Information monitoring: How far should it go?
10 min read
02 November 2013
Information monitoring is a tricky subject. We all want to be able to trust others with data, but information theft and data leakage happen all too often, and organizations are asking themselves how much they should be monitoring the way company information is used. But why is it an issue and how should it be done?
Why is it an issue?
There are two primary reasons to consider stricter information monitoring. Firstly, not all company secrets and confidential information is lost by theft and hacking – much is lost by accident, with staff not realizing what they are doing. It is therefore a means of protecting against both intentional and unintentional data loss.
Secondly, under governance and compliance rules and legislation, it is the owner of the equipment – that is, the company not the employee – that will be held liable for legal compliance standards. These can range from the loss of personal and/or company confidential intellectual property to harassment and bullying within the company; and can lead to increasingly large fines and loss of brand reputation.
The owner of the equipment being responsible for illegal content held on the equipment also applies to both local and Cloud. The data controller (usually a person within the company, but effectively the company) is responsible for protecting personal data.
The question of whether to monitor staff thus becomes a business issue rather than a simple IT security issue. It transcends both the IT and legal departments – and because it involves staff, it must also include the HR department.
Can it be done legally?
The first question, in an age of increasing privacy protection from the EU in Europe, and federal and state laws in the US, is simple: is it legal to monitor staff communications? Precise details vary from country to country. Germany, for example, has particularly stringent privacy rules. But provided that staff have agreed to or have accepted the monitoring, and provided that the monitoring is for business purposes on business equipment, then in general communication between staff on the company network can be monitored, and emails received or sent by staff on company computers can be monitored.
Nevertheless, if it is done, it is best done sensitively and discreetly. The starting point should be the formal company fair use policy, making it clear what staff can and cannot do, and more specifically a clear statement that business communications will be monitored. This policy should then be part of the conditions of employment. Staff will consequently know what is happening, and employers will have redress if necessary.
Think before you click ‘send’!
If staff in your business use email and IM for fun, perhaps these stories will illuminate the dangers to them…
Sending ‘rude’ (offensive) jokes is also an issue.
Should it be done?
On a purely logical basis, yes, it should be done. Here are three main reasons:
1. Staff working from home
The boundaries between office and home are breaking down. More and more staff work at home in the evenings and at weekends, and they find ways to transfer data from office computers to home computers for the best of reasons. This could be via file synchronization services such as Box and Dropbox, or simply by emailing the file as an attachment to a personal webmail account such as Gmail or Hotmail. It is important that a CISO knows where company information is at all times, because once it’s outside of the company network, they can no longer defend it. It could be the source of a data leak.
2. Legal liability
But they, or at least the company, will still be legally liable for what. The EU approach is typical: it is not the employee who is responsible, but the data controller – which is, effectively, the company. If data is lost or misused, then it is the company that will be fined, and it is the company’s reputation that will suffer.
3. The increasing technical competence of cyber attackers
No company is immune from attack, and those attacks are becoming more and more sophisticated. While still important, traditional perimeter defenses like a simple firewall and anti-virus software can no longer be relied upon to keep out hackers: they will not stop a zero-day vulnerability that delivers new malware. It is no longer just a case of prevention; it is as much a case of discovery and remediation.
According to Trend Micro1, 91 per cent of all successful APT attacks start with a spear-phishing email. The automated monitoring of email – both inbound and outbound – is a valuable way of defending staff against spear-phishing.
Once an attacker is inside the network, they can spend weeks and months finding the data they want to steal, and working out an exit strategy that will go unnoticed. One such route is to take over a legitimate staff account and mail the data out. Unless that email and the data itself is analyzed, it will simply pass through the firewall as legitimate traffic. If it is personal or financial data it can attract legal action and loss of brand; if it is intellectual property it can affect the very future of the business; and if it is military data it could affect us all.
How should it be done?
If the logical conclusion is that information monitoring is an important part of data loss prevention, the logical question is: how?
The first thing to realise is that this is not just an IT problem. It affects the whole business and requires a whole business approach. While the role of CISO is increasingly absorbing the role of compliance, in many companies ‘information security’ still comes under a CISO attached to the IT department, while ‘compliance’ comes under a risk manager attached to the Risk department.
An amalgamation is important since compliance is often seen as little more than a tick-box requirement, while information security needs a more holistic approach. Compliance alone does not deliver the security that compliance seeks.
This is further complicated by the need to involve the legal department in both the staff contracts and the legal compliance issues; and the HR department to ensure the policy is workable and delivered. Finally, it is worth noting that some CISOs are now involving the company marketing department to develop a strategy that will help ‘sell’ the policy to the staff.
Such a multi-departmental approach in the delivery of a staff monitoring business plan is more likely to attract Board attention, and more likely to gain the support necessary for implementation.
With Board approval, it then becomes a question of how to implement information monitoring. In anything but the tiniest of one-man-and-his dog companies, this cannot be done manually – there is simply far too much traffic to monitor. That means an automated system must be brought in; but since this is effectively a bolt-on product, it must be chosen with care so it can be integrated seamlessly, efficiently, and unobtrusively into your existing infrastructure.
It must also be scalable for when you grow, and part of a holistic view of your data security. It must be ready to take its place in the wider context of big data analytics so that the CISO is able to spot threats in real time rather than after the event, and to remediate those threats before they cause damage. It is a fundamental part of intelligence-led security.
But remember, when it comes to information monitoring it is not only essential that we monitor our staff, but that we learn how to implement a culture change, and nurture a security compliant culture. Without a culture that understands and implements the policies that you have in place, they quite simply will not work.
Written by IT security consultancy Clearswift