When IT is asked to spy

IT managers are being put in the awkward position of monitoring fellow employees.

It's 9:00 in the morning, or 3:00 in the afternoon, or even 10:00 at night. Do you know what your users are up to? More than ever, IT managers can answer, "Oh, yes."

As corporate functions, including voice and video, converge onto IP-based networks, more employee infractions are happening online. Employees leak intellectual property or trade secrets, either on purpose or inadvertently; violate laws against sexual harassment or child pornography; and waste time while looking like they're hard at work.

In response -- spurred in part by the need to comply with stricter rules and regulations -- organizations are not only filtering and blocking Web sites and scanning e-mail. Many are also watching what employees post on social networks and blogs.

They're collecting and retaining mobile phone calls and text messages. They can even track employees' physical locations using the GPS feature on smartphones.

More often that not, IT workers are the ones asked to do the digital dirty work, primarily because they're the people with the technical know-how to get the job done, says Nancy Flynn, executive director of The ePolicy Institute, a Columbus, Ohio-based consultancy that helps companies establish Internet and computer usage policies.

Statistics are hard to come by, but Flynn and other industry observers agree that monitoring and surveillance are becoming a bigger part of IT's job.

Michael Workman, an associate professor at the Florida Institute of Technology who studies corporate IT security and employee behavior, estimates that monitoring responsibilities take up at least 20% of the average IT manager's time.

Yet most IT professionals never expected they'd be asked to police their colleagues and co-workers in quite this way. So, how do they feel about this growing responsibility?

Workman says he sees a split among tech workers. Those who specialize in security issues feel that it's a valid part of IT's job. But those who have more of a generalist's role, such as network administrators, often don't like it.

IT managers interviewed for this story hold a wide variety of views, ranging from discomfort at having to baby-sit their co-workers to righteous convictions about the need to protect the integrity of their companies' systems.

The Reluctant Beat Cop

Monitoring employees has become a bigger part of IT's job at ENE Systems Inc., an energy and building automation company in Canton, Mass. A new state law regarding the security of personal data has increased the importance of monitoring online activity, says Barry Thompson, network services manager at the $30 million company, which has 140 employees.

Previously, Thompson checked the logs from the company's Microsoft ISA (Internet Security and Acceleration) Server, which tracks what Web sites people access, only if a supervisor suspected an employee of violating the company's stated policies.

Corporate Crackdown

Not only do corporations appear to be monitoring their employees more frequently and more closely, but they're also punishing violators more severely when they do get caught. Some are even terminating employees who violate company policies.

Percentage of companies that have terminated employees who violated stated policies on the use of:

* The Internet: 26%

* E-mail: 26%

* Cell phones: 6%

* Instant messaging: 4%

* Text messaging: 3%

* Social networking: 2%

* Video sharing: 1%

* Personal blogs: 1%

* Corporate blogs: 1%

Base: 586 companies

Source: Survey by the American Management Association and The ePolicy Institute, July 2009

Now, one of his five IT staffers regularly reviews the logs, even without a specific request. "That's all he does for one day a week," says Thompson. "He goes through the logs to see if there's anything in there that needs to be exposed or discussed." Activity related to porn, gambling or hate speech automatically raises red flags, he says.

Thompson and his staff aren't exactly comfortable with this task. "We're IT guys. We're not baby sitters," he says. "It's a difficult position to be in, but it does come with the territory."

It helps that his IT staff isn't responsible for confronting violators, only finding them. If a problem pops up, the IT staff reports it to Thompson, who then determines whether to report the violation to the employee's supervisor.

He's like the neighborhood beat cop, who might catch kids stealing from the corner store but let them off with a warning the first time. "I do it on a case-by-case basis, based on my own gut feeling about what [the violator is] telling me," he says. "I'm a pretty good judge of whether or not someone's lying."

In the 10 years he's been with the company, Thompson says, he has officially reported inappropriate Internet usage to a supervisor on just two occasions.

The reason for that low number? "We regularly communicate to the rank-and-file employees that all Internet access is monitored and logged, so they know they are being watched," Thompson says. "In my view, that keeps the majority of people honest."

In addition to energy and automation systems, ENE offers IT services, including Web site development and e-mail. Thompson says he's seen increased interest in employee monitoring among ENE's customers, which include large institutions such as the Boston public school system and State Street Bank. "More and more frequently, our customers want to know, 'What was that guy doing when [his computer] got that virus?' for example," he says.

