Web Monitoring: How to Track Employee Data Access (Without Going Overboard)
Monitoring access to corporate data can be an effective way to keep the crown jewels from walking out the door, but it requires a careful balancing act.
By Lauren Gibbons Paul
Today, Moynihan consults with other states and gives presentations to both public- and private-sector audiences on how to take a commonsense approach to data surveillance, web monitoring and privacy policies. Chief among his advice is to create a strong data access policy, train employees on that policy and then enforce it when violations occur. Sounds simple enough, but there are many traps for the unwary.
Unlike when Massachusetts started its homegrown approach, technology and tools now exist to scan and store just about anything: employee access to databases, as well as e-mails, instant messaging transcripts, Web surfing habits, keywords entered and even each individual keystroke in files. (For a list of tools providers, see "Who's Who" at www.csoonline.com/printlinks.) In addition, it's long been established that employees have no expectation of privacy in their use of company systems. But how do you do this well and cost-effectively? It takes an assessment of your organization (the purpose of your business, the kind of data you have, the nature of employees' work and the culture that allows them to be successful) balanced with the need to secure the integrity of your key information assets.
Risk Begins at Home
Information security has for the most part focused on the perimeter of the network. But experts and CISOs agree that the biggest threat to data security comes from insiders who have free and easy access to the data, not outsiders who manage through extraordinary means to penetrate a firewall and various authentication measures.
"I worry most about the insider threat. An unhappy employee is far and away the most difficult to track down and potentially the most dangerous," says David Mortman, CISO for Siebel Systems, a customer relationship management software maker in San Mateo, Calif.
To combat the internal menace, you've got two choices: Lock down data access (not possible or desirable for most companies) or keep watch over what employees are doing with your critical corporate data. If the most valuable intellectual property (IP) your company possesses is about to walk out the door (on a laptop, USB drive, MP3 player or CD, or sent to an FTP site), wouldn't you want to know about it? There might be a perfectly innocent reason the employee did what he did. Then again, maybe not.
Many companies also need to monitor the way employees interact with data to ensure adherence to policies for compliance with Sarbanes-Oxley and other regulations. "We monitor key corporate financial systems to ensure there is no inappropriate activity," says Anne Rogers, director of information safeguards for Waste Management, a $12.5 billion publicly held trash services provider. The company also uses Web filtering software to block access to sites that contain inappropriate material.



