy, it has also been linked to high levels of stress, anxiety and physical health problems (Sarpong & Rees, 2014). Some workers are believed to be apprehensive, due to the psychological strain of being continually monitored and the fear of disciplinary action. This strain can contribute to ill health and poor performance, leading to an increase in sick leave. In addition, monitoring can have a negative effect on workplace morale. Sarpong and Rees (2014) cite research which found suspicion and hostility in some workplaces where monitoring takes place. The research found that monitoring can cause employee resentment which, in turn, affects employees’ productivity, commitment and attendance. Therefore, it seems clear that invasion of privacy can actually have a counter effect on the productivity of an organisation.
Ms Vaas states that organisations monitor their employees in order to reduce network security risks and the theft of company trade secrets or intellectual property. But is that the only reason? Steve May (2014) suggests organisations are increasingly concerned that employees can instantly alert their friends and families to issues that employers would prefer to keep private, or ‘handle’ in a particular way. For example, May (2014) reports the sacking of a beauty editor of a woman’s magazine when her employer discovered she authored an anonymous blog that revealed truths about the beauty industry that were known in the industry, but not usually divulged to the general public. May (2014) reports a steady increase in US workers being fired specifically for violating their company’s social media policy. Employee monitoring of online activity raises the question: where is the boundary between an employer’s authority and an employee’s right to free expression? What employees do via social media and in personal email should be their own business.
Employee monitoring also has the potential to inflict harm on society through the employer’s ability to effectively silence any direct or implied criticism from their employees. They may be reducing the ability of employees to hold organisations accountable for inappropriate or illegal behaviour. Take the example of a lawsuit filed by six whistle-blowers at the Food and Drug Administration (Mintz, 2012). The complainants maintained that private correspondence from their password-protected personal email accounts was intercepted after they complained about serious irregularities in the agency’s review process. The lawsuit alleged that the FDA used the data to retaliate against the whistle-blowers (Mintz, 2012); we should all be concerned about the societal consequences if employees are forced into online silence simply to keep their jobs.
There is also the problem of bias and/or discrimination creeping into staff management decisions. People often share their personal views with their friends on social media. While organisations are viewing an employee’s social media for ‘security’ reasons, they might well come across religious, political, or personal beliefs which conflict with their own values. As Lewis Maltby of the Wall Street Journal (2014) notes, there is a real danger of people being penalised in the workplace for their personal views which have no bearing on the work they carry out.
The author argues that employers should monitor their employees’ online activities to avoid employees giving away trade secrets or acting like ‘unprofessional idiots’. But does monitoring really reduce these problems? It seems debatable. S. Kumar (2015) of Time points out that employees are not going to openly share serious infringements on social media. In addition, Kumar notes that the millennial generation are adept at controlling and manipulating their online presence. Also, many small to medium sized businesses simply do not have the resources to monitor the data that is being collected. Given these considerations, the limited effectiveness of employee monitoring may not actually be worth the time and expense.
Overall, I agree with Ms Vaas that rapidly changing technology poses new challenges and risks for companies. However, I disagree that monitoring of employees’ personal online activity is an acceptable or effective way to manage these risks. Monitoring undermines an employee’s rights to privacy, and can actually decrease morale and productivity. We cannot allow privacy to be constantly eroded in the name of ‘security’.
References
Kumar, S. (2015). Why monitoring employees’ social media is a bad idea. Time Magazine. Accessed online: http://time.com/3894276/social-media-monitoring-work/.
Maltby, L. (2014). Should companies monitor their employees’ social media? The Wall Street Journal. Accessed online: http://www.wsj.com/articles/should-companies-monitor-their-employees-social-media-1399648685.
Martin, K., & Freeman, E. (2003). Some problems with employee monitoring. Journal of Business Ethics, 43, 353-361.
May, S. (2012). Case studies in organizational communication: Ethical perspectives and practices (second edition). California: Sage.
Mintz, S. (2012). Should employers be allowed to monitor employee e-mail. Workplace ethics advice. Accessed online: http://www.workplaceethicsadvice.com/2012/02/should-employers-be-allowed-to-monitor-employee-e-mail.html.
Open Polytechnic of New Zealand. (2015). Module three. Business ethics course. Lower Hutt, NZ: Author.
Sarpong, S., & Rees, D. (2014). Assessing the effects of ‘big brother’ in a workplace: The case of WAST. European Management Journal, pp. 216-221.
How do you propose to “block personal online activity” of employees without monitoring their network traffic to decide whether they are working or not?