One customer put Thompson in an ethical dilemma when it asked ENE to secretly install SpectorSoft Corp.'s surveillance software on its employees' PCs. SpectorSoft records everything: e-mails, IMs, Web site visits and searches, programs run and files transferred. It even logs keystrokes and takes screenshots.

The owner of the company, a landscaping firm, wanted Thompson's staff to lie if employees asked what they were installing on the PCs. (Although most companies spell out monitoring policies in employee manuals, only two states -- Delaware and Connecticut -- actually require that companies notify employees that they're being monitored.)

Thompson refused. "What he asked us to do crossed the line," he says. "I told him, 'We'll install the software, we'll help you use the software, we'll help you monitor your employees. If somebody does something wrong, we'll help you collect the information to fire them. But we're not going to look your employees in the eye and lie about what we're doing.' "

Thompson says the customer was "a bit unhappy" but accepted his position.

The Legal Eagle

"Daryl" -- who requested anonymity -- is an IT manager at a midsize industrial manufacturer in the U.K. He strongly believes that IT has the right, and the duty, to monitor employee activity in order to protect the interests of the company.

He once caught an employee engaged in criminal activity involving intellectual property that could have resulted in a big financial loss for the company.

He went to the CEO, and the employee was dismissed. The employer didn't press charges, however, because "it would've been embarrassing for the company," Daryl says.

Daryl's complaint isn't that he has to police employees, but that he's not allowed to do it properly.

His graduate-level college studies in IT security and forensics taught him how to properly preserve electronic evidence so that it is admissible in U.K. courts. For the information from a laptop to be admissible, he says, the hard drive needs to be removed and cloned, and then the clone is examined while the original evidence is left untouched.

But his bosses aren't interested in that. "The process my managers want me to follow is inappropriate," he says. They want him to skip the cloning and examine hard drives directly. "It's highly unlikely that they would ever be able to bring a successful prosecution [because] they insist on using a practice that would invalidate any evidence obtained," he says.

The Conscientious Objector

"Our department philosophy is that if the users fear us, the job gets 10 times harder," says Dan Olson, IT director at Farstad Oil Inc., a Minot, N.D., company with 500 employees. "Fear leads to coverup and spin. When we are trying to find [the cause of] a problem, what we need is the truth."

Fear of IT used to be a problem at Farstad. In the mid-1990s, after an employee was caught spending too much time in chat rooms, IT was directed to monitor employees and report those who did non-work-related activities on their PCs.

"We had never agreed to that, nor were we consulted on it," Olson says. He mostly ignored the directive, partly because it was never a written policy. Nonetheless, he says, "the next two years were miserable for [IT], as everyone feared that we would assume they were guilty until proven innocent."

At one point, management became concerned that employees were using instant messaging for personal business. A memo cautioning employees about this caused even more anxiety. "I remember people clicking their mice and quickly closing windows as I walked by," says Olson.

That fear was counterproductive, he says. If employees' PCs caught a virus, for example, he had trouble getting them to say what they'd been doing or what Web sites they'd visited.

Shortly thereafter, Olson persuaded management to ease the restriction. "We explained that we wouldn't be watching [workers] all the time. We would only check the logs if their manager complained that they weren't getting their work done," he says.

The new policy has made for much better working relationships between employees and the IT staff, he notes, with employees more willing to inform IT promptly about technology snafus and IT able to get the information it needs to remedy the problems.

Get Used to It

In the future, companies like Farstad that have policies that favor minimal monitoring are likely to be in the minority. Observers say IT managers can expect to be asked to take on even more monitoring duties, such as reviewing surveillance videos, examining text messages, tracking employees' whereabouts via GPS or monitoring activity on social media.

Will IT managers resist this expansion or chalk it up to just doing their jobs?

Florida Institute of Technology's Workman doesn't envision much pushback. "I see them doing it," he says, "but I don't see them being completely comfortable with the practice.

Harbert is a Washington, D.C.-based writer specializing in technology, business and public policy. You can contact her at her Web site, TamHarbert.com.

This story was originally published in Computerworld's print edition. It was adapted from an earlier version that first appeared on Computerworld.com.

This story, "When IT is asked to spy" was originally published by Computerworld.

Copyright © 2010 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022