
Prevent your employees from "going rogue"

There is often a personal crisis trigger that causes an already borderline employee to cross the border. Would intervention prevent information compromise or system loss? Can an employee be helped in a way which prevents an incident?

We’re continuously bombarded by statistics showing insider activities as an organization’s biggest threat.  Vendors ply marketing of insider exploit detection tools and other security products, ostensibly to protect our organizations from their employees.  However, proactive detection and intervention processes to identify potential employee security risks and prevent them from becoming security incidents are usually ignored. 

In this post, I step through behavior characteristics usually present before an employee intentionally causes a security breach.  I use research conducted to assess why convicted spies violated national security protocols including,

Although most of us aren’t protecting national defense secrets, I believe the reasons our employees “go rogue” are very similar to why spies betray our trust.

Why employees decide to do the wrong thing

Most of the employees who I personally found violating security policy were at one time valued employees.  They earned the trust of their peers and their managers.  But in every case, there was a trigger that caused an already borderline employee to cross the border.  Could we have prevented these security incidents?  Would intervention have prevented information compromise or system loss?  Could the employee have been helped in a way that prevented an incident?  The answer to all these questions is maybe.

Dr. Mike Gelles researched convicted spies to understand what made them commit treason.  They had all undergone background investigations, were granted security clearances, and, for a time, performed as expected.  Gelles found three conditions which explained why they betrayed their country: presence of a character weakness, a precipitating crisis, and lack of intervention.

No one trait by itself is typically enough to trigger unwanted behavior.  Rather, it is a collection of conditions and character issues which cause an otherwise reliable person to intentionally compromise security.

[Image: Employee Security Risk Cartoon (from Security and Suitability Issues)]

Character weakness

According to Gelles, a personality or character weakness is “A pattern of behavior that is poorly adapted to the circumstances in which it occurs.”  This behavior, often observable by co-workers, leads to difficulties at work, problems with relationships, and periodic emotional shifts.  The two most common weaknesses observed are anti-social personality and narcissism.

Anti-social in this context does not refer to someone who avoids contact with others.  Rather, it describes a character flaw resulting in rejection of social norms and rules.  Anti-social behavior may lead to a person being unable to develop strong loyalties.

Narcissism results in unwarranted feelings of self-importance.  A person with this character trait is unable to accept failure or criticism.  He or she might accept social rules or norms, but feels he or she is above them. 

A character weakness by itself is usually not enough to cause a person to do the wrong thing. 

Precipitating crisis

Crises come in many forms.  An economic downturn can result in career uncertainty.  Financial problems can apply significant pressure on employees and their families.  Office politics, perception of mistreatment, or a belief that a person is not getting what he or she deserves can also push an employee toward the wrong side of the line dividing acceptable and criminal behavior.

Lack of intervention

Employees about to go rogue often exhibit behavior observable by co-workers.  Examples include (Security and Suitability Issues),

  • Appearing intoxicated at work
  • Sleeping at the desk
  • Unexplained, repeated absences on Monday or Friday
  • Actual or threatened use of force or violence
  • Pattern of disregard for rules and regulations
  • Spouse or child abuse or neglect
  • Attempts to enlist others in illegal or questionable activity
  • Drug abuse
  • Pattern of significant change from past behavior, especially relating to increased nervousness or anxiety, unexplained depression, hyperactivity, decline in performance or work habits, deterioration of personal hygiene, increased friction in relationships with co-workers, isolating oneself by rejecting any social interaction
  • Expression of bizarre thoughts, perceptions, or expectations
  • Pattern of lying and deception of co-workers or supervisors
  • Talk of or attempt to harm oneself
  • Argumentative or insulting behavior toward work associates or family to the extent that this has generated workplace discussion or has disrupted the workplace environment
  • Writing bad checks
  • Failure to make child support payments
  • Attempting to circumvent or defeat security or auditing systems, without prior authorization from the system administrator, other than as part of a legitimate system testing or security research

The problem is that co-workers and managers either don't recognize the signs or are unwilling to get involved.  If employees learn to identify and report predictive behavior, steps can be taken to prevent possible security incidents.    

Preventing rogue behavior

Most organizations have controls in place to detect or prevent unwanted behavior.  But as we know, no control or set of controls is 100 percent effective, especially when the attacker is an authorized user of our information resources.  We also know that prevention is much better than trying to detect, contain, and recover from an incident.  So, how can we prevent employees from doing bad things?

The most effective means of identifying a potential employee security threat is employee education and participation.  Train your employees to look for suspicious or questionable behavior.  Provide a means to report this behavior and allow anonymity.  Employee understanding of danger signals and a willingness to report them is your best insider threat control.

 

[Image: Excessive spending cartoon (from Security and Suitability Issues)]

The paper, People Who Made a Difference, contains several examples of how government employees helped identify security risks, including the following:

A co-worker reported in 1986 that Michael H. Allen was spending excessive time at the photocopier in their office. This report led to investigation by the Naval Investigative Service. A hidden camera was installed near the photocopier in Allen’s office. The resulting videotape showed Allen copying documents and hiding them in his pocket.

Allen was a retired Navy Senior Chief Radioman working at the Cubi Point Naval Air Station in the Philippines. He confessed to passing classified information to Philippine Intelligence in an effort to promote his local business interests. He was found guilty of ten counts of espionage.

It also contains examples of what happens when employees either look the other way or don’t think about what they see.

