This article was originally featured on SearchSecurity.com
Enterprises often take steps to protect against spyware, in much the same way they do against viruses and worms. But some companies also use spyware to monitor employees suspected
Requires Free Membership to View
When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by IT professionals today working with desktop management and security technologies.
Cathleen A. Gagne, Senior Editorial Director
of illicit behavior.
Spyware is considered malicious code on many fronts, but it can have legitimate uses. It can yield vital forensics used in investigations. When a keystroke-logging program is installed, for example, spyware can determine whether an employee is stealing intellectual property.
Though some enterprises go this route, the percentage of companies actually doing it is low, experts say.
"Installing spyware on your employees' computers is an extreme measure," said Bob Baldwin, a partner with Plus Five Consulting Inc., in Palo Alto, Calif. "There are certain liability issues. It shouldn't be done often."
Among those issues are potential violations of federal law if, for example, a company captures an employee's sensitive personal information, like credit card numbers. Such data could be intercepted if workers are shopping online, and federal law prohibits possession of such information without authorization. Companies also risk exposure of intellectual property and other sensitive data through the use of spyware.
To minimize both kinds of risk, Baldwin recommends that companies that suspect an employee of misdeeds call an outside party to investigate (and install the spyware if need be). Bringing in an investigator protects the company from some liability and helps to make the investigation objective.
Experts also recommend that access to the information gathered by spyware in an investigation flow through proper channels.
"This is definitely not an IT-only issue. IT and/or security people should not be the only people that have access to it -– period," said Kevin Beaver, principal consultant with Principle Logic in Kennesaw, Ga., in a recent e-mail interview. "Employee monitoring is a management-HR-legal issue.
"I've seen IT and security people doing this by themselves -- being the only ones doing the monitoring and owning the data -- and I've yet to see it work effectively."
Yet some people question any internal use of spyware.
"Spyware does little to effectively control the areas of risk [companies] are concerned about," said a software engineer from Texas who asked to remain anonymous. "They should be more concerned about unknown agents spying on their employees and install anti-spyware [software]."
FEEDBACK: Would you consider installing spyware to monitor your employees' behavior?
Send your feedback to the SearchSecurity.com news team.