Employee monitoring under the radar, says security expert

Edward Snowden has stirred debate about US and UK spy agency internet surveillance, but corporate employee monitoring barely gets a mention, says David Melnick, chief executive of WebLife Balance.

“Everyone is talking about online surveillance at a national level, but no-one is talking about employee monitoring by corporates, which is the great untold story,” he told Computer Weekly.

The tension between security and privacy is as great within corporate environments as it is at a national level, said Melnick, a former Deloitte consultant and board member of security certification body (ISC)2.

US privacy law is relatively weak and corporates have taken advantage by getting employees to sign up to policies that allow a degree of online surveillance that has caused outrage in the national context.

In a recent article in the Guardian, Australian correspondent Misa Han detailed how in a previous job she was coerced into working for no pay after accessing Facebook during work hours.

This type of monitoring is common in US companies that draw up permissive policies in the name of information security, corporate governance and regulatory compliance, said Melnick.

However, such practices, enabled by data leakage prevention systems, are being challenged by European data protection authorities and employee representatives at US-owned multinational companies.

Pushback from the French data protection authority CNIL highlighted the problem for Melnick, who was inspired to pioneer a service that enables an alternative approach to security and privacy.

“Organisations are having to confront the reality that employees are bringing their own devices to work and accessing the corporate network for personal web use, but traditional approaches to employee monitoring are simply not working and even leading to abuse,” he said.

Melnick founded WebLife Balance in 2013 on the idea that if personal and work activities online are separated, companies can monitor all activity on the corporate network without infringing employee privacy.

Separation is achieved by enabling employees to connect to the internet through a secure tunnel via the corporate network, using a browser in a virtual environment.

This gives employees some privacy, while improving cyber security by isolating and protecting the corporate network from web-based malware infections.

Because corporate network usage policies are so extreme, employees typically flout them and IT departments turn a blind eye, which in practice creates weaknesses in malware defences.

This approach also guarantees that employees will not be able to send company data out through web-based services by preventing the transfer of any files or content between corporate and private environments.

By blinding themselves to employee activities online, companies gain the additional benefit of reducing liability for employee actions.

Once the virtual environment is established as a route to the internet, organisations can gradually move all online activity into this channel and lock down the corporate network without affecting productivity.

While this is a win-win situation, Melnick said companies typically find it difficult to grasp that by granting employees greater privacy, they can improve the organisation’s data protection capability.

“This is more about a cultural shift than a technical shift because it requires companies to think and act differently,” said Melnick.

“This requires buy-in across the business, including the heads of privacy, finance, legal and human resources,” he said.

It also requires training of employees and managers to help them understand that by empowering employees they can become part of the security solution rather than remain part of the problem.

Armed with a Fortune 500 customer in the highly regulated pharmaceutical sector and the second iteration of the PersonalWork platform, Melnick plans to take WebLife Balance to RSA Conference 2014.

He hopes to engage organisations in highly regulated industries and multinational companies faced with data protection and privacy regulations in multiple jurisdictions that stand to gain the most.

Later this year, Melnick is to meet with CNIL and other European data protection authorities to discuss in detail how far the approach they have approved in principle addresses European privacy concerns.
