Web Monitoring: How to Track Employee Data Access (Without Going Overboard)

The Massachusetts Department of Revenue has been practicing data surveillance longer than most. More than a decade ago, top managers at the state agency realized that some employees would be unable to resist the lure of the department’s treasure trove of personal taxpayer information.

“Sports figures seem to be the biggest draw. It’s like a disease. People just can’t seem to resist” peeking at athletes’ private financial information, says John Moynihan, a 22-year veteran of the department who’s now deputy commissioner and internal control officer.

Other people’s tax data may be a draw for the curious, but resist they must, as it is against department policy for anyone, including employees, to access taxpayer data without a legitimate business reason. And it’s illegal under Massachusetts law for anyone to disclose such data. So in 1992 the agency built a homegrown system that would alert the information security department every time an employee accessed a high-profile resident’s income tax file. The system worked well, catching a handful of illegal browsers (some of whom immediately lost their jobs) each year, including a case where an employee accessed the income tax records of one of her husband’s coworkers. Seems the husband had been passed over for a promotion (which went to the coworker), and snooping through that person’s financial data made the couple feel better.

Eventually, Moynihanâ¬and his boss, the commissionerâ¬realized the DoR had to monitor every access of every taxpayer’s personal information on the database. Integrity of the process was not only an ethical matterâ¬a public-sector breach could lead to major political ramifications. “If at any time a confidentiality problem hit the papers and taxpayers felt the system was not protecting their information, it could impact voluntary [income tax] compliance. The consequences could be immeasurable,” he says.

In 1997, the Department of Revenue spent $300,000 (out of an overall IT budget of $25 million) to custom develop its Transaction Tracking system based on a Unisys mainframe. The system captures every access of taxpayer data in Massachusetts and creates audit trails for future reference. Once auditors monitoring the database identify a potential violation of the data access policy, such as an anomaly in the audit trail, they give the employee a chance to explain. If there is no reasonable explanation for the data access, the case is referred to internal investigators for further analysis and an interview with the employee. Disciplinary actions that could follow include firing an employee for a first offense.

Today, Moynihan consults with other states and gives presentations to both public- and private-sector audiences on how to take a commonsense approach to data surveillance, web monitoring and privacy policies. Chief among his advice is to create a strong data access policy, train employees on that policy and then enforce violations. Sounds simple enough, but there are many traps for the unwary.

Unlike when Massachusetts started its homegrown approach, technology and tools now exist to scan and store just about anythingâ¬employee access to databases, as well as e-mails, instant messaging transcripts, Web surfing habits, keywords entered and even each individual keystroke in files. (For a list of tools providers, see “Who’s Who” at www.csoonline.com/printlinks.) In addition, it’s long been established that employees have no expectation of privacy in their use of company systems. But how do you do this well and cost-effectively? It takes an assessment of your organizationâ¬the purpose of your business, the kind of data you have, the nature of employees’ work and the culture that allows them to be successfulâ¬balanced with the need to secure the integrity of your key information assets.

Risk Begins at Home

Information security has for the most part focused on the perimeter of the network. But experts and CISOs agree that the biggest threat to data security comes from insiders who have free and easy access to the data, not outsiders who manage through extraordinary means to penetrate a firewall and various authentication measures.

“I worry most about the insider threat. An unhappy employee is far and away the most difficult to track down and potentially the most dangerous,” says David Mortman, CISO for Siebel Systems, a customer relationship management software maker in San Mateo, Calif.

To combat the internal menace, you’ve got two choices: Lock down data access (not possible or desirable for most companies) or keep watch over what employees are doing with your critical corporate data. If the most valuable intellectual property (IP) your company possesses is about to walk out the door (on a laptop, USB drive, MP3 player or CD, or sent to an FTP site), wouldn’t you want to know about it? There might be a perfectly innocent reason the employee did what he did. Then again, maybe not.

Many companies also need to monitor the way employees interact with data to ensure adherence to policies for compliance with Sarbanes-Oxley and other regulations. “We monitor key corporate financial systems to ensure there is no inappropriate activity,” says Anne Rogers, director of information safeguards for Waste Management, a $12.5 billion publicly held trash services provider. The company also uses Web filtering software to block access to sites that contain inappropriate material.

Rogers says her job is not made easier by the fact that most of the company’s 56,000 employees (such as the garbage collectors) do not use computers. She says that “while only about one-third of our employees work on the computer systems,” a number of factorsâ¬network and application configurations, the number of company locations, variations in user roles and compliance requirements among themâ¬drive the information access and protection workload.

Know Where the Crown Jewels Are

You could make a reasonable case (as the vendors do, every day) that data monitoring is a cost-justified, loss-avoidance tool that every company should employ. Surely all public companies that are subject to Sarbanes-Oxley and similar regulations should use some form of data monitoring to ensure compliance as well as safeguard data. But every company is unique in terms of the kind of data it keeps, the value of different data and its intellectual property.

Some companies would suffer much more than others in the event of a data security breach. If you possess that which would cause irreparable harm if it got out of the company, data monitoring is an effective way to ensure it stays put. For example, if the recipe for Coke were published on the Internet tomorrow, the world’s largest soft drink company could be irreversibly damaged. Financial services catering to consumers have already discovered the perils of leaving data open to vicious acts by employees.