Army Warrant Officer James W. Hall, III was sentenced to 40 years in prison for spying for both the former East Germany and Soviet Union from 1982 to 1988. He compromised U.S. and NATO plans for the defense of Western Europe. After his arrest, Hall said there were many indicators visible to those around him that he was involved in questionable activity.

Hall sometimes spent up to two hours of his workday reproducing classified documents to provide to the Soviets and East Germans. Concerned that he was not putting in his regular duty time, he consistently worked late to complete his regular assignments. Using his illegal income, Hall paid cash for a brand new Volvo and a new truck. He also made a large down payment on a home and took flying lessons. He is said to have given his military colleagues at least six conflicting stories to explain his lavish life style, but Hall's co-workers never reported any of his unusual activities. After returning from Germany to the U.S., he traveled to Vienna, Austria, to meet with his Soviet handler.

Once an employee is identified as having an issue, and before he or she actually commits a crime, intervention might be the answer.  Encouraging an employee to make use of services, like an Employee Assistance Program, might help him or her get the counseling or other help necessary to deal with personal or family crises.  Often, employees suffering from common psychological conditions, such as depression, receive the help they need.  They gradually find their way back from the brink, you get to keep a valuable member of your workforce, and your information assets remain safe.

The final word

Yes, employees are an organization’s biggest security threat.  But they are also its greatest defense against employees who might cross over to the dark side.  Make sure your employee security awareness training includes information about detecting and reporting suspicious behavior.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

52 comments
minstrelmike

I think the three factors are essentially bogus, especially character weakness. I regard loyalty to a person or a corporation as a character weakness; many people don't, yet the person or corporation can be evil. Enron survived on the loyalty of its employees. OTOH, if you are loyal to an ideal, then you cannot be loyal to evil people. Look up Berrigan and the Pentagon Papers. And if you think that going along with the majority is always best (never exhibit anti-social behavior at all), then slavery would have never been fought in the US. Oh, and that would also mean you think George Washington and Jesus Christ were wrong because they were anti-social. There are good rogues and bad rogues, collectively as companies and individually as people, and you cannot tell them apart easily. I think whoever did this analysis needs to examine what they mean by strength of character because I don't believe Washington, Jesus, and Daniel Berrigan exhibited weakness of character.

Photogenic Memory

Actually it doesn't. It makes a lot of sense. However, after a hard day's work doing other people's jobs for them and reproducing small miracles, this article touched a nerve! Most places don't care about people. They care about the bottom line. They already don't trust and treat employees like a piece of meat for the grinder. Once properly ground up and no longer palatable, you're thrown out with the rest of refuse. There's lots of work environments where everyone is considered "expendable". My point being is that this article just basically states that people are at fault, flawed, and inadequate for the tasks. Maybe I'm internalizing too much because it's the end of my work day. But hostile environments that devalue employees are a contributor that can't be overlooked! Although most times, in my experience, it's promoted from the very top so good luck on changing it. Scary stuff!

mikifinaz1

Don't ever trust anyone and set up your security accordingly. This attitude will prevent these problems.

reisen55

In 2006 I spent eight months in hell at Continuum Health Partners, hospital chain in Manhattan consisting of Roosevelt, St. Lukes and Beth Israel. Their IT operation was outsourced to First Consulting Group and this was the WORST job I have EVER had. Inside of that time, I experienced job dread at the train station. Our IT group was understaffed to start with, over 11,000 systems with Windows XP, 2000 and NT all over the landscape. Virus, Malware and Porn were frequent residents and a GHOST image of a system for restoration would solve these issues for perhaps 2 or 3 days. The end user? Patients, people in beds, wired up and their physicians could not get to their medical data often because systems were so compromised. 30 systems walked out of St. Lukes, stolen. A common usage system in the Roosevelt cafeteria was stolen within 2 hours after I used it. System for the Parson's office at St. Lukes was stolen too. FCG just fudged inventory to cover it all up. A colleague was also conducting a BCP/DR study at the same time and the server areas were a disaster waiting to happen, and that means killing people. Literally. HIPAA violations galore too. My stress level went through the roof and beyond. To this day, this is the one job I was glad I was fired from. FCG was thrown out of NY Presbyterian in 2005 and University of PA health systems in 2007, they have since been bought by Computer Sciences Corp and have more or less vanished.

arjanh

Employees going rogue is the working place equivalent of a person found in his/her house being dead for more than a month. In other words, it's a social problem. Carnegie Mellon/CERT have also been doing studies on this subject. Have a look at www.cert.org/insider_threat/

prosenjit11

These are some traits that the employers should investigate at the time of interviews I suppose, there are some employees/geeks who are very good at work and maybe careless in their personal life due to some circumstances or being betrayed by some rogue people. Basically, there are some backbiters who have the habit of creating mischiefs and try to portray themselves as the more responsible class but are none but with the masks. These guys are the real ones who hack the emails of employees, personal information, tapping the phone network and also the bank accounts. There have been such incidents when such persons have either been arrested or been murdered by certain groups because of their activities.

prosenjit11

PERFECT AND THIS HAPPENS WHEN THE PROMISES MADE BY AN ORGANISATION IN TERMS OF SOCIAL COMMITMENT OR FINANCIAL GAINS ARE NEGATED. FIRST IS THE BREACH BY THE EMPLOYER. WHY IS IT THAT THE CHECKS BOUNCE? WHY IS THE CHILD SUPPORT NOT BEING PAID?

