Businesses have good reasons for monitoring employees. But there are no good reasons for workers to spy on each other, or snoop through confidential information not related to their job. Here’s how to stop them.
E-mail expert Nancy Flynn travels around the country advising companies and serving as a witness in lawsuits where electronic messages are a central issue.
Although she deals with corporate e-mail issues all the time, Flynn says she’s still amazed by the stories she hears of employees who are authorized to monitor coworkers’ e-mail abusing the privilege. She’s heard of workers who talk about the contents of messages, and in one particularly egregious case, of an individual blackmailing someone who had violated company policy.
“My recommendation is that you take advantage of technology and don’t have an individual read e-mail,” says Flynn, director of the ePolicy Institute in Columbus, Ohio.
Companies have legitimate reasons for monitoring employees and employee communications. However, there’s a big difference between making sure workers are doing their jobs and spying on fellow employees or snooping through confidential company information, according to Flynn and other business security experts.
But as Flynn’s experience shows, it’s not uncommon for workers to take advantage of their position to look at e-mail and other sensitive company information. In fact, one-third of 300 senior IT professionals in a June 2008 survey admitted using high-level administrative passwords to snoop on fellow employees. Another 47 percent said they had accessed data that wasn’t relevant to their job, according to the report from Cyber-Ark, an information security vendor.
Though somewhat self-serving in that it points out the need for the products it sells, Cyber-Ark’s survey underlines the importance of having proper data safeguards in place, according to e-mail and other security experts. The experts suggest those safeguards include:
Classifying and organizing confidential information -- You can’t expect employees to follow privacy protocols if your company doesn’t have a good system for determining what information is confidential, says Javed Ikbal, principal at zSquad, an IT security consultant in Boston. Start by classifying information as confidential, highly confidential or the company’s “crown jewel” -- the secret pizza sauce or the pending patent for example -- never to be shared. Next, decide how such information will be labeled plus where it will be stored and who has access to it inside and outside the company, Ikbal says.
To make sure sensitive material doesn’t go where it’s not supposed to, use a naming protocol for electronic documents and tie it to e-mail scanning software from vendors such as Sophos, Webroot Software, and Proofpoint. For example, companies could ID a file as “Internal Restricted” by typing the words in a document’s footer field and then set that phrase as a keyword in scanning software. “If someone tries to send it, even by mistake, the system will flag it,” Ikbal says.
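The scan Ikbal describes can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from any of the vendors it names: it parses an outbound message, decodes the body and each attachment, and flags any part whose text carries a classification label such as the “Internal Restricted” phrase from the footer convention above. The addresses, the attachment and the label list are constructed for the example, and a plain-text attachment stands in for the footer of a real office document.

```python
import email
from email import policy
from email.message import EmailMessage

# Classification labels the scanner looks for (constructed list; the phrase
# "Internal Restricted" is the example the article gives). Longest first so
# "highly confidential" is reported before its substring "confidential".
MARKERS = ("internal restricted", "highly confidential", "confidential")


def _part_text(part):
    """Return a MIME part's decoded text, or '' if it carries no payload."""
    payload = part.get_payload(decode=True)
    if payload is None:
        return ""
    charset = part.get_content_charset() or "utf-8"
    try:
        return payload.decode(charset, errors="replace")
    except LookupError:  # unknown charset name in the header
        return payload.decode("utf-8", errors="replace")


def find_markers(raw_message: bytes):
    """Scan the body and every attachment of an outbound message.

    Returns a list of (part name, marker) hits; an empty list means the
    message carries no classification label and may be sent.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers have no payload of their own
        name = part.get_filename() or part.get_content_type()
        text = _part_text(part).lower()
        for marker in MARKERS:
            if marker in text:
                hits.append((name, marker))
                break  # one hit per part is enough to flag it
    return hits


def should_block(raw_message: bytes) -> bool:
    """Gateway decision: hold the message if any part carries a label."""
    return bool(find_markers(raw_message))


def build_sample(labelled: bool = True) -> bytes:
    """Construct an outbound message with a text attachment whose footer
    line carries (or omits) the label. Hypothetical addresses throughout."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "Q3 forecast"
    msg.set_content("Attached as discussed.")
    footer = "\n\nInternal Restricted - do not distribute" if labelled else ""
    doc = "Q3 forecast: revenue up 4%, headcount flat." + footer
    msg.add_attachment(doc.encode("utf-8"), maintype="text",
                       subtype="plain", filename="forecast.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_markers(build_sample()):
        print("flagged:", hit)
```

The scan is deliberately case-insensitive and runs over attachments as well as the body, since the labelled document is usually the attachment rather than the message text; a real gateway would add extractors for binary formats such as Word or PDF before applying the same keyword check.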
Role-based access -- Another way to prevent spying is to give employees the minimum access to IT systems that they need to do their job, something security experts call the principle of least privilege.
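What “minimum access” looks like in code, as an added example rather than anything from the article: a deny-by-default authorizer in which no role, not even the mail administrator, carries standing permission to read other people’s mailboxes. Reading someone else’s mail requires an approved ticket that names exactly one investigator and one mailbox, and every decision, allowed or denied, is written to an audit trail. The roles, ticket register and user names are constructed for the example.

```python
import logging
from dataclasses import dataclass
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
AUDIT = logging.getLogger("mailbox-audit")

# Constructed role model. Permissions are granted explicitly; anything not
# listed is denied. No role, including mail_admin, carries a permission to
# read other people's mailboxes.
ROLE_PERMISSIONS = {
    "employee":   {"mail:read_own"},
    "hr":         {"mail:read_own", "records:read"},
    "mail_admin": {"mail:read_own", "mail:manage_queue"},
}

# Constructed break-glass register: an approved investigation ticket names
# exactly one investigator and one mailbox, so a ticket cannot be reused
# to browse other people's mail.
APPROVED_TICKETS = {
    "INV-0042": {"investigator": "bob", "mailbox": "carol"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    mailbox: str                  # mailbox the user wants to read
    ticket: Optional[str] = None  # approved ticket, if any


def authorize(req: AccessRequest, audit_log: list) -> bool:
    """Deny-by-default check for reading a mailbox. Every decision, allowed
    or not, is appended to audit_log so snooping attempts leave a trace."""
    perms = ROLE_PERMISSIONS.get(req.role, set())  # unknown role -> no rights
    if req.mailbox == req.user and "mail:read_own" in perms:
        allowed, reason = True, "own mailbox"
    else:
        grant = APPROVED_TICKETS.get(req.ticket)
        if grant and grant["investigator"] == req.user \
                and grant["mailbox"] == req.mailbox:
            allowed, reason = True, f"approved ticket {req.ticket}"
        else:
            allowed, reason = False, "no permission for another user's mailbox"
    entry = (req.user, req.role, req.mailbox, allowed, reason)
    audit_log.append(entry)
    AUDIT.info("%s (%s) -> mailbox %s: allowed=%s (%s)", *entry)
    return allowed


def run_demo():
    """Constructed requests: a normal read, an admin snooping attempt, a
    ticketed investigation, and a ticket used by the wrong person."""
    log = []
    authorize(AccessRequest("alice", "employee", "alice"), log)
    authorize(AccessRequest("bob", "mail_admin", "carol"), log)
    authorize(AccessRequest("bob", "mail_admin", "carol", "INV-0042"), log)
    authorize(AccessRequest("dave", "hr", "carol", "INV-0042"), log)
    return log


if __name__ == "__main__":
    run_demo()
```

The point of binding the ticket to both a person and a mailbox is that a legitimate investigation does not become a general licence to browse, and the audit entries give HR or compliance something concrete to review when a complaint of the kind Flynn describes comes in.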
Password administration -- Bad things can happen when only a few people, or even one person, control high-level system passwords. San Francisco city officials learned that the hard way in mid-July when a technology department network administrator used a password only he knew to block access to a multi-million-dollar computer network that stored city payroll files, jail inmates’ bookings, and other sensitive files. The employee went to jail rather than divulge the code, tying up the network for days while IT staff tried to unlock it, according to news reports.
In a small business where only one person has an IT system administrator password, put an emergency plan in place in case anything happens to that person, Ikbal says. The password could be locked in the company’s safe or in a safety deposit box, he says. Larger companies can use password vaults, also called privileged account management (PAM) technology, from companies such as Cyber-Ark, e-DMZ, Quest and Symark.
Written policies -- Once policies are in place, make sure employees know them. Don’t just tack rules up in the lunchroom; have a discussion of what is and isn’t allowed. Make sure the rules explicitly prohibit IT, HR, or other personnel from going through employee records or e-mail for fun, says Lewis Maltby, president of The National Workrights Institute, a Princeton, N.J., labor rights advocate. While there’s no law forcing companies to disclose their monitoring practices, “However their system works, every employer ought to tell every employee what it is doing,” Maltby says.
Companies that operate in health care, financial services or other regulated industries have extra reason to warn employees against spying on coworkers or peeking into confidential materials. Employees who come across patient health records and leak them, whether accidentally or on purpose, could be violating federal confidentiality regulations and exposing themselves and their companies to stiff financial penalties, security experts say.