Stephanie Asher: On work equipment, there is no such thing as a private conversation
August 16, 2017 12:00am
If I’m in a job that provides me with a phone or pays my phone bills, do I own my conversations or do they belong to the employer?
The answer was abundantly clear last week when political conversations ended up on the front page of the newspaper.
I won’t stray into details about the allegations, but a headline that affords the opportunity to use the words mobster and lobster proved irresistible to Melbourne’s metro media.
It was a clear and dramatic example of the “front page test” that we often used to raise awareness about information security when I was working in the IT department at GE Money a decade ago.
Most people shudder quietly at the thought of some of their phone calls being transcribed and publicised.
I know my first thought is always, “There, but for the grace of God, go I.”
Mum always used to say, “If you can’t say anything nice don’t say anything at all.” And while I definitely struggle to keep my opinions to myself at times — and I don’t believe we have to be “nice” if it means compromising our values — the gist is a good one.
When we use a computer or email system provided by an employer, the reality is that the employer owns the equipment and the content on it.
It also means the employer can examine the usage and the information on that equipment, and study the behaviour of the user.
So, yes, they can read your emails and listen to your phone calls. That is part of the package we subscribe to when signing an employment contract, and it is usually spelled out in the acceptable-use policy we sign on day one.
If you wish your activities to remain unscrutinised it means using your own phone, your own machine and paying your own bills.
The lobster link provided the perfect opener last week when my consultancy hosted a boardroom lunch with special guests Secmon1.
The topic was information security and data analytics, with the intent to share the latest techniques and some case study examples with the HR and IT heads of local organisations.
Our presenters were both former detectives with Victoria Police who had moved into the corporate world to focus on electronic crime.
Having worked with one of the co-founders at GE, I knew they had interesting stories to share. Catching baddies always makes for fun discussions.
But people working in financial services or health, or in the education sector, or our government organisations, don’t fit the stereotype for cybercrime baddies.
And, in fact, it’s most likely Joan in the legal department or John in the call centre that will cause some trouble for business.
People can reach a tipping point through something as simple as a failed promotion.
The Secmon1 team borrows the term “kill chain” from intrusion analysis, where it describes the stages of an attack, to describe such escalating behaviour: an employee may start by removing the odd file or straying into areas of the system that are not relevant to their role, but can end with major fraud.
The goal is early detection and early prevention — getting in at the start of the kill chain.
It turns out humans are quite predictable. Perhaps a major divestment is announced or a redundancy program — sorry, I mean an organisational restructure.
At this point, people tend to start moving files to places they probably shouldn’t.
Similarly, if there is valuable or sensitive information to convey, people may use their phone rather than putting it in writing, forgetting that conversations don’t disappear. They can turn up in the newspaper as a transcription.
When an organisation calls on Secmon1, the first step is to monitor activity. This could mean monitoring new employees or those deemed high risk of posing an “insider threat”.
The team aims to disrupt any unwelcome activity, whether that relates to particular people or the movement of high value data.
If they find anomalies, timeliness is critical. Action taken early in the kill chain is most likely a conversation between employee and the HR department.
Perhaps Bob from accounts has found his way into the restricted HR data and snooped around the salary information.
The boss or HR representative can simply say to Bob the next day that his behaviour has been noticed and that he is required to follow the organisation’s classification protocols. Or whatever it is HR people say. Bob would typically not repeat that behaviour once he realises that his covert activity on company systems is far from invisible, even from the workstation behind the pot plant.
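To make the two early kill-chain signals described above concrete (files moved where they should not go after a restructure is announced, and Bob from accounts wandering into HR salary data), here is an added example of the kind of detection logic a monitoring team would run over file-access logs. It is illustrative code written for this page, not Secmon1’s tooling; the log format, the department-to-folder policy map, the user names and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format assumed for this example:
# ISO timestamp, user, department, action, resource path.
SAMPLE_LOG = """\
2017-08-07T09:02:11 bob accounts READ fin/ledger-2017.xlsx
2017-08-07T09:15:40 bob accounts READ hr/salaries-2017.xlsx
2017-08-07T09:16:02 bob accounts READ hr/bonus-pool.xlsx
2017-08-07T10:01:00 joan legal READ legal/contracts/acme.docx
2017-08-08T17:45:10 john callcentre COPY_EXTERNAL cc/customer-list.csv
2017-08-08T17:46:30 john callcentre COPY_EXTERNAL cc/customer-list-q2.csv
2017-08-08T17:47:12 john callcentre COPY_EXTERNAL cc/scripts.docx
2017-08-08T17:49:55 john callcentre COPY_EXTERNAL cc/escalations.xlsx
2017-08-08T17:50:20 john callcentre COPY_EXTERNAL cc/pricing.xlsx
2017-08-09T11:00:00 joan legal COPY_EXTERNAL legal/contracts/acme.docx
"""

# Hypothetical policy: which top-level folders each department is expected to touch.
ROLE_SCOPE = {
    "accounts": {"fin", "shared"},
    "hr": {"hr", "shared"},
    "legal": {"legal", "shared"},
    "callcentre": {"cc", "shared"},
}

# Hypothetical thresholds: more than BULK_THRESHOLD external copies by one user
# inside BULK_WINDOW is treated as a bulk export.
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 4

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(text):
    """Parse log lines into event dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, dept, action, resource = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "action": action, "resource": resource})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, scope=ROLE_SCOPE):
    """Return alerts for out-of-role access and bursts of copies to external locations."""
    alerts = []
    recent_copies = defaultdict(list)   # user -> timestamps of external copies in window
    for e in events:
        folder = e["resource"].split("/", 1)[0]
        # Signal 1: touching a folder outside the user's department scope (Bob in HR data).
        if folder not in scope.get(e["dept"], set()):
            alerts.append({"ts": e["ts"], "user": e["user"], "kind": "out_of_scope",
                           "resource": e["resource"]})
        # Signal 2: many files moved off the corporate system in a short window.
        if e["action"] == "COPY_EXTERNAL":
            window = recent_copies[e["user"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > BULK_WINDOW:
                window.pop(0)
            if len(window) > BULK_THRESHOLD:
                alerts.append({"ts": e["ts"], "user": e["user"], "kind": "bulk_export",
                               "resource": e["resource"], "count": len(window)})
    return alerts


def first_alert_per_user(alerts):
    """The earliest alert per user: the point at which the HR conversation should happen."""
    first = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        first.setdefault(a["user"], a)
    return first


if __name__ == "__main__":
    for user, alert in first_alert_per_user(detect(parse(SAMPLE_LOG))).items():
        print(f"{alert['ts']:%Y-%m-%d %H:%M} {user}: {alert['kind']} on {alert['resource']}")
```

Note what the scope check does not do: Joan copying a legal contract to an external location is within her role and stays below the bulk threshold, so she generates nothing. That is deliberate; the point of getting in early in the kill chain is a quiet conversation with the people who are actually drifting, not a flood of alerts on everyone who does their job.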
On work equipment, there is no such thing as a private conversation.
— Stephanie Asher is a management consultant, professional writer and speaker. Twitter @stephanieasher1