By 2015, 60 percent of employers are likely to be eavesdropping on our social media selves to make sure our e-blabbing isn’t poking security holes into their outfits, Gartner says.
According to Gartner’s predictions, published on Tuesday in a report entitled “Conduct Digital Surveillance Ethically and Legally: 2012 Update”, employers that are now only monitoring their brands and their marketing are going to broaden their foci to include tracking employees’ social media doings as part of security monitoring.
As it is, Gartner says, less than 10 percent of organizations are currently monitoring their employees’ social media activities as part of security monitoring. Instead, they’re keeping an eye on security around internal infrastructure.
The cloud’s going to change that, as will the Bring Your Own Device culture and the popular use of iGadgets in the workplace. As organizations’ data migrate onto these technologies, security’s got to follow, Gartner says.
Here’s how Andrew Walls, research vice president of Gartner, put it in a press release:
Security monitoring and surveillance must follow enterprise information assets and work processes into whichever technical environments are used by employees to execute work. Given that employees with legitimate access to enterprise information assets are involved in most security violations, security monitoring must focus on employee actions and behavior wherever the employees pursue business-related interactions on digital systems. In other words, the development of effective security intelligence and control depends on the ability to capture and analyze user actions that take place inside and outside of the enterprise IT environment.
There certainly seems to be no shortage of internet usage monitoring tools: a simple Google search turns up pages of products.
But here’s the rub: how does an organization:
- Sift through the huge volume of irrelevant social media material to find actual threats;
- Keep its security staff from becoming creepy, voyeuristic stalkers; and
- Avoid breaking privacy laws (which, mind you, differ from state to state and country to country)?
Here’s what Walls says:
While automated, covert monitoring of computer use by staff suspected of serious policy violations can produce hard evidence of inappropriate or illegal behaviors, and guide management response, it might also violate privacy laws. In addition, user awareness of focused monitoring can be a deterrent for illicit behavior, but surveillance activities may be seen as a violation of legislation, regulations, policies or cultural expectations. There are also various laws in multiple countries that restrict the legality of interception of communications or covert monitoring of human activity.
Beyond that, how are employees going to feel about all this monitoring?
My guess is they’re going to start paying a lot more attention to privacy controls in social media, as well as the intricacies of what’s legal for their employers to do.
If you’re curious to know whether your employer can covertly and legally sift through your activity, say, by reading your encrypted email messages, a good resource is the Privacy Rights Clearinghouse’s fact sheet on workplace privacy and employee monitoring.
As far as whether or not we can be fired over what we post on social media sites, the PRC says it depends on your employer’s policies and your state’s law.
A few helpful snippets from PRC on that matter:
Many companies have social media policies that limit what you can and cannot post on social networking sites about your employer. A website called Compliance Building has a database of social media policies for hundreds of companies. You should ask your supervisor or human resources department what the policy is for your company.
Some states, including California, Colorado, Connecticut, North Dakota and New York, have laws that prohibit employers from disciplining an employee based on off-duty activity on social networking sites, unless the activity can be shown to damage the company in some way. In general, posts that are work-related have the potential to cause the company damage.
There is no federal law that we are aware of that an employer is breaking by monitoring employees on social networking sites. In fact, employers can even hire third-party companies to monitor online employee activity for them.
True that. In fact, as the PRC points out, in March 2010 a company called Teneros launched the “Social Sentry” service to track online activity of employees across social networking sites.
Interestingly enough, that service isn’t available anymore. That might have something to do with cultural expectations about privacy.
Those expectations are reflected in some of the headlines that greeted Social Sentry’s release: “Sayonara, Social Sentry: Bosses Can Spy for Free With Web Tools”, “Teneros Blows a Chill over Social Networks”, and “Big Brother is Indeed Watching You: The Spy Side of Social”.
I would feel sorry for privacy-deprived employees, but you guys are, evidently, security poison.
It’s like CIO reported on Wednesday: at Infosecurity London last month, attendees rated employees scarier when it comes to security than hackers, consultants, third parties, or domestic or foreign government agencies.
In other words, 71 percent of 300 polled attendees said that the people creeping around their own hallways were their biggest data breach threats. Bigger than domestic or foreign government agencies, bigger than Anonymous.
Network security risks from employees are pretty easy to grasp – employees could open a malware-containing email, act carelessly with company trade secrets or intellectual property, or bring insecure devices into the workplace.
Likewise, employees on social media can give away trade secrets or simply act like unprofessional idiots and thereby embarrass their employers. They can also click on scams in Facebook.
Should employers monitor their employees’ social media use? It’s hard to say no, given the potential security risks of social media.
But as we move toward workplaces with ever more pervasive surveillance, I’d suggest that organizations take the time to study the privacy laws. Those laws continue to evolve. You might be within your rights today but seen as a leering Big Brother tomorrow.