DelphiniumEve

Okay, if I review this from a purely US standpoint, it is up to one's coworkers to possibly raise the red flag. In other constituencies, this is a much more troublesome problem. In certain EU countries, the employees can have stuff on their hardware that cannot be reviewed if it is marked "PERSONAL" or "PRIVATE." We in the US have placed personal rights in the back seat in some cases. I am annoyed because while EAPs should be helpful, my experience has varied greatly. Some companies actually cover a set of visits that can result in decent intervention. In other cases, it is only a referral. If someone is already experiencing financial difficulties, 2 visits is not enough. 6 visits appear to be more beneficial. Also, while EAP use is not supposed to be reported by a specific individual, it frequently does get back to HR. Under many US regs, companies can reverify any part of your credit record or references and evaluate the situation for changes. Most companies do not review their employees in such a manner due to cost. Much like we must re-evaluate our 3rd party providers, employees should also be reviewed in such a manner as situations DO change. I look at the list of behaviors in this article and see just about everyone I work with to some degree. There is so much frustration, piss-poor raises if any at all, and just general insecurity due to the current financial meltdown that almost anyone right now could be a suspect in my organization.

mark.reinertson

This is exactly how corporate America behaves towards its workers! Abusive, creating an environment of fear and anxiety. Laying us off to hire in indentured servitude workers. Sending millions of jobs overseas and wondering why we won't buy anything? WE CAN'T AFFORD IT!!! NO JOBS!!! Constantly acting in an untrustworthy manner. Suddenly getting "bailed out" with 700 BILLION dollars for screwing up again and again and NOT firing the ones responsible, only the ones who were doing their best but dared to speak out against such insanity. HOW ABOUT WE STOP LETTING CORPORATIONS GO ROGUE???

StealthWiFi

Quote from OP "Train your employees to look for suspicious or questionable behavior. Provide a means to report this behavior and allow anonymity." Then after they inform on the malcontents have the ministry of truth send them to re education centers... Wow, why not just provide the employees the friendly environment and support people need and stop treating them as subjects with all your monitoring and mistrust. If someone feels like they are mistrusted they are much more likely to then do something untrustworthy. This may not be a good example but here it goes: How does Google treat their employees? What sort of environment do they work in? Now how many insider data breaches and rouge employees have they had...

StealthWiFi

BoxFiddler and Photogenic Memory looks like you guys are on the right track :) Good to see some people are understanding that how you treat employees does matter, it is not the end all be all solution but it's a start. Cheers,

StealthWiFi

If a user has access to a certain spreadsheet that contains company data that is valuable and part of their job may involve editing, adding, printing, whatever, then you can't lock them out of it so they don't steal it. Their job required them to do things to it that pose a threat. Hey, take your advice. Go take your PC, unplug it, put it in a safe, wrap it in chains, encase it in concrete, add a biometric security device just for Sh*&s, fly it over the ocean and drop it to the deepest part no man has reached in a random way so it can't be found. That will be the absolute most secure PC ever. Cheers,

prosenjit11

Well said, in fact what is the definition of mistrust? Is it that we are transferring information peer to peer on personal grounds OR making a shift to turn down the Business, this is never possible by a single person and history says that there has BEEN A COUP WHERE THE MOST TRUSTED PEOPLE WERE INVOLVED.

reisen55

In my rant about Continuum Health Partners, I indicated that 30 Dell computers were stolen from St. Lukes Hospital. The room on the sixth floor was locked and secure. There are only two groups that have keys to everything. Security and Housekeeping. A stolen purse one day, in the pastor's office mind you, showed up with credit card transactions in a local pharmacy for baby and child care products. That indicated theft by housekeeping personnel. Lockstep with security (who knows what personal favors may have been granted) and you have a very bad situation indeed. St. Lukes was also weird on the upper floors, whole levels were dead empty with mattresses and cans, beer around, so you could hide anything up there forever. Rather frightening too.

TonytheTiger

Do you really have the time to snoop on your coworkers? Sounds like management duties to me.

Timbo Zimbabwe

"How does Google treat their employees?" Depends on how you look at it. They provide a lot to their employees... to keep them at the office working much longer days. "What sort of environment do they work in?" It is like an amusement park with perks. But again, reference answer #1. "Now how many insider data breaches and rouge employees have they had..." Please define. They lose a lot of people because there is apparently no incentive to strive forward in your individual work. These employees leave either because of a lack of personal reward or lack of challenge. So an employee leaving with "company secrets" is nearly as bad as a rogue employee.

cyberdragon666

In this day and age the treatment of employees by their employers is pathetic (in most cases). If the employers took a step back and evaluated what they were actually doing is breeding mistrust I think they would realize that treating your employees as worthwhile contributors and NOT expendable "items" would inherently make employees more faithful and have less tendency to breach security and such.

NickNielsen

The OP is not talking about reporting the usual "the boss sucks" conversations. He's talking about people whose work habits, workplace relationships, or financial situations appear to change drastically. It's not wrong to report new and unusual behavior by fellow employees; it's self-interest. Given the [admittedly rare] violent occurrences, it can even mean personal survival. Hypothetical situation: You notice a fellow employee starts to spend a lot of time at the copier and always leaves work with a bulging briefcase, but doesn't seem to carry as much back in the morning. When you kid him about it, he reacts strongly. A couple months before he leaves, he buys a new vehicle that you know he can't afford at his current pay rate. You blow everything off and forget about it. Soon after that, a competitor releases a new product almost identical to your employer's latest project. Although industrial espionage is suspected, there is no evidence that will stand up in court. Your employer is forced to take an almost finished product to market too early, but can't catch up, and eventually declares Chapter 11. You lose your job. By blowing off your initial observations and not reporting them, have you not contributed to your own unemployment? Afterthought: rouge employees? What kind of rouge? Lip rouge? Jeweler's rouge? Did you mean rogue? ;) Edit: clarify

