Striking a balance: Employees in social media and corporate cyber security

Trust, Facebook, privacy, hacker breaches, and employee access to monitoring reports were all hot topics in a discussion between social media expert Angelo Fernando and Safetica's CTO Pavel Krátký and Business Development Manager Marwan Chanawani in the Daily FT, a leading business paper in Sri Lanka.

Their discussion was part of the Safetica launch in this country.  Below is an edited version of the article:

Angelo: In the year we are in, where there is so much about information intelligence leaks and privacy issues of government and society how does this fall in to the ‘productivity’ side of things?

Pavel: There are sources today that monitor social activity or Facebook activity, etc., usually going very deep. That means they monitor specific things, like the content of the message sent. What Safetica does is, kind of at a higher level. We do not go too deep in to the privacy of the employee. We monitor specific times he spends on Facebook, his interaction, finding out the actual time he spent there. So from a productivity point of view we usually proceed in a way that we give the employee some time to visit Facebook, Twitter or games or whatever, during work time, but only for a limited time.

We can also find out whether that active time spent on social media has crossed the line. There could be a company policy that would say that it should be for one hour a day. So Safetica counts the active time spent and alert the managers if it crosses the line.

Angelo: In my book (‘Chat Republic’), I talk about how companies should upgrade to a more collaborative, trusting corporate culture, using Web 2.0 tools ... So how can Safetica create trust in an organization rather than suspicion?

Marwan: Well it’s simple. It gives employees access. Some of our customers take productivity monitoring in a different manner. It’s not [just] the managers who evaluate the data. It’s both the employees and the mangers.

Angelo: So the employees get to see the data? That’s interesting!

Marwan: Yes, it is transparent; employees can see their own data. They can see what they have done in the past week.  It can make you think about how you spend your work time, which makes it more effective. With this type of approach in monitoring I think we can build up trust. When your boss is monitoring you and when you know nothing about the software, the trust usually breaks.

Pavel:   Trust is to do with human relations. Every powerful tool is only as good as how you want to use it. So if some people can have some self-criticism, that’s the time you can pull data out of the system which will tell you very quickly if the person had spent his time productively during the last three weeks or not.  This gives the business owner the information he needs at the end of the day. Do you want to really pay people who have not put in their share of work?

Angelo: Let’s talk about leaks. What is there to stop an employee from crossing the line; does the software monitor every data stream on email, etc.?

Pavel: Usually you have the DLP software which only prevents data leakages the moment it happens. Safetica connects monitoring with file activity. That means you can see that someone is uploading files, copying files or someone is opening or accessing a lot of files, which would be unusual. So you can monitor file activity. The traffic of the user could be a sign of a data breach. Safetica even alerts of suspicious activity, measured by the number of copies being uploaded.How Safetica works is that it is like a sand box, which doesn’t need the support of specific network protocol or specific device. You take data and you say that you want this data to be in one place, for instance to stay in a work station or in a file server and that you cannot bring it out or upload it, or you cannot copy paste it or you cannot even screen capture it… so the system basically covers the data from all the different points, even the printouts and flash disks everything.

Angelo: If I want to, for example, even for benign purposes, to print out a PDF and take it home to read, will it prevent me from doing that?

Pavel: If the PDF is in a file that is prohibited for printing, then it will be prohibited. 97% of the breaches are unintentional. People just think that they need to work from home and I will send the file over there but on the way the file can get lost. I think there is a conflict between security and availability. You cannot have both at the same time; if you chose security you lose availability. There needs to be a balance between them.

The complete article is online and definitely worth reading.