Employee monitoring as a means for data security
In a time of computer revolution, more and more business processes and operational activities are based on IT systems. Last year alone, approx. 32% of respondents in a poll conducted by B2B International and Kaspersky Lab had to tackle a data leak resulting from employee negligence. Deliberate incidents were observed by as many as 18% of companies. That is why it is critical to have solutions that provide comprehensive protection. Such protection can be offered not only by antivirus software, but also by programs for monitoring employee activity on computers. This kind of software allows the monitoring of computer traffic, unauthorized actions, the connection of portable disks and the legality of the installed software. It secures not only the IT resources, but also the reputation of the company, employees’ intellectual property and customer privacy.

Most employers see monitoring as a method to improve productivity. Employees, on the other hand, fear control and consider it a method of surveillance. That is why monitoring software is commonly called software for spying on employees. However, is surveillance really the point of it all? Thorough control of employees’ actions and improved equipment utilization do not always bring better results, the attainment of goals, or company success. Sometimes relationships, mutual trust, the atmosphere or creativity get hurt in the process. Everything depends on how the employees are informed about the issues related to the monitoring of the devices they are using. Employee monitoring software can help to improve productivity, but it will never replace effective management that is oriented toward goals rather than toward the time employees spend actively using a machine.
From the perspective of IT departments, employee productivity is not so important. For the people responsible for telecommunications and IT infrastructure in the company, the most important aspect of such monitoring is IT security and the opportunity to limit those employee actions, often inadvertent, that might harm it.

“While implementing employee monitoring in an organization, you must remember that control itself is not enough. This is not about retroactively learning what happened in the past, analyzing it and taking actions. Primarily, we want to prevent threats: to be proactive, not to repair damage. Thus, let’s take care of the proper training of employees in the scope of the rules and principles of company security policy, data protection, IT bylaws, etc. Let’s provide them with constant access to documents containing the above provisions. Let’s respond to their questions, clarify doubts and give advice on how to meet the provisions of security regulations in day-to-day work. Without such preparation, the monitoring itself simply makes no sense,” explains Grzegorz Oleksy, director of Axence, a company offering nVision software for corporate network security monitoring.

Experiments carried out within companies show that even informing employees that they will be monitored is very motivating: work breaks are shorter, the number of printouts is reduced, and fewer people use social media portals or deal with private affairs while at work. Only in a justified case, e.g. when an incident that threatens the company’s security or reputation is suspected, is it worthwhile to analyze the monitoring data in detail or even to resort to periodic screenshots; in an extreme situation this will allow for the effective collection of electronic evidence.

Companies are collecting more and more data, and at the same time the equipment processing these data is growing more diverse.
Guaranteeing the security of confidential information in such a variable and demanding environment is one of the key challenges of contemporary legislation. As average users of the digital world, we are not always aware of its threats, and therefore education in this area seems necessary. Education in legal matters also seems to be needed, especially with regard to sensitive, confidential data, as their secure processing constitutes not only a special challenge, but also an obligation.

“Unfortunately, many companies still believe that investing in an advanced technological solution is a guarantee of sufficient security. However, the fact that the security policy should involve technical measures, full information about procedures and physical security should not be forgotten. Risks for data stored in the IT system are related to threats coming from various sources – these can be conscious or fully unintentional user errors as well as cyber-attacks. If intruders get unauthorized access to the system, they can interfere with services, interrupt system operation, and also change, delete or simply steal valuable information,” says Grzegorz Oleksy.

Companies are beginning to understand that they are facing a multitude of serious threats, such as sniffing, spoofing, anonymizing proxies, connection tunneling and redirecting, tabnabbing, clickjacking, DoS, DDoS, SQL injection, ARP cache poisoning and password guessing. These threats may lead to the violation of the rules of conduct or, even worse, to a crime. An equally unpleasant consequence is the loss of credibility, which goes hand in hand with the loss of customers and financial losses. Contrary to the common stereotype about the threats posed by a hacking attack, much bigger losses are related to internal negligence within companies and the so-called human factor.
Last year’s report by Fortinet indicated that the number of people willing to break the corporate rules on the use of their own devices in the workplace grew by 42% in comparison to the 2012 survey. In view of increased employee mobility and the increasingly popular trend of working on private devices, companies should be paying much more attention to protective measures for their infrastructure, including the technological infrastructure, as an interruption of business continuity may even result in the loss of customers and market position.

“You must be aware that even seemingly petty matters may have unexpectedly dire consequences. One wrong move, incorrectly saved files, a lost portable disk full of data may have a tremendous impact. According to article 51 of the act on the protection of personal data, data administrators who provide access to data to an unauthorized person or make it possible to access such data are subject to fines, restriction of liberty or imprisonment of up to two years. Therefore consequences – even of an unintentional action – might be enormous. That is why it is important both to monitor what is happening with the data and to train the employees as well,” adds Oleksy.

It is the responsibility of each company not only to take care of the security of its IT system infrastructure, which is the duty of IT departments, but also to develop and implement procedures related to an information security policy, which governs how information containing personal data is managed, protected and distributed. Another grave aspect of security is the issue of reputation. As a 2013 Deloitte survey indicated, as many as 70% of representatives of small companies do not believe or are not aware that a violation of data security would have financial consequences or a negative impact on the credibility of their business.
For companies, protection against critical situations brings many obvious benefits, such as more efficient operation or the elimination of additional costs related to data loss. The use of monitoring software not only protects the company against unpleasant consequences, but also constitutes a guarantee for customers that their data are protected in many ways. This can be one of the company’s distinguishing features in the market and can improve its competitive edge. What matters is that the scope and method of control are proportionate to the objective assumed by the employer. The objective must also be rationally explicable. Therefore, the employer may apply only those measures that improve the productivity of its employees or guarantee the safety of corporate data, and that do not aim to collect the private data of the employees, watch them at all times, or harass them as a consequence.