RU_Trustified

No amount of education can prevent an employee from going off the beam, or becoming vengeful. What if your trusted employee is compromised, by threats to the welfare of his family, addictions, gambling etc? Looking for warning signs is part of defense in depth. Decent treatment of staff may prevent some incidents, and alert co-workers can help too. What if the rogue employee is your CTO or system admin? Who watches the watchers? The same security principles of least privilege, separation of duties and dual key control will help where data is mission-critical or highly sensitive. What has long been missing in security is the authorization component, kicking in post-authentication. Mandatory access controls and multi-level security applied to most valuable data can prevent abuse. Tamper-proof audit logs are a great deterrent, as authorized users may have the privilege to access, but they will know they are hanging themselves if they abuse that privilege.

Forum Surfer

with well defined user groups. If someone needs access to a file from another group they need to request it. If a user has multiple roles, give them access to multiple user groups. If we're not using security to lock people out, let's just dump it all in one big folder and use one user name. It would sure make my backups easier! I say don't trust anyone, especially yourself since we all goof up. And after that rule...document everything! I have stuff in place that monitors what I do just in case I or someone on my staff ever goes over the limit.

StealthWiFi

Sounds like a hospital a friend of mine worked at. Other techs would actually pick up a server, walk to security, tip them some cash and walk out. Management and some of the doctors had so much disgusting stuff on their PCs the techs pretty much blackmailed them into submission. Eventually some new blood was brought in to clean out the riffraff but I hear it hasn't improved overly well. Maybe it's a hospital thing. Cheers,

Forum Surfer

But only when I have a problem that has been narrowed down to an individual or an individual IP. From there it's a machine or user problem. I've also been asked to snoop on work or web browsing habits. But before I do that I ask to have a written and signed request from the head of the snoopee's department. So no, I don't have time to snoop unless it's part of the job or a security risk.

NickNielsen

"...treating your employees as worthwhile contributors and NOT expendable 'items' would inherently make employees more faithful and have less tendency to breach security and such." Your workplace ethics depend on how well you are treated at work? How sad. Remind me to never accept one of your personal checks.

techrepublic

The problem with security is human perception. Take all of us in this forum and survey what we believe being "treated well" equates to and you'll end up with a hodge-podge of answers. One of the points in the original article brings out the fact that one part of this is a character flaw: anti-social tendency or narcissism. People with this character flaw (not always obvious, by the way) will not define "reasonable" the way others would. (No - I'm not suggesting we profile people.) While it is true that a company that treats their employees well is less likely to encounter a security problem from their employees... it's naive to think that everyone is living by the same standard. Companies should most certainly treat their employees well... but what that really means is pretty gray as it's subjective. It depends on past job experiences as well as societal norms which can change from city to city. Security is an unfortunate part of our jobs. While it is management's responsibility to treat employees well, it is in everyone's best interest to report behavior you find suspicious. That's just a fact - calling it Big Brother is just paranoia.

StealthWiFi

"Even the most trusted employee can be compromised " Yes that has been established, there is no one certain way to prevent such things. Some things help others hurt... Cheers,

NickNielsen

"I do have contempt for authority, as all Americans should. I respect where respect is earned and I trust where trust is earned. I will not give myself over to a government or company to rule my life." No argument there. But I repeat, the impression I got from your posts was that this contempt was apparent in your workplace. "If you consider this a negative thing I suggest you move to a more like minded country like Russia." I was just starting to believe you were a thinking man and you posted that sentence. Had I known you couldn't accept a conflicting view without suggesting I move to another country, I wouldn't have wasted my time. end of line_

jcitron

where I work. When the company was much bigger, there was network abuse by most of the employees including management. We had the huge bandwidth not to download and play music and videos, but for moving huge graphic images between imagesetters and servers. The video playing would impact the performance of the network, and then the corporate office would complain about a slow network. I never had the support of my immediate manager when it came to network performance issues unless it impacted his ability to view his stock ticker. When that had a problem, he'd complain and I'd have to do something. After he went on to bigger (not necessarily better) things, I implemented some security policies that made my life easier. First of all I blocked all P2P applications such as BearShare and Limewire. If anyone had downloaded these applications, they were removed from their machines and the files were deleted. I also had people remove any personal photos, movies, and music from the network shares and personal folders. Like you I was tired of backing up stuff that was wasting time and valuable tape space. Second, from a network security standpoint, I also implemented Surf Control to block certain websites from access. At first this caused somewhat of a ruckus amongst a particular group of users, but once they found out from HR that this behavior was inappropriate, they shut up. We ended up having a sexual discrimination meeting at the same time so this was very appropriate with perfect timing. From a security standpoint, I have learned that education plays a big part in its success. It doesn't matter how many firewalls, DM-Zones, or how much antivirus protection is available, the protection is no better if the end-user is not educated as well. If the end-user is treated like an adult, and is educated in what will happen with opening suspicious attachments, emails, etc. then this helps a big part in the security particularly when combined with adequate security policies.
In addition I do agree on treating the employees with respect when they deserve it. Where I work now, the company management treats me with the same level of respect that I treat them. We all work together to keep the company going so we all can get paid in the end. There are unfortunately those employees who will take advantage of any situation no matter how good it is and end up ruining it for everyone else. These are the employees that sadly need the internet monitoring, net filters, and other extreme usage policies in place so that they do their work instead of playing.

