Employee Monitoring
CWmike writes "Michael Workman, an associate professor at the Florida Institute of Technology's Nathan M. Bisk College of Business, estimates that monitoring responsibilities take up at least 20% of the average IT manager's time. Yet most IT professionals never expected they'd be asked to police their colleagues and co-workers in quite this way. How do they feel about this growing responsibility? Workman says he sees a split among tech workers. Those who specialize in security issues feel that it's a valid part of IT's job. But those who have more of a generalist's role, such as network administrators, often don't like it. Computerworld contributor Tam Harbert found a wide variety of viewpoints from IT managers, ranging from discomfort at having to 'babysit' employees to righteous beliefs about 'protecting the integrity of the system.'"
I personally don't care what other people do in general. I am not their boss, and it's not my job to police what they do during work hours. I do keep logs, so if a person's manager wants to see what they've been doing I can give them a report. The only thing that I personally care about is employee behavior that may compromise my network. I do watch TCP traffic for abnormalities, and do have a black list of sites that will alert me if someone tries to visit something dangerous. Other than that, I really could care less if someone spends half their day on Facebook. It's not my job to make sure that other people are working...
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
What bothers me about this whole situation is that the IT guys are not managers -- so why are they watching over the employees to any degree? It is one thing if someone happens to stumble across something unusual, such as your example with the excessive disk space, and then reports that to a manager, but it is quite another story when IT guys are being asked to actively monitor other employees. The managers should be the people who watch over the employees and make sure that the equipment (i.e. computers) is being used properly, and they should not try to pass off that responsibility to someone else.
Palm trees and 8
By analogy, imagine a railroad. Instead of computers, we have locomotives, and instead of IT staff, we have mechanics who maintain those locomotives. Now, whose responsibility should it be to check in on the employees who operate the locomotives to make sure they are doing their job, the mechanics, or the manager?
Passive monitoring is one thing -- if an IT worker sees something strange, like an employee storing many terabytes of porn on company computers, then of course that should be reported to the boss. Active monitoring is another story -- IT staff should not be expected to check in on employee activity on the computers to make sure that people are working. Actively monitoring the employees is a manager's job.
Palm trees and 8
I worked IT at a mortgage company run by someone without much in the way of morals. He wanted a print-tracking solution to monitor who was printing and what they were printing. As it happens, I later worked for a company which provided this exact solution, but ultimately it didn't matter because what he wanted was something he didn't want to spend any actual money on, and at the time any solutions were resource-intensive for a file and print server running on a then-midline Pentium 166 MHz, so it would have required spending money on hardware upgrades, too.
He wanted this solution to protect his leads, which he was convinced were walking out the door from employees taking them and selling them to his competitors; ultimately, it was one of those cases of suspecting other people were doing exactly what he would have done in their situation. I suspect there's a fair amount of this attitude, and it's probably more common in smaller businesses than Fortune 500 companies, who are generally more interested in liability.
You make it sound as if Internet monitoring is the only sort of monitoring being done these days. Many big corporations now keep logs of files that have been executed, and some even install keyloggers and computer forensics software.
So it isn't even just a matter of porn or file downloads or webmail. They're tracking everything done on the computer. I wonder just how useful that tracking can be, considering the huge volume of data on any network of significant size.
My blog
Depends on the management's response while something happens. A few years back I was asked to keep an eye on employees' internet habits at the workplace, though the management made it difficult for me to do but expected it to be done. Damned if you do, damned if you don't. Anyway, I spotted someone visiting porn sites during office hours; management said ignore it, and I replied, then what is the point of me monitoring if no action is taken? Over a few weeks the person went from general porn to kiddie stuff. My management tried to sweep it under the carpet and pretend; however, here in the UK, if you are IT staff and you are exposed you have to report it to avoid punishment yourself, so I rang the Police, and in the end the person who was viewing the porn got sacked (and eventually prosecuted), management (the ones who tried to cover it up) got sacked, and I got a hefty pay cheque off the Chairman of the board for doing the right thing!!
It's not an accurate analogy to compare locomotive mechanics and IT staff. Using an airline, and stewardesses would be closer since train mechanics don't ride with the passengers.
But that said, I don't care who you are, if management says you are to monitor, then it's your job. Hell, if the says 'don't worry about the servers, go mop the floor', then that is your job for the day.
---- Booth was a patriot ----
To add to that, who actually browses porn at work? I mean, every few months, I hear a story about some politician or city employee being caught browsing porn on work hours, and I just think wow. Is your job that boring? Is your life that boring? Of all the things there are on the internet that won't get you in quite so much trouble, they choose to look at porn. Not that there's anything wrong with doing it on their own time, but they have to just know it's going to end up badly. When I'm bored at work, I visit lots of non-work related websites, but I just really don't understand the porn-at-work thing.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I realize it's a matter of perspective... hell I've filled both roles so I know how it goes. However, the "generalist network admin" is monitoring employee actions and behaviours already. If they're not, then they're not doing a very good job. The perspective difference comes in the fact that most of the time said generalist is doing reactive monitoring, not proactive. As a result, the network admin typically does not realize that someone is attempting to compromise systems until the attempt is already occurring. There is a certain amount of proactive monitoring that the generalist does, but it tends to be limited.
Proactive monitoring at the employee's desktop or application level does sometimes tend to highlight trends in employee actions before they get anywhere in a compromise situation. That means that the good generalist with a wider scope will be able to predict much better that problems are or will be occurring and take appropriate actions.
