One company's spyware is another's monitoring tool |
 |
By Edward Hurley, SearchSecurity.com News Writer
25 Jun 2004 | SearchWinIT.com |
|
|
This article was originally featured on SearchSecurity.com
Enterprises often take steps to protect against spyware, in much the same way they do against viruses and worms. But some companies also use spyware to monitor employees suspected of illicit behavior.
Spyware is considered malicious code on many fronts, but it can have legitimate uses. It can yield vital forensics used in investigations. When a keystroke-logging program is installed, for example, spyware can determine whether an employee is stealing intellectual property.
Though some enterprises go this route, the percentage of companies actually doing it is low, experts say.
"Installing spyware on your employees' computers is an extreme measure," said Bob Baldwin, a partner with Plus Five Consulting Inc., in Palo Alto, Calif. "There are certain liability issues. It shouldn't be done often."
Among those issues are potential violations of federal law if, for example, a company captures an employee's sensitive personal information, like credit card numbers. Such data could be intercepted if workers are shopping online, and federal law prohibits possession of such information without authorization. Companies also risk exposure of intellectual property and other sensitive data through the use of spyware.
To minimize both kinds of risk, Baldwin recommends that companies that suspect an employee of misdeeds call an outside party to investigate (and install the spyware if need be). Bringing in an investigator protects the company from some liability and helps to make the investigation objective.
Experts also recommend that access to the information gathered by spyware in an investigation flow through proper channels.
"This is definitely not an IT-only issue. IT and/or security people should not be the only people that have access to it -– period," said Kevin Beaver, principal consultant with Principle Logic in Kennesaw, Ga., in a recent e-mail interview. "Employee monitoring is a management-HR-legal issue.
"I've seen IT and security people doing this by themselves -- being the only ones doing the monitoring and owning the data -- and I've yet to see it work effectively."
Yet some people question any internal use of spyware.
"Spyware does little to effectively control the areas of risk [companies] are concerned about," said a software engineer from Texas who asked to remain anonymous. "They should be more concerned about unknown agents spying on their employees and install anti-spyware [software]."
FEEDBACK: Would you consider installing spyware to monitor your employees' behavior?
Send your feedback to the SearchSecurity.com news team.
|
