June 13, 2016 By Kevin Beaver

Long ago, I spoke about employee monitoring, exploring the topic of monitoring employee and computer usage violations. What was a popular and challenging topic over a decade ago has seemingly become a nonissue in the corporate world today.

We’ve likely all violated acceptable usage policies, and people working in IT and security witness these issues on a daily basis. Management hears about it — sometimes. Other times they’re out of the loop. Regardless, computer misuse is often swept under the rug in businesses both small and large. I’m not convinced that’s the best approach.

Don’t Ask, Don’t Tell?

Do you simply use technical controls to keep your users in check? Blocking certain websites is certainly a great step toward setting people up for success. The problem that I often see is that most employees can’t tell you whether there’s a policy against them doing what they’re doing. They’re often out of the loop with no expectations set by management.

Do you get HR and higher levels of management involved? Of course. Computer usage violations are a management problem, not an IT or security problem. IT and security team members are there only to serve as experts in implementing what management wants and what they need to know about. They aren’t there to write and enforce the rules.

Do you ignore and move on? Perhaps a “don’t ask, don’t tell” policy is best for your business culture and politics. But even if that is the best fit, it still doesn’t justify computer abuses that may be creating untold business risks that have yet to be realized.

Monitoring Computer Usage Violations

If you rely on technical security controls such as web content filtering systems, you not only need to ensure their ongoing oversight, but you also need to test them regularly. I find it interesting that so many content filtering implementations are half-baked. Some don’t block certain categories (e.g., adult content) while restricting access to legitimate social media sites and other online resources. Although a few of these sites may fall into the category of hacking, many of us in IT and security depend on them for knowledge.

Some content filtering systems are enabled on the corporate Wi-Fi network but are more lenient or disabled altogether on guest Wi-Fi. Perhaps the guest environment is deemed less important? Or could it be general ignorance over how guests (and occasionally employees) are abusing it? Either way, the bad traffic that’s getting through is still originating from your corporate network and could be creating unnecessary risks.

Only you know what’s best for your organization. The important thing is to think about this issue at the highest level possible, such as your corporate information security, audit committee or other executive level. Simply assuming everyone is doing the right thing all the time, or ignoring the fact that people are choosing to bypass your policies and abuse your systems, won’t cut it.

Assess. Acknowledge. Respond. That’s the recipe for an effective information security program — computer usage and all.
