While it’s generally agreed that employees pose a greater security threat than hackers, virus creators, or other cybercriminals, what’s less well known is that some of the newest tools for ferreting out evidence of wrongdoing can play other roles within companies. That complicates the buying decision, certainly — are you trying to help employees find data or making sure they don’t make off with it? — but it hasn’t stopped a handful of emerging companies from developing new software products that do double duty: acting as cop or concierge, depending on your point of view.
While annual computer-crime statistics are probably enough to make companies interested in such products, that interest gets a boost from new compliance regulations that make companies more responsible for protecting the privacy of clients, monitoring E-mail exchanges, and more. At the same time, lost productivity due to improper employee computer use (that is, unmitigated Web surfing) is mounting.
Although many legal issues remain murky regarding how closely companies can, or should, watch employees, many experts say the law is firmly on the side of the employer. Renee S. Schor, a partner in global law firm Baker & McKenzie in San Diego, acknowledges that some new monitoring technology is already in use among the firm’s clients. Companies address privacy issues by advising employees of any monitoring policy through company handbooks and sometimes through a pop-up reminder when an employee logs onto his or her company computer for the first time, she say. The employee must then acknowledge his or her acceptance of the policy. Schor says that “so long as there is a business necessity for it, and the employee is advised that he or she does not have a reasonable expectation of privacy, companies are going to have a fair bit of comfort in utilizing these systems.” The issue is more complicated for global firms, because privacy laws in some countries give employees more protections.
The systems most often in place — Web-filtering software — track or prohibit employees from accessing certain Websites. While that category continues to see plenty of development, other related types of software are emerging that don’t simply look over an employee’s shoulder, but study that worker’s habits for clues as to whether something is afoot. “I believe that companies have the right to know what their employees are doing on their computers at work while they’re being paid to do a certain job under the employment contract that already exists,” says William L. Tafoya, an expert on cybercrime investigation and a professor in the Criminal Justice Department in the School of Public Safety and Professional Studies at the University of New Haven. He says that a variety of concepts and advanced technology under development have workplace potential for analyzing cyberbehavior and uncovering, or even anticipating, crime. Keyboard logging, systems that track online behavior to determine intent, and neurolinguistic analysis are among the techniques that, particularly when used in combination, could give an employer new insights into whether an employee poses a risk.
Aungate, a company with headquarters in San Francisco and Cambridge, England, offers a suite of software that can monitor and analyze E-mail, instant messaging, and voice-mail content for a variety of purposes. Used by government agencies (including the Securities and Exchange Commission), as well as many private companies, the software can sound an alert if something looks suspicious — critical information being E-mailed to unlikely recipients, for example — or simply provide a routing function to aid information-sharing. That is, the software can be sold on its merits as a fraud detector or as an aid to collaborative computing. One customer uses it to gauge the work of thousands of engineers, developing profiles of each employee’s area of expertise.
Ian Black, managing director of Aungate, says, “Our technology allows a customer to monitor an individual [employee] either covertly or overtly, and form a profile around [that employee]. That profile can be used to attract information to an employee that the employee might not have known about” — for example, if an employee is found to be working on a North American marketing campaign and someone else in the organization has developed useful intelligence on that topic, the report can be forwarded automatically — “or it can be used for issues such as compliance.” As an example of the latter, Black cites the “Chinese Wall” that exists within investment banks, and says Aungate’s technology would sound an alert if information appeared to be crossing that wall in any way deemed inappropriate.
Some of these products are still being researched — one, for example, is based on Air Force systems that detect a change in flight plans but could be adapted for the corporate world to look for deviations in work behavior that might signal ill intent. Another monitors atypical behavior — a bank employee who seems to be searching for accounts that hold large sums, but who quickly shifts back to regular work, simply taking a peek now and again. What they all have in common is the ability to assess vast amounts of information or behavior and put context around it.
Some analysts are skeptical. “In terms of automated profiling systems that do weird technology things based on how somebody types or based on their activity on Websites, I don’t see them as hugely effective,” says Rich Mogull of Gartner’s Information Security and Risk group. But he does see increased monitoring of E-mail and other forms of communications gaining in popularity. Others say that the use of software based on “predictive behavioral indicators” that develop profiles or patterns of behavior for employees will flow naturally from work now being done to prevent cyberattacks. Given that some of this software parallels the capabilities found in some CRM products, the notion of an employer that takes a keen interest in each and every employee — continuously — may not be so fanciful.
DeeDee Doke is a freelance writer based in Cambridgeshire, England.
Community Profiles
Many of us have been profiled by software, whether we like it or not. E-tailers that make customer recommendations (such as Amazon) do so by tracking what you’ve bought or looked at. A British company called APR SmartLogik is extending that concept into the workplace with a product called SmartLogik Recommend, which develops a profile of employees based on what they search for, what documents or news sources they find most useful, and other criteria. The goal, the company says, is not to fight fraud or other crime but to connect employees with data that’s relevant, and to other employees who might share similar interests. By alerting employees to both content and communities of interest, the product builds on SmartLogik’s expertise in search and information categorization. To date it has not landed any customers for this particular module, but it says government agencies and financial-services firms are likely users.