Then there are the cases where data monitoring may not be critical but merely advisable. For example, a salesperson could copy your client database onto a CD before walking out the door to your competitor. Or an employee may copy source code to a USB drive to work on it at home (it’s legit, but wouldn’t it at least be nice to know it’s happening?).

Teach Users Proper Access

Some CISOs elect not to alert employees that they are being monitored, preferring to watch the activity in its raw state. Others give explicit warnings about the monitoring and consequences of improper behavior.

Moynihan of the Massachusetts Department of Revenue says it is essential to let them know in advance. If there is no legitimate business justification for accessing the taxpayer’s file, the employee (any employee) could be dismissed the first time (see copy of the department’s seven-page confidentiality memo at www.csoonline.com/printlinks). He also believes the up-front warning has a deterrent effect.

Along with the stern warning, Moynihan’s agency helps workers avoid inadvertent improper behavior. He has set up a training program to educate employees on everything from what constitutes legitimate file access to what employees should do if they access the wrong file by mistake. The agency has gone so far as to show a training video that new hires see during orientation and everyone else can see via the agency’s intranet. Every single employee, from the lowest to the highest, must sign the confidentiality memo once a year.

These are excellent practices, says Nancy Flynn, executive director of The ePolicy Institute, a training consultancy. Once you define a thorough electronic data policy (covering everything from application and database access to e-mail, IM and Web usage), the next step is training the employees (see “The 3 E’s of E-Risk Management,” Page 48). “You need to explain they have no reasonable expectation of privacy in the workplace and what are the ramifications if they violate the policy,” says Flynn. The final step is to enforce the policy consistently, no matter who the violator might be.

Following these steps will help shield you from potential legal issues. “The last thing you want is to terminate an employee for violating your data policy and they don’t even know you have one. Or they know about the policy but it has not been enforced across the board,” says Flynn. As with anything else, following these guidelines will not prevent a disgruntled employee from filing a suit, but some courts have found companies are not legally liable so long as the policy is comprehensive, known to employees and enforced uniformly.

Beware the Downside of Being Watched

Joe Rizzo, acting CISO at multiplayer online game developer Perpetual Entertainment, acknowledges that it is a continuing struggle for organizations to find the right balance between knowing what’s happening with data and maintaining employee morale. “It’s touchy because our employees don’t want to feel like they’re being watched,” he says.

Rizzo has arrived at what appears to be a reasonable compromise: Perpetual uses Tablus’s Content Monitor Alarm to monitor access of its game source code, especially since it often works with third-party developers. The system makes a digital footprint of the source code. “It’s our livelihood. We have to control and monitor that data. If we see our IP leaving, we will take action,” he says. But he does not block any websites or curtail the use of IM.

Siebel is like Perpetual Entertainment in that it employs highly skilled programmers who balk at the notion of being watched by their employer. “I don’t like playing Net cop. I do as little data surveillance as possible,” says CISO Mortman. And privacy laws are much more restrictive for the employer in other countries in which Siebel operates, including France. But a few years ago, the results of a Siebel customer satisfaction survey were leaked by an insider. That got Mortman’s attention, for sure.

But his inclination at this point is to protect the data by restricting access through rights-management software as opposed to implementing data monitoring tools.

Many companies fail to take a critical step toward safeguarding employee morale: Making sure the policies regarding data malfeasance are applied evenhandedly. Often due to political pressures, security officers choose to look the other way when the violator happens to occupy the corner suite. That’s understandable, but not advisable. “You can’t pick and choose who will be fired for violating [electronic data] policies,” says Flynn. Doing so could leave you legally vulnerable if an employee sued. She applauds Boeing for its widely publicized ousting in March of its CEOâ¬can’t get much higher than thatâ¬for violating e-mail and ethics policies in carrying on an affair with a female employee.

Don’t Forget Contract Workers

In addition to making sure employees are on the straight and narrow and proving compliance with regulations, many companies are finding data monitoring to be an excellent way to keep tabs on business partners such as outsourcers.

Seth Birnbaum, CEO of Verdasys, says many customers are using its Digital Guardian software tool to track and archive what outsourcers are doing. In one case a customer was able to prove a point with an outsourcer by going back to the logs generated by Digital Guardian.

“It circumvented the whole back-and-forth ‘You have a problem,’ ‘No we don’t’ cycle,” says Birnbaum. “The customer came in to them with proof in hand, so the outsourcer was forced to simply acknowledge the issue and do something about it.”

Companies that work with skilled contractors (such as software developers, technical writers, product designers and engineers) should consider using data monitoring to verify that the hired gun’s intentions (and actions) are pure.

Data surveillance is one of the few data protection techniques that do not restrict employee access to that data. Veteran Moynihan of the Massachusetts Department of Revenue would rather watch behind the scenes and simply verify employee access and see what files employees access as opposed to curbing their ability to get at the data (and do their jobs). With the comfort of a successful deployment under his belt, Moynihan takes the high road. Sensitive data will always be at risk. “But this is highly confidential stuff, and damn it, if we can’t protect the data, we shouldn’t be doing this job.”

(This story originally ran in CSO as “Keystroke Cops.”)