Now, the upper management trend of monitoring just to see exactly what their employees are doing... this I also think is fair so long as the rules are advertised and applied evenly. Remember, we are at work doing a job because we can and do. We are using company resources to do so, and we are paid for our work. I'll leave the conversation about whether we're paid enough to the individual, but I would contest that the best paycheck you're going to get from the job is about the same or less than everyone else in your field and location are demanding. Economics at work.
There is a point at which the monitoring becomes too much. I know my web habits are monitored by my management but I feel I have nothing to hide. I can justify every site I visit and the length of time I spend on those sites because when I'm at work, I'm working. I save personal web surfing for breaks or lunchtime and my management understands there are a few personal websites I visit on a frequent basis. Like Slashdot. I have worked in a much stricter environment where they absolutely stated no personal web surfing at work, and that was also fine because I just found other things to do during break and lunch. Note that I was also far more likely to go out and take my 1 hour lunch because of this policy... my current work environment's policy of "personal stuff OK at lunchtime" means that typically I'm at my desk during lunch so if something comes up, I'm here.
Maybe I'm just getting old, but I think the summary and the article are making generalizations that cannot be supported in the real world. Even when I started out as a junior network admin some 20 years ago, give or take, I understood the need and desire for monitoring employees. Since I also owned my own business for a while, I know what that desire is like but recognize that there's a balance to be found between "big brother" and "free rein".
As a security professional in a VERY large company, you'd be amazed how many people go to porn sites on work computers. For some people, it seems like porn is like an addiction. They crave that "stimulation" so badly that they can't wait until they're somewhere else, or perhaps they don't have a computer at home, or perhaps the only computer at home is in a public area where other people can see what they're doing. There are many reasons why someone would choose to do something like that at work.
They also don't seem to believe the warning on the computer when they log in every morning telling them that we ARE monitoring their activities.
The problem is that new sites pop up all of the time, so trying to block them is like the old "whack a mole" game at the carnival.
I found one company-issued laptop with 16GB of porn videos, including kiddie porn. That was immediately turned over to the proper authorities and, if my information is correct, the former employee is now in prison.
If the manager is not technically competent to monitor computer use, then there is a question of why that person is managing people who use computers for their work -- the manager should be competent with the equipment.
That's a bit much. The accounting manager should be able to keep up with the latest ways to hide computer usage? Does that mean the most able computer user should be the head of each department regardless of ability to manage that department? Also, aren't the guys trying to hide stuff more likely to become the most competent user, therefore allowing them to be the "boss"? Of course that means as you go up the chain of the company it just keeps being more and more technically superior people, regardless of ability to do the job.
No, I'll stick with the idea that the department manager should know his specific job better than anyone. That includes the IT Manager, and he should be ultimately responsible for all computer usage.
No comprende? Let me type that a little slower for you...
Greetings and Salutations....
A few years ago, one of my clients asked me to generate lists of the websites their employees had been on, and, how long they had spent on the sites. Since I run an in-house DNS server, not that hard to get. Well, I ran the reports for a few months, then, the project was quietly dropped. Why? It turned out that the only folks that spent significant amounts of time on porn sites and other non-business sites were the President of the company (who had ordered the reports) and his wife, the CFO of the company.
And THEY were burning a LOT of time on non-business related entertainment and shopping!
What was really amusing to me about this was that these two folks had the attitude that they were the only ones doing anything positive for the company, and, the employees were the enemy - and were spending all their time trying to steal time and resources away from the company, cutting down on profit margin!
Regards
Dave Mundt
YAB - http://blog.beemandave.com/
You are correct. The one piece you missed is that the monitoring actually INCREASES liability to the company. By putting up filters and monitoring employees, the company is declaring that it is their responsibility to find out and stop employees from browsing porn. They are also claiming that they have the ability to stop employees from browsing porn. This INCREASES their liability.
Another true story. At my company, I sit close to the guys who monitor the content filters. They have connections to their computers outside the proxies, directly on the Internet. I see them all the time accessing their personal Gmail accounts, which is blatantly against the company's security policy. It's a bit like the police officers I see all the time driving 70 MPH on the 55 MPH-speed limit Interstate, or driving through red lights. Who watches the watchers? Oh yeah, that would be nobody. Oh, don't worry though, I'm sure they're browsing "responsibly" and don't need watching.
This happens daily at our company. In fact, I had a manager approach me and ask if she could have the same tool that I use for remote access to assist users and fix things. I flat out told her "no." She sniffed and walked away. The hubris of corporate America is astounding. Management mentality is still very much caught in "industrial revolution" mode of thinking where employees need constant micromanaging. Has it occurred to anyone that human beings hate micromanagement? Micromanagement is a morale destroyer and encourages rank and file employees to be mindless automatons. I often wonder why someone wants to become a manager. I think it is to gain more freedom to make decisions so they are less of an automaton. Many managers also forget from whence they came.
Always become pals with the security and even the cleaners. Don't treat them as the help, treat them the way you would want to be treated. It is amazing what kind of insight they can provide. A retired federal special agent once told me that you can learn something from anyone and he was so right. A security guard overheard two people plotting a way to get rid of me. He told me the circumstance so I looked through my web logs for the sites that these ass clowns went to, had a neat little report assembled, and dropped it off at HR the next morning. At nine o'clock the next morning, the two stooges were called into the HR office and two hours later the two stooges were sent packing absolutely blind-sided. Moral: be honest, don't be devious, and most of all .... appreciate the jobs that your security and custodial folks do as they are real jobs and necessary.