When Big Brother Watches IT

bdking writes "In an effort to protect sensitive data from internal security threats, some organizations are 'using new technology to look at the language of their IT staff's emails to determine whether their behavior or mind-set has changed,' the Wall Street Journal reports. Is secretly spying on and linguistically interpreting employee emails going too far in the name of security? From the article: 'I understand the need to be aware of the attitudes of workers with high-level access to data and networks, but this strikes me as creepy. What if an IT employee suddenly has relationship problems or family issues? Will they then be flagged by HR as potentially troublesome or even a data security risk? And all without them even knowing there's a dossier being created of them and their "suspect" behavior?'"

Prevention cheaper

[Tablizer]

Wouldn't it just be cheaper to not treat workers like shit?

Re:Prevention cheaper

Wouldn't it just be cheaper to not treat workers like shit?

This one's going on the list.

Re:Prevention cheaper

[JosephTX]

you're confusing those types of bosses with people who see you as something more than an exchangeable cash cow.

Re:Prevention cheaper

[alexander_686]

It’s one of odd things – how do you monitor employees without draconian controls? I think the trust of these programs is not that they can detect fraud per say, but rather they can identify people and situations which generate extra temptation. It does not matter how well you treat your employees, if somebody develops a gambling addiction (see below) it does not matter how well you pay them.

Here's another article.
http://www.economist.com/node/21547833

In this case they are talking about detecting fraud with people who have level access to the books – think rouge trades and embezzling employers. However, from the article fraud comes from “incentive, rationalisation and opportunity”. You try to hire competent, well paid staff and put in controls. However, eventually you hit limits.

From personal experience, I know of a case in my company where a mid level middle age employee who had been with the company for over 20 years developed a gambling addiction. Over the course of 18 months she embezzled over $200,000 from the company via hundreds of transactions. She had been around long enough to know that the individual small amounts would never trigger a review

I would

Re:Prevention cheaper

[PopeRatzo]

In this case they are talking about detecting fraud with people who have level access to the books â" think rouge trades and embezzling employers. However, from the article fraud comes from âoeincentive, rationalisation and opportunityâ. You try to hire competent, well paid staff and put in controls. However, eventually you hit limits.

One limit you hit is that mechanisms like you describe and like the ones in this article are never applied to top management and the board of directors. So, the ones who are in the greatest position to hurt the company the most are left out of any security regime.

And if you tried to put such mechanisms in place for the top people, they would all simply refuse, and nobody is there to call them on it, because everyone else at their level has the same attitude. This is one of the biggest dangers of income disparity. When it gets beyond a certain point, the elite "break away" from the social mechanisms and requirements.

Re:Prevention cheaper

[alexander_686]

In my experience, as you move up the chain of command, any formalized controls become more stringent – not less. In my case, every level I move up in the company I have to disclose more, with the CEO having to disclose the most.

On the other hand, I have found misalignment increases. CEO’s don’t (normally) need to commit outright fraud – there is a host of grey areas to exploit.

The corporate jet is a classic example. It helps the CEO meet with clients, survey the business, saves time, etc. All of time & money will be well disclosed in the annual reports. If the CEO uses it for personal reasons, he has to pay it out of pocket. So everything is above board. Yet, who do a disproportionate number of CEO schedule official trips to Aspin during skiing season and during the summer?

Re:Prevention cheaper

[__aaltlg1547]

Those are not only the people in the greatest position to hurt the company, but also those with the greatest incentive not to do so - why hurt a company that is paying you millions of dollars a year? Top management positions aren't that common that one would risk losing one.

This flies in the face of reality. In the real world, some top managers develop such an inflated sense of entitlement that they believe they are worth far more than what they legitimately earn, deserve whatever they can take and that they will never get caught when they break the law.

Re:Prevention cheaper

[turbidostato]

" why hurt a company that is paying you millions of dollars a year?"

Because they can get even more by hurting them *and* getting their golden parachutes after the havoc?

Re:Prevention cheaper

[Deekin_Scalesinger]

Why is any IT employee in their right minds sending our personal communications from their work computer? Come on - that's like common sense 101 stuff there, or at least, take some precautions...VPN, GPG, smartphone...

Re:Prevention cheaper

[RulerOf]

Because they can get even more by hurting them *and* getting their golden parachutes after the havoc?

I wonder if I'm the only person who hears or reads "golden parachute" and gets a mental image of a CEO jumping from a burning plane with his company's stock ticker on the side, holding on to a dozen overstuffed briefcases full of cash like he's a modern-day DB Cooper. :D

Re:Prevention cheaper

[10101001+10101001]

Those are not only the people in the greatest position to hurt the company, but also those with the greatest incentive not to do so - why hurt a company that is paying you millions of dollars a year?

