June 13, 2016, by Kevin Beaver

Long ago, I spoke about employee monitoring, exploring the topic of monitoring employee and computer usage violations. What was a popular and challenging topic over a decade ago has seemingly become a nonissue in the corporate world today.

We’ve likely all violated acceptable usage policies, and people working in IT and security witness these issues on a daily basis. Management hears about it — sometimes. Other times they’re out of the loop. Regardless, computer misuse is often swept under the rug in businesses both small and large. I’m not convinced that’s the best approach.

Don’t Ask, Don’t Tell?

Do you simply use technical controls to keep your users in check? Blocking certain websites is certainly a great step toward setting people up for success. The problem that I often see is that most employees can’t tell you whether there’s a policy against them doing what they’re doing. They’re often out of the loop with no expectations set by management.

Do you get HR and higher levels of management involved? Of course. Computer usage violations are a management problem, not an IT or security problem. IT and security team members are there only to serve as experts in implementing what management wants and what they need to know about. They aren’t there to write and enforce the rules.

Do you ignore and move on? Perhaps a “don’t ask, don’t tell” policy is best for your business culture and politics. But even if that is the best fit, it still doesn’t justify computer abuses that may be creating untold business risks that have yet to be realized.

Monitoring Computer Usage Violations

If you rely on technical security controls such as web content filtering systems, you not only need to ensure their ongoing oversight, but you need to test them regularly as well. I find it interesting that so many content filtering implementations are half-baked. Some don’t block certain categories (e.g., adult content) while restricting access to legitimate social media sites and other online resources. Although a few of these sites may fall into the category of hacking, many of us in IT and security depend on them for knowledge.

Some content filtering systems are enabled on the corporate Wi-Fi network but are more lenient or disabled altogether on guest Wi-Fi. Perhaps the guest environment is deemed less important? Or could it be general ignorance over how guests (and occasionally employees) are abusing it? Either way, the bad traffic that’s getting through is still originating from your corporate network and could be creating unnecessary risks.

Only you know what’s best for your organization. The important thing is to think about this issue at the highest level possible, such as your corporate information security or audit committee, or at another executive level. Simply assuming everyone is doing the right thing all the time, or ignoring the fact that people are choosing to bypass your policies and abuse your systems, won’t cut it.

Assess. Acknowledge. Respond. That’s the recipe for an effective information security program — computer usage and all.