Forum Surfer

I question authority at times. But I do respect it as well. I will respect an officer just for the fact of him being an officer. If his or her actions prove questionable, I will question that person. Same with government officials. I have great respect for our president, whoever he or she may be, but that doesn't mean I will agree with that person. Not agreeing with the person in power in any question doesn't mean we should jump the gun and not respect them, IMO. My point is that security is my job. I can't do it without monitoring. Sure the employees should be treated with respect just as I wish to be. But the same security measures can be viewed as necessary or a tactic of a dictator. If you work on my network, I know where you've been and what you did, even if you think you're safe on one of those thumbdrives with a "secure" browser on it. We still know what you did and when you did it should we decide to look into it. That's not a bad thing, it's part of security.

StealthWiFi

I'm not saying things like community watch are bad at all and I also said many times that monitoring tools are necessary for a multitude of reasons. My point is that with most things of power there is a slippery slope involved. The main post was very focused on monitoring and watching users (like in 1984) as the end all be all for security. I counter that with the idea that training, trust, and a good work environment can make just as big if not bigger difference. Pointing out that perhaps severe monitoring can actually cause incidents. I so very agree with you on your gun points, my S&W - M&P 9mm with 2 mags (totaling 52 rounds of protection) never leaves my side. I also agree with your concerns as to congress passing retarded gun control laws that are based on hype and skewed data and agendas rather than facts and are used to hurt the people rather than help them. Much like some security software companies will convince a CEO that his employees are all out to get him and he might as well just give them all his bank accounts unless he wants to subscribe to their flavor of security software. It seems there are already plans in the works to make the Clinton AWB permanent and curb the ability of states to issue CCW permits. My opinion (and it's just that) is the masses of people rushing out to buy weapons while they still can shows that people are willing to protect themselves and prefer not to be controlled by an entity. In the same way I don't want the government taking my rights I do not want my company to stop trusting me to be a good employee. An old saying goes along the lines of, A little trust goes a long ways. This does not mean security measures are not necessary it just means to say as a little trust may go far, a little mistrust can go even farther. The Government doesn't trust you with your guns, next they may not trust you to your speech and other liberties we hold dear.
I have been told here I don't respect authority (and other places in my life) I take that as a compliment. "So that this nation may long endure, I urge you to follow in the hallowed footsteps of the great disobedience of history that freed exiles, founded religions, defeated tyrants, and yes, in the hands of an aroused rabble in arms and a few great men," - Charlton Heston

Forum Surfer

That was an entirely different ballgame. The pd's job is to protect us, and that involves preventing crime. You don't prevent crime by arresting potential suspects for things they have not done. They monitor suspicious activities and take preventative measures. For example groups like GangNet, organizing community watches, placing more police presence where it is needed and other such measures. To take away the right for police to take preventative measures, or take away the ability for a network admin to do his job and monitor traffic based on fears of abuse is a very slippery and dangerous slope we don't want to go down. Suppose we apply that logic to your CCW permit. Many, many liberals want to do away with your right to carry based on irrational fears of criminals carrying concealed weapons. Sound like a good idea now? I too have a concealed carry permit and I have a custom 45 1911 waiting in the parking lot with a very nice, concealable custom holster along with two spare mags. I don't want anyone taking my gun rights based on irrational fears of guns in the wrong hands. Given the background check I had to endure to get my ccw, you will not see career felons running around with permits. But I fear with our current democratically controlled congress/senate we'll see a lot of anti gun lobbyists taking away our rights by preying on people's irrational fears. I foresee a lot of fear mongering tactics just like the outgoing administration used, the difference being that it will come from the other side of the fence and a new set of rights will be the target, my gun rights being one of them. I'm all for gun control and more of it (such as applying current handgun restrictions to long arms), but I fear people will not try to exercise more common sense, instead they'll prey on the masses' fears and use that to take away my rights.

StealthWiFi

I have nothing against cops that do their jobs and do them well. I have a very close friend who is in Academy right now and he is going for the right reasons. Police do help with crime, crime would be insane without police but any sort of Pre-Crime (Minority Report) is way over the line for me. When seconds count, the police are minutes away. I have a Concealed Weapons license in my state and take care of myself and my loved ones, I do not feel it is the Police's job to protect me from a crime, it's my job as an American. The court system has ruled on this many, many times and has proven the police have no duty to protect you (I would cite court cases but they are very graphic in nature), yes it's their job and yes some go way above and beyond and I consider those to be true Heroes. As for your other part of the post it is disgusting to see a criminal sue a police officer who has done nothing wrong, I can only comment on how much I dislike the average lawyer for taking on frivolous cases and wasting taxpayer time, money, and corrupting the system. No it's not all their fault but without lawyers and everyone suing each other over hot coffee and what not this country would start to look like the free place it once did. An example, if an admin puts in web monitoring for the purpose of securing his systems from malware and the like and does so in good faith and a good heart and only uses it as needed, no problem. The next admin might be a power hungry egotistic (a few people who posted on this topic come to mind) who would use it to rule over their employees. The San Francisco fiasco comes to mind. It's a very slippery slope when you can't trust your employees and yes there will always be a bad seed and yes espionage happens but if any of you are admins and therefore hold the proverbial keys to the kingdom you are being trusted with that, you have the ability to abuse that trust and some do.
Do you want a person from HR or management or whatever standing over your shoulder watching your every single move to ensure you are the one who does no harm? No, I presume you expect them to trust you and treat you fairly. If they show mistrust how does that make you feel about them? If they show trust and loyalty how does that change your opinion? Looking at the last part, showing someone kindness and a helping hand will always get you farther than watching their every move. NickNielsen, this is my last piece to you. I do have contempt for authority, as all Americans should. I respect where respect is earned and I trust where trust is earned. I will not give myself over to a government or company to rule my life. If you consider this a negative thing I suggest you move to a more like minded country like Russia. And try reading the posts, people were talking about monitoring, firewalls, and the like. Cheers,

Forum Surfer

I typically place a courtesy phone call to anyone abusing minor things, like a couple of gigs of music on a network drive. But if you're storing your significant other's naked pics, storing 30 gigs worth of DVD's or using the FTP site to upload your bachelor party pics you deserve to be reported. If nothing else I'm looking at serious trouble for myself if I look the other way. Yes, I've seen all of these things. I'm sure the accountant up the hall didn't approve of the saving and sharing of her camera phone pictures in the nude. Admittedly I had dated her previously and knew who the pic was even without her face being in the pic, but I kept that little tidbit to myself. One picture I might not have said anything about, but the guy had a medium sized porn collection. :)

Forum Surfer

I assumed your position was against network monitoring. If I was wrong about that I'm sorry. It's one of those you're either onboard or not situations. Any network/web monitoring tools will give you the ability to track usage down to the end user. It's there for security, not big brother monitoring. But I still disagree about cops being there for cleanup. I have many friends and family members in law enforcement and that is certainly not the case. They are constantly trying to make their presence in the street more available in areas that need them as a deterrent. Organizations like GangNet and the like only prove that. http://www.sra.com/gangnet/ Good cops help prevent crimes. They protect and serve. A lot of law enforcement these days is fed up with being hampered by fears of lawsuits and abuse of our legal system. A good friend of mine, now retired law enforcement, is facing a lawsuit from a gentleman that was evading arrest. After being tasered, handcuffed and leg shackled he came to as he was being put in the car. The guy attempted to run not realizing he was shackled and fell flat on his face on a curb, resulting in a shattered cheek bone. His case against the city was thrown out, but he is still able to sue the officer as an individual. This is one of many such cases, especially in officer involved shootings. After being exposed to the legal system I see far more people sticking up for felons than people helping out the people who are helping us day in and day out for chump change. To sum it up, cops do stop crime as part of their job. It's disrespectful to assume they are there for cleanup since they do what they do out of love of service and most definitely not for their meager salaries.

NickNielsen

The initial point of the article was that it pays to pay attention in the workplace because your co-workers' actions can have a direct effect on your employer's ability to keep you employed. By titling your first post 1984, you made clear your personal feelings on any kind of workplace monitoring and surveillance. Since then, the wording in your posts has indicated that you hold not only management, but any kind of authority, in contempt and consider it all to be Big Brother. Yes, you have conceded that network monitoring and firewalls are needed, but nobody was arguing that point. You have harped on employers treating their employees with respect; nobody was arguing that point. To close, I would like to thank you on behalf of the radicals: myself, Forum Surfer, Locrian_Lyric, Timbo Zimbabwe, Dr_Dij, and even ProperName. It's not often so many are insulted so little by even less. edit: spelling

StealthWiFi

Wow ProperName you're really grasping at straws there. No people don't need to re-learn everything, chances are no one has taken the time to sit down with them and explain it in the first place. No re-learning involved. "Next you're going to tell us that the employee with the sob-story about not having a computer at home, needs to send pics to family..." No this is not acceptable behavior at work, WTF... I did read the article, why do you think I made the first post. If you can't understand what the Golden Rule means it's you that needs the reeducation. Just because you are treated poorly does not mean you act in kind, it means you still treat them how you would WANT to be treated, and seriously do you have the IQ of a house plant or what... I don't know can you say narcissistic, sure doesn't seem like you can comprehend rational thought. As for me leaving my position, I never stated that I am not happy at my job anywhere, no idea what you're getting at I am actually very happy at my current position. "Since when is it a company responsibility to train employees to be ethical" Since they started bit(*&ng about data breaches and buying into the throw money at it solutions. Also schools that would rather not tell little Jimmy he got a D and instead give everyone C's to "even" out the scores and not hurt little Jimmy's self esteem (no this is not a real example, it is an exaggeration to make a point) I see you gentlemen are the radicals in this area, I have conceded and agreed that some monitoring is necessary even if only to watch for bottlenecks in the lines and such, yet you still make fain attempts to misinterpret my posts to make me look like some sort of hippy or something, yet you continually fail. I have said my piece and you yours, I have attempted to plainly show you my side yet you continue to bear a closed mind and attempt to lead this in the direction of radicalism. I believe I have said all I can without wasting my time on deaf ears.
I sincerely hope one day you will grow to a level of adult maturity where you can discuss such matters rationally without resorting to radicalism. Good day to you and good luck, with your attitudes you will certainly need it.

ProperName

Treat them like kids in grade school. "Explain to them that you have limited space and bandwidth and how that negatively affects clients and the company." Aren't you just kind of saying that these people need to re-learn everything from the ground up? Next you're going to tell us that the employee with the sob-story about not having a computer at home, needs to send pics to family, friends, and whomever else and should be allowed to do so. Don't you think that they do? Since when is it a company responsibility to train employees to be ethical? Hell my ethics came with me while I grew up through childhood, into teen years and they are still with me today. Like Nick said above, if you aren't happy, leave...., but why take down the company with you? Besides, the article (if you read it all) gives that very argument. Create a policy and system to allow employees to share information about what their colleagues' behaviour has become. Allow them to do so anonymously. Who's to say that it won't be senior management being observed. Keep in mind that everyone from the CEO down is just an employee. Yes, micromanagement is bad. So is breaching security 'cause you are pissed at the company. And this means what? "**** will always happen, that's life. Grow up, treat people nicely and remember the Gold Rule from kindergarten: Treat others how you would like to be treated." What are you saying? When you leave the company, breach security, 'cause the company treated you like shit, so you responded accordingly? Wow!!! Your rule only applies to everyone else....., can we say narcissistic?

StealthWiFi

Thank you for proving my point. Cheers,

NickNielsen

You concede the need for security, but refer to that need as Orwellian? If that wasn't so scary, it would be hilarious.

StealthWiFi

Ok Forum Surfer, NickNielsen and Timbo Zimbabwe this is getting ridiculous. I stated the Police can not arrest you for not doing a crime, not that they can't investigate or any other such blather. You can over analyze anything you want to draw out your own meaning and it only shows your immaturity to back up your case with facts and sound logic. As for the SIS types being a necessary evil, I consider no evil necessary. I have worked in good and bad companies, the difference is mainly the environment. Even with summing it up you still don't get it. I did not say stop monitoring or using security equipment I merely stated treating the employee well and helping them understand security concerns and how it will affect everyone along with other things will get farther than an Orwellian outlook that you seem to stick to. I am open to monitoring tools and do consider some of them necessary. What does your job status have to do with your personality? You make no sense. You would all do well in politics, unable to comprehend rational thinking and trust and twisting it into a need for more spending. Wow, good luck gentlemen. Cheers,

Timbo Zimbabwe

"If you look like you are about to commit a crime they can not arrest you" No, but they can detain you, question you, and check your story. They don't *need* to arrest you to investigate potentially criminal activity. To say that because you weren't *caught* breaking the law they can't do anything about it is ludicrous at best. As employees, we don't *need* to actually catch you stealing company secrets to investigate whether you are/did or not. Checking out what files you've downloaded, network shares you've visited, times that you have logged into the network, etc, can be done without any reason at all and will be done if you exhibit "questionable" behavior. that is a fact of life so get over it.

Timbo Zimbabwe

"If you constantly watch your employees and show distrust they will prove themselves to be distrustworthy." I disagree. Most people that I have discussed this issue with in the past see it as keeping the honest people honest and nothing more. I don't think anyone is suggesting spying per se, just be aware of what's going on around you. As an employee, you are just as culpable for the company's health as your boss is.

NickNielsen

"Cops don't stop crime, that is not their job, they are there for cleanup." One of the missions of law enforcement is crime prevention, usually through visibility or community outreach. Ever see a police cruiser in your neighborhood? Remember the D.A.R.E. program? "...most of you appear to be on a power trip kicking and screaming about losing your grip on the employees." Faulty logic. Just because we can see management's side doesn't mean we're management. Two of us are support techs and one is unemployed. I don't have any direct reports and I seriously doubt the unemployed peer has any either. "Do you want some power hungry SOB watching your every move constantly waiting to jump on any little mistake you make instead of helping teach you the proper way to do things?" If you have only ever worked at companies with "some power hungry SOB watching your every move constantly waiting to jump on any little mistake you make instead of helping teach you the proper way to do things", you have really had some hard luck in your employment. On the other hand, the impression I get from your posts is that you think all managers are sitting in their offices, twirling their Dick Dastardly mustaches, just waiting for the opportunity to treat you like crap. How is that any less paranoid than the manager who treats you like crap because he doesn't trust you to do your job if he's not riding your butt? Has it occurred to you that your manager may treat you like crap because you *expect* to be treated like crap? You want to be treated with respect, treat your manager the same way. The sword cuts both ways.

Forum Surfer

We need web and network monitoring. It's an essential tool in network security. How can you know what's going on on your network without seeing where all the traffic is going? It's one part of a well rounded tool kit. The monitoring system you choose has a primary role, see what goes where. With a large WAN running a huge pipe it is naive to trust everything to work properly and not have monitoring tools in place just based on an irrational fear that we're watching our employee's every move. Would you rather we trust all this multi million dollars worth of equipment to just work right? Network equipment fails, ports flap, a bad NIC starts spewing traffic constantly and countless other day to day network problems pop up that you have no idea are happening. Left unchecked these things can cause problems like losing links or making spanning tree rebuild itself constantly and can bring a WAN to its knees or completely down. Without these tools we couldn't track down these problems on a large network, it would be an impossible task without monitoring. It just so happens occasionally we catch an employee doing something stupid, which is not my fault. IMO that is hardly "lording over employees." No one is power hungry, we're just doing our job. We have a firm network policy in place that explains why you should and shouldn't do certain things and basic security tips. Everyone gets a copy and a class on it in orientation given by an IT staff member. Most people snooze through it and have that "why do I have to listen to this bs" look. So we do attempt to educate as they walk in the door. And you're wrong about cops not being able to prevent crime. The SIS, Special Investigation Squad in LA was started to tail violent repeat felons, mostly gang related that are suspected to commit further violent crimes. Now police organizations across the country have units modeled after SIS. In my opinion it's a necessary evil and something that should have happened long ago.

Refurbished

Both sides have a point. A company that treats its employees well is more apt to retain ethical employees that will do a good job for the company. However, any company can have a rogue employee whose actions are inspired by something outside the company's control. Also, some security violations may be out of ignorance or thoughtlessness. An unofficial warning may be all that is needed to stop it.

StealthWiFi

Cops don't stop crime, that is not their job, they are there for cleanup. If you look like you are about to commit a crime they can not arrest you, only if you actually do something. Wake up and realize you need to be responsible for yourself. I did not write to do away with security, my points are that you will negate the majority of your risk by treating your employees well and making them feel as part of the team. There is still corporate espionage and accidents but most of you appear to be on a power trip kicking and screaming about losing your grip on the employees. Grow up and drop the ego. Either that or go get a job as a mall rent-a-cop you can intimidate the hell out of all the kids you want. Any who, bottom line for those who don't get it. Instead of treating your company like a police state, inform employees and train them on why it's bad to do certain things (don't demean them). Create a team environment and show them trust and respect and you will negate much of your problems. Explain to them that you have limited space and bandwidth and how that negatively affects clients and the company. Make them feel as if what they do really matters and they have a say albeit only to voice their opinion sometimes and you will see a world of difference. Will those guidelines fix all your problems, no you my friend are the naive one to think there is one fix for such things. Shit will always happen, that's life. Grow up, treat people nicely and remember the Gold Rule from kindergarten: Treat others how you would like to be treated. Do you want some power hungry SOB watching your every move constantly waiting to jump on any little mistake you make instead of helping teach you the proper way to do things? That's how your employees probably view you. None of this means take down your firewalls, unlock your offices and leave your wallet on the table, as I'm sure that's how Dr Dij would want to twist it.
There are still people in this world who would like to cause your company harm, pissed off employees and such but lording over employees causes more problems than it fixes. Cheers,

Locrian_Lyric

I would advise all to keep a good ethical standard. If your company treats you like scum, find one that doesn't. By the same token, if you are an employer, do not treat your employees like scum. The good ones will leave, some of the rest will just crank out the bare minimum and some will seek revenge.

Locrian_Lyric

It is no coincidence that companies that treat their employees as criminals wind up with criminal employees. It's not right but people do live up to, or down to, the standards you set for them. If you treat your employees like scum, they will act like scum. If you treat your employees like gold, you get gold.

Dr Dij

is how that sounds. You sound like the kind of person who would say "we don't need anti-virus software as we'll just ask the employees not to click on anything bad" or "we don't need web use monitoring as we can trust them not to visit porn sites filled with malware" I think we should do away with police as they irritate people to commit crimes because they are being watched. Just think how many crimes would not be committed if we followed your policy and did away with police and security guards! I'm sure everyone would just glow in the new age paradise / 1000 years of peace / sharia that would instantly evolve! I'm sure it would not become a 'mohawks and sand' madmax economy. Wow, you're brilliant

NickNielsen

Employers should treat their employees with respect. But regardless of how they are treated, employees should always remain ethical. From your OP, I got the impression you feel that anything remotely resembling workplace vigilance is equivalent to ratting out a co-worker in the gulag. Then cyberdragon came along to essentially say that employers reap what they sow, giving me the impression he feels it's OK to retaliate if your employer is treating you like sh|t. Neither of you may actually feel that way, but that was the impression I got from your posts. Nope. Never was a hall monitor. But I have a defined moral code and strong personal ethics. No matter how poor my morale in any of my jobs, I never considered doing anything to harm my employer. edit: grammar

Forum Surfer

I monitor and restrict web traffic and bandwidth. I monitor network traffic. I do this first and foremost to keep security up and watch for network utilization integrity. I can't tell you how many times this has proven helpful from a security standpoint. A by-product is the ability to do big brother style monitoring, which a lot of people view as overly invasive. I have caught several people uploading their iTunes libraries or mp3 collections to my servers. This causes a problem with incremental backups and storage. That is a terrible waste of someone else's time and money. I typically notify these people personally as a favor. If their stuff is gone within a couple of days, fine...if not I notify their supervisor. But now if you're housing 20 gigs of illegal movies you won't get a complimentary warning! If someone is burning up the bandwidth all day, every day watching webcasts I highly doubt he or she is being efficient at their job. I'm constantly running across people abusing our generous ftp connection sending wedding/party/birthday pics and movies to their cousin's uncle's mother on the opposite coast. Is it hurting anyone? Yes, as a matter of fact it is. We are sometimes transferring ridiculously large GIS files back and forth between customers, so everyone needs to quit using my pipe for their own personal, non work related business! I understand the mistrust of management brought on by micro management, but some big brother type operations are necessary for everyone's security and benefit.

StealthWiFi

You sign on to the mindless raggle your employer throws at you and fall in line with them. I would even go so far to say that you were the Hall Monitor in school. Just kidding. What I meant in my post is not that you should just turn a blind eye but that if employers valued and treated their employees much better and less like cattle locked in cubes then this whole thing wouldn't even be a problem. I don't know where you got your basis from but all I'm saying is that if you treat each employee well and they have high morale they will not sell secrets or other such things to the company since they would have a vested interest and don't feel mistrusted. If you constantly watch your employees and show distrust they will prove themselves to be distrustworthy. If you are honest and provide a friendly nice working environment with the least amount of politics and reward good results and work through the bad they may just surprise you. Keep morale high and make everyone feel as part of the team. Fear and war mongering from management do nothing but build mistrust and rot your company from the inside. Cheers,
