June 13, 2016 By Kevin Beaver

Long ago, I spoke about employee monitoring, exploring the topic of monitoring employee and computer usage violations. What was a popular and challenging topic over a decade ago has seemingly become a nonissue in the corporate world today.

We’ve likely all violated acceptable usage policies, and people working in IT and security witness these issues on a daily basis. Management hears about it — sometimes. Other times they’re out of the loop. Regardless, computer misuse is often swept under the rug in businesses both small and large. I’m not convinced that’s the best approach.

Don’t Ask, Don’t Tell?

Do you simply use technical controls to keep your users in check? Blocking certain websites is certainly a great step toward setting people up for success. The problem that I often see is that most employees can’t tell you whether there’s a policy against them doing what they’re doing. They’re often out of the loop with no expectations set by management.

Do you get HR and higher levels of management involved? Of course. Computer usage violations are a management problem, not an IT or security problem. IT and security team members are there only to serve as experts in implementing what management wants and what they need to know about. They aren’t there to write and enforce the rules.

Do you ignore and move on? Perhaps a “don’t ask, don’t tell” policy is best for your business culture and politics. But even if that is the best fit, it still doesn’t justify computer abuses that may be creating untold business risks that have yet to be realized.

Monitoring Computer Usage Violations

If you rely on technical security controls such as web content filtering systems, you not only need to ensure their ongoing oversight, but you need to test them regularly as well. I find it interesting that so many content filtering implementations are half-baked. Some don’t block certain categories (e.g., adult content) while restricting access to legitimate social media sites and other online resources. Although a few of these sites may fall into the category of hacking, many of us in IT and security depend on them for knowledge.

Some content filtering systems are enabled on the corporate Wi-Fi network but are more lenient or disabled altogether on guest Wi-Fi. Perhaps the guest environment is deemed less important? Or could it be general ignorance over how guests (and occasionally employees) are abusing it? Either way, the bad traffic that’s getting through is still originating from your corporate network and could be creating unnecessary risks.

Only you know what’s best for your organization. The important thing is to think about this issue at the highest level possible, such as your corporate information security, audit committee or other executive level. Simply assuming everyone is doing the right thing all the time, or ignoring the fact that people are choosing to bypass your policies and abuse your systems, won’t cut it.

Assess. Acknowledge. Respond. That’s the recipe for an effective information security program — computer usage and all.
