Defenses Mount Against Internal ThreatsDefenses Mount Against Internal Threats

Business-technology executives are realizing the potential implications of inappropriate use of technology in the workplace. And they're not relying on employee discretion to decide what's fitting conduct.

Executives are taking a more hands-on approach to employee management. At most companies, this means more than formal policies that dictate standards of conduct. Businesses are doing more to monitor how employees are using technology. While some of this tracking is for accounting purposes and to understand dips in worker productivity, employee surveillance is predominately occurring to uncover inappropriate use.

Nearly 40% of the 3,425 companies in information Research's U.S. Information Security Survey report--a study fielded by PricewaterhouseCoopers that examines security incidents and strategies among businesses--monitor employees for phone, E-mail, and Internet misuse.

Monitoring is arguably justified. Company trade secrets can end up anywhere in the world with one click of a mouse, while the internal circulation of offensive material can land a company in legal hot water if left unchecked.

Yet not all businesses are championing the need for employee surveillance. Smaller companies are less inclined to take such protective measures. Almost half of the study's 1,348 small businesses--companies with less than $50 million in annual revenue--and nearly a third of 429 sites with revenue between $100 million and $500 million have yet to make employee surveillance an IT priority. But four out of five of the study's 696 companies with annual revenue of more than $500 million track employee use of company-owned technology.

It will be surprising if this reluctance persists over time. Seventy-three percent of U.S. companies report liability as a driver of security investments.

What's your company doing to curb internal exploitation of technology? Let us know at the address below.

Helen D'Antoni
Research Manager
[email protected]

Globally Acknowledged
U.S. companies aren't alone in keeping a watchful eye on employee activities. Companies in Europe and Asia are recognizing the need to understand how staff members are using technology. Companies abroad are also using surveillance, although use is slightly less frequent than in the United States.

Compared with 38% of 3,425 U.S. sites surveyed in this year's Global Information Security Survey that are monitoring inappropriate employee use of E-mail, phone, and the Internet, 34% of the study's 3,082 European companies and 31% of the survey's 857 Asian sites say they're monitoring employees' technology use.

Self-Disciplined
As businesses recognize the value of Internet access and more employees take to the Web during work hours, Internet misuse becomes a greater business concern. Some companies are already prepared to tackle misuse.

To keep Web surfing in check, nearly a third of sites surveyed are already operating Web-surveillance software to watch employees' online activities. But a majority of U.S. companies have yet to add employee Web-surveillance software to their IT infrastructure. Instead, 69% of U.S. sites are leaving employees to manage their own online activities.

Protective Measures
Businesses are working hard to gather and store information about customer transactions. Most companies are proactively educating employees about their privacy practices and standards pertaining to client information. While 72% of midsize and 62% of small companies are informing employees of their responsibilities, 82% of businesses with annual revenue of $500 million or more have made the internal communication of customer-privacy practices and standards a priority.

Return Visitors
To be effective, security initiatives need to consider more than just occasional breaches from full-time employees. Workers are wreaking havoc at some businesses even after a pink slip has been served.

Of the 1,610 U.S. companies that admitted to a security breach in the past year, 12% suspect a former employee as the source of the incident. Former staff members are more often a thorn in the side of large companies. One in 10 businesses with revenue of less than $500 million suspect a former employee to be behind a security attack in the past year; two in five larger sites report the same suspicion.