Reining in Web 2.0
COMPANIES ARE increasingly allowing or even encouraging employees to use Web 2.0 tools such as social networking, blogs, and Internet Messaging (IM). The upside is that it can be a great way for the company to extend its brand and communicate with customers. But doing so carries security risks. Social networking, for instance, has become a growing target for scams such as phishing. Risks also include data leakage and repercussions from inappropriate content that workers may post either in the name of the company or using company resources.
To address those concerns, companies are seeking new ways to protect themselves from Web 2.0-related threats. Organizations are using new employee monitoring technology, for example, which can record and archive detailed end-user information. Such tools can help identify potentially dangerous Web sites and assist administrators in decisions on sites to block. They can also help companies enforce acceptable-use policies.
When John Zayac, president of IBG Business Services, sought a monitoring tool a few years ago, two main concerns were employee productivity and client privacy.
He looked at a few solutions, but quickly chose one from SpectorSoft of Vero Beach, Florida. SpectorSoft, about a decade old, began by selling its software as a parental computer monitoring tool. In the past few years, the firm has made “significant” business market inroads, says Doug Taylor, head of marketing.
Zayac says he chose the product, Spector 360, partly for its breadth of features. Spector 360 can take regular screen shots that can be stored and watched later in video-like format. Administrators can receive automatic alerts when custom keywords or phrases are entered into a keyboard. More than 50 customizable reports can analyze and compare activities of individuals, departments, and the company.
IBG permits most social networking sites, Zayac says. The company has no problem with employees conducting personal activities during lunch and “breaks.”
But he checks reports about once a month for unusual behavior. Occasionally, he has mentioned certain activities to employees. In a few cases, the software has helped root out more serious issues, one involving inappropriate content and another concerning misleading or erroneous information provided by an employee about a potential deal. One case ended in a dismissal. On both occasions, SpectorSoft helped Zayac search past data including emails and instant messages. “The screen shots were irrefutable,” he says.
At about $2,000, Spector 360 was worth the investment, Zayac says, if only for productivity gains. If each employee works an additional 10 minutes per week, the firm would save about $1,000 per employee annually, which would add up to about $30,000 for the company over the course of a year.
Zayac says that the product has reduced many concerns he might have had about Web 2.0 and other sites. “It acts like a guard rail.”
Another example of how a company is addressing Web 2.0 risks is Bass Underwriters, an insurance and financial services firm, that began using a Web filtering product from Trend Micro about a year ago. Mid-year, it added a new Trend product called the Advanced Reporting and Management module (ARM).
Before ARM, employees frequently bypassed blocked sites through methods such as proxy site tunneling, says Rudy Dellafiore, IT manager. Malware infections often brought computers down.
But ARM has provided significantly better visibility into employees’ computer activities. Before, Dellafiore could obtain reports such as the top 10 sites visited in a 24-hour period. ARM lets him view and record user activity in real time. He has gained a better sense of which sites to block, he says. If someone tries to access a prohibited site, he can sometimes “watch them do it,” he says. He can then block sites by individual, department, or company. He can also take action against the individual if appropriate. Malware is also down significantly as a result, he says.
Courts have generally found that companies have the right to conduct this type of monitoring as long as employees are put on notice about the policy. Most companies use language stating they might monitor electronic activities, says Lisa Sotto, a partner at the law firm Hunton & Williams. If the equipment is company-owned, organizations are fairly well protected in virtually all U.S. states against privacy invasion claims.
For SpectorSoft customers, one issue appears to be how and when to disclose the software’s use. In most cases, customers will run the program for a period without telling employees, Taylor says. This helps establish an activities “baseline” and sometimes sharply spotlights potential issues. Taylor says SpectorSoft advises companies to clearly communicate usage from the beginning. Sotto agrees that forthright communication could add extra protection against litigation and make “good overall business sense.”