Monthly Archives: April 2013

European Security Blogger Awards – Voting Time! (Get yours in before Sunday 21st April)

We are delighted to have been nominated in the following categories:

  • Best Corporate Security Blog (our Security for UK Legals blog has also been nominated in this category)
  • Most Entertaining Blog
  • Most Educational Blog
  • Best New Security Blog (For our School Security Blog)
  • And the Grand Prix for Best Overall Security Blog

You can vote for your choice here. https://www.surveymonkey.com/s/EUSecurityBloggerAwards

Winners will be announced during Infosec, at the Security Bloggers Meet-Up (http://securitybloggersmeetup.eventbrite.ie/). Watch this space for news.



Advent IM at INFOSEC Europe and Counter Terror Expo 2013


Mike Gillespie – Advent IM MD, newly elected Director for The Security Institute, is speaking at CTX

It is that time of year again and the great and good of the world of security will be gathering in our nation’s capital for two of our industry’s key events. This year is an exciting one for Advent IM, as our Director Mike Gillespie will be speaking at Counter Terror Expo. More on that further on.


Advent IM will be around at both events and if you are hoping to meet up there are a couple of options. If you are at Infosec on the 23rd (day 1), we will be represented on the Malvern Cyber Security Cluster stand, K84, as we are a member of this group. Or you can tweet us at @Advent_IM using the hashtag #AdventInfosec and arrange a meet-up.

If you are attending Counter Terror Expo, you may be interested to know that Mike will be speaking at the Cyber Security and Electronic Terrorism Conference on the 24th at 9.30am. His subject will be The Cyber Threat to the Built Estate. Click here for details. If you want to meet up with one of the team, tweet us at @Advent_IM using the hashtag #AdventCTX.

If you are a security blogger, you might be interested in the Security Bloggers Meet-Up on the evening of 23rd April. You can sign up here, and don’t forget you can also vote for your favourite security blogs. The results will be revealed at the Meet-Up.

If you are a member of The Security Institute, you will also be able to find us at the reception on the evening of the 24th. Again, if you want to arrange to meet up via Twitter, tweet us at @Advent_IM using the hashtag #AdventSyI.

We look forward to meeting you and hope you enjoy these events.


Effective Employee Monitoring or Snooping?


CCTV? Phone monitoring? Email monitoring? Vehicle tracking? All of it generates personal data that falls within the Data Protection Act 1998.

Originally published in HR Zone (http://www.hrzone.co.uk), April 2013

Monitoring employees for potential disciplinary reasons is a standard part of the HR role. However, a lack of awareness of how to do this within ICO guidelines and Data Protection best practice could end up in a costly tribunal for employers.

Do you monitor your employees? At a recent Employment Law Seminar (1), I asked that question and hardly any hands went up. So I asked if anyone used CCTV, indoors or outdoors. I asked if their vehicles had trackers on them and, if they did, whether the vehicles were allowed for personal use. If they were allowed for personal use, was the tracking switched off outside of business hours? I asked if internet use was monitored or restricted. Lastly, I asked if they monitored phone or email use. I pointed out that even something installed for the safety and security of employees, like CCTV, is in fact monitoring them, and the images could potentially form part of a disciplinary case if required. Then I asked again if anyone monitored their employees, and virtually everyone raised their hand.

OK, so there were some areas of monitoring employers might not have realised they were doing, because they had not actively instigated them with a view to disciplining employees. There are other areas of monitoring that are started for clear improvement or disciplinary reasons. It might be an employee using company email for more than the occasional personal purpose, an employee constantly online shopping or browsing porn in work hours on a work computer, or an accusation of physical intimidation of one employee by another. These are example scenarios that might require a business to start surveillance on its employees. However, before swinging into action a business needs to be absolutely certain how to proceed, or there may be unintended consequences for the business. These unintended consequences could prove costly, not only financially but reputationally.

Certain things need to be in place before effective surveillance can take place. Robust policy is obviously the first place to start. For instance, if employees are allowed to use laptops for personal use and an employee uses one to view porn outside of work hours, have they contravened the policy? Was the policy absolutely crystal clear as to whether or not this would be a disciplinary offence? Do they understand it? The other part of the equation is the policy on monitoring. Are both employers and employees clear on the policy and procedures around monitoring? If you are going to monitor them, you have to be certain of your grounds for doing so. You also cannot simply blanket monitor all employees. Covert monitoring is reserved for exceptional cases: the ICO’s Employment Practices Code allows it only where there are grounds to suspect criminal activity or equivalent malpractice, and only with senior management authorisation. Your intention and objectives must be clear and consistent. You must be able to explain to employees:
• Why you are monitoring
• What the process is
• What you are monitoring – systems, applications, hardware etc.
• When you will be monitoring
• Who will be responsible for monitoring
• Who will have access to the data generated by the monitoring
• How that resulting data will be held, managed and eventually destroyed
It is vital that the last four points are not overlooked. In our IT-driven environment, it frequently falls to IT to roll out the software to carry out monitoring or surveillance. This may be the most practicable way to initiate the monitoring process, but is it appropriate for IT to have access to the resulting data? Any data resulting from surveillance is sensitive, and so employees have every right to expect it to be treated with the same duty of care as their other sensitive or personal information. The data generated from monitoring is covered by the Data Protection Act (1998), so a clear understanding of who can access it, when they can access it and when it should be destroyed is vital. Remember, employees have every right to request the data employers hold on them (through a Subject Access Request, and this includes CCTV images) and to object to its retention if retention is not appropriate and in accordance with the Act and local policy. The Act gives data subjects these rights regardless of who holds the data; being the employer confers no special ownership of it.

Interestingly, a recent survey (3) on insider fraud indicated CCTV surveillance as a new monitoring measure being enabled by businesses specifically to combat fraud by employees and not, as has traditionally been the case, to ensure their safety and security.

Emails and browser histories are fairly obvious data generators, as is call monitoring. It is worth noting that this kind of information is possibly best routed directly to HR, rather than monitored by IT. Serious misconduct such as viewing child pornography could be inadvertently compounded if it is handled by someone unaware of the law around such matters. In a case like that, a well-meaning person who accesses whatever images had been viewed or downloaded and saves or downloads them as proof would perhaps not realise that every time they are viewed or downloaded it is an offence…

So making sure that employees know, understand (and confirm they understand) the relevant policies relating to their conduct is the start. Ensuring they know, understand (and confirm they understand) the employee monitoring policy is the next stage and, presuming the policy is fit for purpose, monitoring can commence. Employers need to be absolutely certain they are conducting monitoring in accordance with the ICO guidelines and within the Data Protection Act (1998). A simple guide exists on the ICO website (2), which is a good place to start.

Clarity, openness and best practice, the cornerstones of good business, are also the bywords for effective employee monitoring, and they help keep a business out of Employment Tribunals.

_________________________________________________________________________

1. Waldrons Solicitors Breakfast Seminar, Employment Law. Available on Slideshare: http://www.slideshare.net/Advent_IM_Security
2. ICO, Quick Guide to the Employment Practices Code: http://www.ico.gov.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Practical_application/quick_guide_to_the_employment_practices_code.ashx
3. Ponemon Institute, The Risk of Insider Fraud: Second Annual Study.

Scribd, “world’s largest online library,” admits to network intrusion, password breach