By Stefan Dorn, Security Consultant
It’s common knowledge that humans are the greatest threat to security, especially for a small business. Employees often possess inside knowledge and levels of access that make them a threat with high potential impact, even if the probability is low. Let’s be honest: every business owner, manager and supervisor is concerned with an insider potentially harming the business, whether it is intentional or by accident.
Businesses need to monitor the actions and behavior of employees while they are working. Crafting a solution that accomplishes what the business needs while meeting ethical and privacy concerns can be tricky. When you establish a monitoring program, you can maintain employee trust by minimizing the impact on their privacy. Unless there is a justified reason for intrusive monitoring, such as a security incident or a valid request from a manager, you need to avoid observing personal information, the contents of personal email, and the details of personal accounts. In particular, avoid viewing protected conversations, like those between an employee and their doctor or lawyer.
Three Steps to Establishing a Monitoring Program
- Create written policies and employee agreements, and make sure to define what constitutes non-work activity. For example, an Employee Information Security Policy should include topics like:
  - Acceptable Use of Information Resources
  - Internet and Social Media Use
  - Email Use
  - Mobile Device Use
- Train your employees on the policies annually. Include some information security awareness training and you'll cover most of what regulatory requirements and your liability or data breach insurance policies ask for. After the training has been completed, have your employees sign agreements stating they have read, understand, and acknowledge the policies. Keep a record of who attended training, and when.
- Use technology to automate most of the monitoring. Don't let monitoring add a lot of overhead to your business. Leverage technology and focus on the basics first:
  - Web filtering services can filter web sites based on categories. They are cheap and effective, and they help protect against malware, too!
  - Data Loss Prevention (DLP) policies in modern email systems, cloud services, and on endpoints help prevent data from having an opportunity to leave.
  - High-definition video surveillance cameras provide physical monitoring and are proven to help deter criminal activity in and around facilities. These offer a huge bang for the buck!
  - Managers should review reports on their employees' web browsing and email activity from firewalls, proxies, and email systems at least quarterly. Reviewing activity can establish patterns, but be careful of privacy violations if you go further and review the contents of employee web and email activity!
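The quarterly activity review above can be automated in a way that respects the privacy boundary the post draws: aggregate by user and content category, and never surface URLs, query strings or message contents. The script below is an added example, not code from the original post; the log format, the category names and the "non-work" and "protected" category sets are constructed assumptions rather than any specific web filter's output, and the policy threshold is a placeholder a real program would take from the written policy.

```python
"""Privacy-minimising web-activity summary for a quarterly manager review.

Added example (not part of the original post). Reads constructed
proxy/web-filter log lines of the assumed form
    "<epoch> <user> <category> <bytes> <url>"
and produces per-user counts by category. The URL field is discarded
at parse time so the report can never reveal what was visited, and
protected categories (health, legal, personal email) are collapsed
into a single "personal" bucket so they are never broken out per user.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (assumed format, not a vendor's real output).
SAMPLE_LOG = """\
1700000000 alice business 1200 https://intranet.example/wiki/page
1700000010 alice business 3400 https://vendor.example/docs
1700000020 alice social-media 800 https://social.example/feed?id=123
1700000030 bob streaming 950000 https://video.example/watch?v=abc
1700000040 bob streaming 870000 https://video.example/watch?v=def
1700000050 bob business 500 https://intranet.example/hr
1700000060 carol health 2100 https://patient-portal.example/messages
1700000070 carol business 900 https://intranet.example/wiki
"""

# Categories the written policy defines as non-work activity (assumption).
NON_WORK = {"social-media", "streaming", "gaming"}
# Categories treated as protected: counted only in aggregate as "personal".
PROTECTED = {"health", "legal", "personal-email"}


@dataclass
class UserSummary:
    requests: int = 0
    total_bytes: int = 0
    by_category: dict = field(default_factory=lambda: defaultdict(int))


def parse_line(line):
    """Return (user, category, size) and deliberately drop the URL field."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None  # malformed or blank line: skip rather than guess
    _ts, user, category, size = parts[:4]
    if category in PROTECTED:
        category = "personal"  # never expose which protected category it was
    return user, category, int(size)


def summarise(log_text):
    """Aggregate request counts and bytes per user and per category."""
    summaries = defaultdict(UserSummary)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, category, size = rec
        s = summaries[user]
        s.requests += 1
        s.total_bytes += size
        s.by_category[category] += 1
    return dict(summaries)


def flag_non_work(summaries, max_share=0.5):
    """Users whose share of requests in non-work categories exceeds max_share.

    max_share is a placeholder threshold; take the real value from policy.
    """
    flagged = {}
    for user, s in summaries.items():
        non_work = sum(n for c, n in s.by_category.items() if c in NON_WORK)
        share = non_work / s.requests if s.requests else 0.0
        if share > max_share:
            flagged[user] = round(share, 2)
    return flagged


def render_report(summaries, flagged):
    """Plain-text report: counts only, no URLs or contents."""
    lines = []
    for user in sorted(summaries):
        s = summaries[user]
        cats = ", ".join(f"{c}={n}" for c, n in sorted(s.by_category.items()))
        mark = ""
        if user in flagged:
            mark = f" [REVIEW: non-work share {flagged[user] * 100:.0f}%]"
        lines.append(f"{user}: {s.requests} requests, {s.total_bytes} bytes; {cats}{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    summ = summarise(SAMPLE_LOG)
    print(render_report(summ, flag_non_work(summ)))
```

The design choice worth noting is that the URL is thrown away inside `parse_line`, before anything is stored, so no later reporting code can accidentally leak it; an escalation to content-level review for a justified incident would be a separate, deliberately authorised process rather than a flag on this report.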
If you're unfamiliar with the process of policy development and deployment, with implementing and administering monitoring technologies, or need an expert to help train your team, we can help! Contact us now and we'll help you get started on building a safer, more secure business that can withstand today's most prevalent threats.
Until next time!