Um, because? Seriously, you make it sound like it's a well considered and rational action of self-destruction to become a gambling addict and to start embezzling money. Sure, there are rationalized steps in the process to reduce the risk of getting caught, but one presumes that all employees are only really there to earn a paycheck, getting caught means criminal charges and/or being blacklisted from most companies, and that while people do tend to expand their spending to meet their paycheck, the less the paycheck overall is, the less savings you have and hence the more you really need that job. When you're talking about a million dollars a year, well that's equivalent to 20 years of $50,000/year*, which leaves a lot of room to not really care about a company.

Top management positions aren't that common that one would risk losing one.

How many CEOs, after having ran one business into the ground, have been hired up again to be CEO at another company? I guess that might be because as much as "top management positions aren't that common", it also holds people with top management position experience aren't that common; and why not hire someone with experience, even if it's mostly bad, rather than risk a person with no experience? Really, unless the CEO is stupid enough to be caught outright embezzling money, they're probably in the clear; and considering how much stuff can seemingly be written often as a "business expense" or "perk", it could take quite a lot. That's not to say, of course, it doesn't happen and people haven't been caught/punished; but, the CEO and other top management positions are in the best position of burying evidence, and vague accusations without proof might be enough to force a resignation but maybe not enough to prevent them being rehired elsewhere. After all, if your CEO was robbing you blind, would you like the world to know? And wouldn't you like it best if after they resigned they were rehired by a competitor who you can secretly hope they'll embezzle from as well?

*Yea, I know, because of progressive taxation it's probably closer to 3/4ths that, but then the discussion was "millions of dollars", so feel free to scale up that round figure of a million dollars to compensate--I'm sure the CEO would.

Who manages it?

[GeneralTurgidson]

If an HR department can install and manage software that interfaces with a companies email without IT knowing about, that company has bigger security concerns. If IT manages it, IT can circumvent it.

Re:Who manages it?

[jroysdon]

As we tell our staff, get a smart phone and do whatever you want. Just never connect it to our network (including even USB to charge), and never use our network/PCs for personal use. Don't want to spring for a smart phone? Surf at home.

Pretty much proves the point

What if an IT employee suddenly has relationship problems or family issues?

There's definitely something suspicious going on when IT employees have relationships, nevermind relationship problems.

Personal emails at work?

[PT_1]

"I understand the need to be aware of the attitudes of workers with high-level access to data and networks, but this strikes me as creepy. What if an IT employee suddenly has relationship problems or family issues?"

Not commenting on whether monitoring employee emails is right or wrong, but why would somebody use their corporate email account to deal with relationship or family issues? In a world where companies can and often will read their employees' emails, that anyone would use their work email for anything personal seems short-sited. Sign up for one of the free web-based mail accounts.

Creepy but...

[PastBlast]

That's why I never send personal email on the company's system. I also don't keep any personal files on the company supplied computer nor do web browsing on it. It's a hassle sometimes, especially when I need to carry around my personal laptop. And, in reverse, I never do "work" on my personal computers. While I don't think my company is spying on me, I go by that assumption because they can start at any time without my knowledge. It's my way of mitigating that risk. In general, I think it's also a good way to keep my personal life separate from work. I learned that years ago during some stress reduction workshops I participated in.

kick 'em when they're down

[tverbeek]

What if an IT employee suddenly has relationship problems or family issues? Will they then be flagged by HR as potentially troublesome or even a data security risk?

I got suddenly canned from a sysadmin job when I showed signs of irritability and started requesting half-days off here and there. Except in this case it was because my boyfriend was critically ill, and they knew that. They just didn't give a fuck.

Re:kick 'em when they're down

[Rakishi]

And those other people are also a liability because they may not be able to do the job. Even if they can do the job it'd take them 2-3 months to get up to full efficiency at doing their job.

Furthermore, every other employee, including the replacement, now knows that the company will fire them at the drop of a hat. In other words, they now have a signal that they may want to start sending out resumes before it happens to them. The fired person's social network will now also know that the employer is an asshole and to steer clear if possible.

So yes, caring does pay the bills if a company cares about anything but the short term balance sheet (not even short term productivity).

Re:kick 'em when they're down

[laughingcoyote]

Aside from the fact that what you're saying shows a total lack of humanity, it's also wrong.

If I saw another employee I worked with being treated that way, believe me, I'm looking for a new job the moment I get off work that day. And then all of the training, experience, etc., that they've paid me well to develop, walks right out the door.

