How To
Web Monitoring: How to Track Employee Data Access (Without Going Overboard)
Monitoring access to corporate data can be an effective way to keep the crown jewels from walking out the door, but it requires a careful balancing act.
By Lauren Gibbons Paul
Rogers says her job is not made easier by the fact that most of the company's 56,000 employees (such as the garbage collectors) do not use computers. She says that "while only about one-third of our employees work on the computer systems," a number of factors (network and application configurations, the number of company locations, variations in user roles and compliance requirements among them) drive the information access and protection workload.
Know Where the Crown Jewels Are
You could make a reasonable case (as the vendors do, every day) that data monitoring is a cost-justified, loss-avoidance tool that every company should employ. Surely all public companies that are subject to Sarbanes-Oxley and similar regulations should use some form of data monitoring to ensure compliance as well as safeguard data. But every company is unique in terms of the kind of data it keeps, the value of different data and its intellectual property.
Some companies would suffer much more than others in the event of a data security breach. If you hold data whose exposure would cause the company irreparable harm, data monitoring is an effective way to ensure it stays put. For example, if the recipe for Coke were published on the Internet tomorrow, the world's largest soft drink company could be irreversibly damaged. Financial services firms catering to consumers have already discovered the perils of leaving data open to vicious acts by employees.
Then there are the cases where data monitoring may not be critical but merely advisable. For example, a salesperson could copy your client database onto a CD before walking out the door to your competitor. Or an employee may copy source code to a USB drive to work on it at home (it's legit, but wouldn't it at least be nice to know it's happening?).
Teach Users Proper Access
Some CISOs elect not to alert employees that they are being monitored, preferring to watch the activity in its raw state. Others give explicit warnings about the monitoring and consequences of improper behavior.
Moynihan of the Massachusetts Department of Revenue says it is essential to let employees know in advance that they are monitored. If there is no legitimate business justification for accessing a taxpayer's file, the employee (any employee) could be dismissed the first time (see copy of the department's seven-page confidentiality memo at www.csoonline.com/printlinks). He also believes the up-front warning has a deterrent effect.
Along with the stern warning, Moynihan's agency helps workers avoid inadvertent improper behavior. He has set up a training program to educate employees on everything from what constitutes legitimate file access to what employees should do if they access the wrong file by mistake. The agency has gone so far as to show a training video that new hires see during orientation and everyone else can see via the agency's intranet. Every single employee, from the lowest to the highest, must sign the confidentiality memo once a year.