Monitoring tools are being used prominently, but can be too easily used for surveillance.
Speaking at the Gartner Security and Risk Management summit in London, analyst Andrew Walls said that employers often say that they are not doing surveillance, but often gather data via technologies on users. He said: “You are gathering tons of information all of the time. Are you conscious of it and are you taking steps to leverage it to benefit of the organisation?”
He said that surveillance is frequently done in IT to know how systems are running, but there is a clear difference between surveillance and monitoring; as one is about gathering data, while surveillance is about correlating data on a group of individuals.
“If you are monitoring to track a person, then you are engaging in surveillance,” he said. “If the tools are technical monitoring tools, it doesn’t matter. It is the intent behind monitoring and if it focuses on people, that is surveillance and you need to be aware of that.”
He recommended defining what your technical capabilities and limitations are, as it relates to how far you go and where you say no, as monitoring often far expand what employees expect you to do.
He said: “Be clear whether you are focusing on a person or a system, as you need metadata associated with a log event. If data is of use, it is dangerous as others will find it useful, and if you collect information on people, people will access it. It needs to be secured as much as other critical data in an organisation, and often there are no laws on employee data, but they are coming.”
Walls recommended reviewing company policies, as they are regularly out of date and not legally binding, and also to destroy data and be clear on your monitoring objectives. “Don’t collect it if you don’t need it, don’t keep it if don’t need it,” he said.
“Integrity of data matters, and make sure you have got it right if you use it. Be clear on your objectives and why you are engaging in surveillance and data collection, and who is allowed to access the data. Make sure monitoring is barely enough, and do not buy tools that vastly exceed your objectives, and that your data lifecycle is well defined and enforce it.
“Treat all information as personally identifiably. Once used it, destroy it, don’t just encrypt it and store it away. Have a policy rigidly enforced to user lifecycle management. In terms of risk it is a great powerful tool, but be careful as it can be very effective.”