That aside, loyalty is meant to be reciprocal. As long as a company is "paying the bills" adequately, a little decency for those undergoing tough times and have spent years of their lives helping to build the company is not exactly uncalled for. I have worked several places that coworkers were more than happy to pick up some slack for someone in a tough situation, especially since it was well understood they could accept the same in return. That type of environment is far more productive than one where everyone spends half the day looking over their shoulder.

"It's just business" is not an excuse for unconscionable behavior, and it's been used that way for far too long.

Security

[nurb432]

The it security team trumps the it sysadmin team.

Re:Security

[JDG1980]

The it security team trumps the it sysadmin team.

This assumes a rather large company. Many organizations have one sysadmin who handles security issues as part of their job duties, or just a handful of "IT guys" who more or less handle everything. The library I work for has about 100-150 employees total; the notion of a separate "IT security team" and "IT sysadmin team" is ridiculous for an organization of this size. Our IT department is 6 people total.

Speaking as a state employee

[93+Escort+Wagon]

In Washington state, anyway, the email of all us state employees is considered to be part of the public record... so in theory this sort of monitoring would be relatively easy to implement. Funny thing is - as a Washington state employee, I feel less vulnerable to this sort of snooping than if I were employed by a private company.

If you don't trust your sys/network admin...

[gstrickler]

...do yourself and your admin a favor and get rid of him/her. He/she won't like working for someone who doesn't trust him/her, and you won't like constantly being suspicious.

I've given that advice to all my clients over the years. You can extend the concept to the rest of your IT and/or security team. That doesn't mean you shouldn't take precautions, have checks and balances in place, etc, but fundamentally, if there isn't a high level of trust, deal with the lack of trust, either by discussing it until there is an understanding and trust, or by ending the relationship.

Secretive monitoring is not the way to handle a lack of trust. The only exception is when there is already probable cause to believe a crime has been committed, then, in some cases, monitoring to gather proof may or may not be necessary or appropriate.

Re:A more important question.

[Zontar+The+Mindless]

A more important question is why would anyone take anything said at "ITWorld" as factual?

It's not just ITWorld's say-so. They cite this WSJ article, which also says so.

Re:An old enough industry to require unions

[Zontar+The+Mindless]

Unions do have their place. An IT shop is not one of them.

You should really try to be more open-minded about such things. Maybe even consider moving to Sweden, where nearly everyone is entitled to union representation whether they bother to join one or not.

When we got bought, and the new owners tried to take away nearly all my benefits, my IT workers' union did a pretty good job of nipping that nonsense in the bud. Maybe I should show my appreciation by signing up and paying them the ~$25 per month they want as dues for actual membership. That's only about 2% of what I would have lost if they'd not gone to bat for me.

They did something like this to the Enron Execs

[Karmashock]

I believe this was more of an analysis. They fed thousands of time stamped memos into an algorithlim. The idea was to look for differences in speech pattern or word choice in reference to the conspiracy.

What they found in Enron at least was that as people behaved increasingly corrupt they became increasingly formal with each other. Casual comments tended to be innocent ones where as memos concerning the corruption tended to unusually professional.

Personally, I don't care what the company does with my corporate email. Scan away. It's so boring that I understand why they want to have a computer read it instead. And who knows, they might actually uncover a problem.

Obviously people will be worried about false positives. But I doubt anyone is going to take the computer's opinion as gospel. Likely, the computer will just point to a given collection of emails and suggest management read those specifically. Where upon management can decide if they have a problem or not.

Suspicion is a dangerous thing

[anegg]

Isn't the real problem that yet another non-scientific unproven analytic tool is going to be deployed in an attempt to discern what people are really thinking? There may be lots of reasons why someone's language changes, including events in their personal lives that have no relationship to work as long as they continue to carry out their duties competently. Imagine being called to the bosses office or HR to "explain" why your behavior has changed when you may not have realized the change yourself, and it has nothing to do with work. Failure to provide a satisfactory explanation will result in greater suspicion of your intentions, especially if the system that detected your behavioral "abnormalities" was sold with the understanding that it really could spot bad eggs before they cracked.

Re:Suspicion is a dangerous thing

[joebagodonuts]

It's worse than "non scientific".

"If you start to feel differently about the company you work for and the people you work with, you'd be surprised how your language changes," says Ed Stroz, co-president at digital-risk-management firm Stroz Friedberg LLC, New York. The company, like other consulting firms such as Ernst & Young, makes technology to examine linguistics .

It's usefulness is being touted by those selling the software: