Big Brother is watching. Thing is, it’s not the made-up avatar of an overarching, all-powerful state. It’s far more likely that it’s a piece of software implemented by your company to see what you’ve been doing on social media.
In fact, some 60% of corporations are expected to implement formal programmes for monitoring external social media for security breaches and incidents by 2015, up from the less than 10% that currently do so.
According to tech research firm Gartner, monitoring employees will soon be viewed in the same way as monitoring social media is for brand management and marketing.
“The growth in monitoring employee behaviour in digital environments is increasingly enabled by new technology and services,” says Andrew Walls, research vice president of Gartner. “Surveillance of individuals, however, can both mitigate and create risk, which must be managed carefully to comply with ethical and legal standards.”
To prevent, detect and remediate security incidents, most tech security companies focus on the monitoring of internal infrastructure. The mass availability of consumer tech products, cloud services and social media means that this approach just doesn’t work any more.
According to Walls, the fact “that employees with legitimate access to enterprise information assets are involved in most security violations” means that “security monitoring must focus on employee actions and behaviour” both inside and outside of the office systems.
The popularity of social services such as Facebook, YouTube and LinkedIn provides new targets for security monitoring, but surveillance of user activity in these services generates additional ethical and legal risks.
There are times when the information available can assist in risk mitigation for an organisation, such as employees posting videos of inappropriate activities within corporate facilities. However, there are other times when accessing the information can generate serious liabilities, such as a manager looking at an employee’s Facebook profile to determine their religion or sexual orientation in violation of equal employment opportunity and privacy regulations.
Remember when companies were requesting Facebook logins from job candidates? Imagine that, but on a much larger scale. Although no one’s going to ask for your password any time soon, Walls reckons that “employers will continue to pursue greater visibility of social media conversations held by employees, customers and the general public when the topics are of interest to the corporation.”
An industry is already growing up around social media monitoring. Most PR companies, for instance, already offer it as a standard service.
Security organisations are also beginning to see value in the capture and analysis of social media content, not just for internal security surveillance, but also to enable detection of shifting threats that impinge on the organisation. This might be physical threats to facilities and personnel revealed through postings concerning civil unrest or it may be threats of logical attacks by hacktivists. Early detection of shifting risks enables the organisation to vary its security posture to match and minimise negative impacts.
“The problem lies in the ability of surveillance tools and methods to produce large volumes of irrelevant information,” says Walls. “This personal information can be exposed accidentally or become the target of voyeuristic behaviour by security staff.”
There are a number of important issues that also need to be considered. While automated, covert monitoring of computer use by staff suspected of serious policy violations can produce hard evidence of inappropriate or illegal behaviours, and guide management response, it might also violate privacy laws. In addition, if people know they’re being watched they’re less likely to behave badly, but surveillance activities may be seen as a violation of legislation, regulations, policies or cultural expectations. There are also various laws in multiple countries that restrict the legality of interception of communications or covert monitoring of human activity.