CyberSecurity Institute

But now employers are going further than ever, thanks to technology that can capture e-mail and instant messaging conversations, or record a worker’s every keystroke. Websense, a maker of Internet monitoring tools, has seen its stock price nearly double in the last year, though it saw some gains erased late last week. Other top players in the market include SurfControl and Secure Computing.

“I think all these companies are seeing great demand,” said Katherine Egbert, an analyst with Jefferies & Co. “Lately, regulatory compliance issues, and deadlines for meeting those regulations, have been driving sales.” The regulatory factors include financial reporting rules under the Sarbanes-Oxley Act and health care privacy mandates set forth in the Health Insurance Portability and Accountability Act, also known as HIPAA. Liability concerns regarding employee e-mails and IMs are also on the rise, as lawyers increasingly turn to computer records as evidence in sexual harassment suits and other legal actions involving the workplace.

Even tech luminaries, such as Microsoft Chairman Bill Gates, have used corporate networks to send e-mail that proved embarrassing in court.

“Productivity is a concern; loss of confidential information is still a concern; security breaches are a concern. Employers are afraid of being sued,” said Nancy Flynn, executive director of the ePolicy Institute, which, together with the American Management Association (AMA), recently published a survey on e-mail and IM surveillance in the workplace. “In almost every workplace lawsuit being filed today, e-mail is being subpoenaed as evidence,” Flynn said.

“IM will soon be subpoenaed on a regular basis as well.”

Aiming at IM According to the ePolicy-AMA survey, 60 percent of U.S. companies now use software to monitor incoming and outgoing external e-mail, while 27 percent of employers use software to track internal e-mail between employees. By contrast, employers have been relatively slow to monitor instant messaging, with just 10 percent of companies surveyed indicating they have taken steps to listen in on desktop chat. “Employers think IM is an emerging technology and they don’t have to monitor it yet,” Flynn said. “But if they have employees in their 20s, chances are (those employees) probably have been using IM since high school and view it as old technology.

And if a company doesn’t provide enterprise IM, (workers will) probably go out on the Internet and download a free version.”

IM giants America Online and Yahoo launched plans two years ago to offer corporate versions of their IM products, promising better security, along with regulatory compliance features not found in their free versions. Both have since scaled back those plans, but other companies have stepped in to fill the void, including industry titans such as Sun Microsystems and IBM, which are embedding their own IM products into their existing applications, and smaller companies such as IMLogic, FaceTime Communications and Akonix.

“Industry estimates say that by the end of 2005, IM in the workplace will surpass e-mail in the workplace,” Flynn said. “IM is coming on fast, and given that, employers need to take the necessary steps now with their policies and monitoring software.”

Monitoring software downloads is a top issue as well, industry observers and legal experts say.

In 2002, an Arizona company paid $1 million to settle a lawsuit with the recording industry that charged copyright violations involving MP3s stored on the company’s computer systems.

Customers such as PepsiCo and Ford Motor use Websense software to track and report employee Internet usage, block access to some Web pages, and set temporary access windows that limit the times some sites are available. Many corporations have adopted policies banning file-swapping software in the office and installed network traffic management software to track down potential violators.

Despite hot prospects, the industry has not seen a flood of new players. Instead, it has seen a rise in consolidation, particularly this year, Jeffries analyst Egbert said. Among recent deals, Blue Coat purchased Cerberian, CyberGuard acquired Webwasher, and Internet Security Systems bought Cobion.

Courts have generally found that employers have the right to monitor equipment that they own on their premises, including telephones and computer systems. Nevertheless, laws surrounding the monitoring of employees’ electronic communications are not as cut-and-dried as they appear, legal experts say. The law, on the face of it, looks like it’s illegal. But the courts have ruled that viewing stored e-mail is not considered a violation of the wiretap laws,” said attorney Philip Gordon, chairman of the privacy practice group for law firm Littler Mendelson. In one U.S. Court of Appeals case, the court further detailed how it is only considered a violation of the Wiretap Act if an e-mail is intercepted while it is traveling through the network pipe and is between two points.

http://news.zdnet.com/2100-1040_22-5423220.html?part=rss&tag=feed&subj=zdnet

The poll of IT network and security administrators in SMEs to determine how they persuade management to change security practice found that almost half of respondents admit to advocating the fear factor. Many respondents indicated that they have to present worst case scenarios involving confidentiality breaches, lost customers or liability charges to justify investments in information security technology.

The use of scare tactics may be prompted by the fact that, according to additional findings from the poll, more than one in four (29 per cent) network administrators claim that senior management rarely, or never, change standard practices in response to security recommendations alone.

However, an encouraging 30 per cent indicated that rational facts, including cost-based analysis, productivity statistics and industry articles, are sufficient to prompt a reaction.

Additionally, 51 per cent of respondents reported that senior management implement changes to security practices based on their recommendations most or all of the time.

“This survey shows that SMEs can vary greatly in their approach to security. Despite high profile attacks and regulatory pressure, a strong security-conscious culture is still not second nature to all organisations,” said Mark Stevens, chief strategy officer at WatchGuard. “While many organisations treat security as a priority from the top down, and are very proactive in their approach, others require more persuasion to implement and update secure practices. To protect against the threat of attack, executive sponsorship is critical. Organisations need to adopt an approach that incorporates not only technology solutions, but ongoing user education as well as development and enforcement of security policies.”

http://www.vnunet.com/news/1158895