The case for employee monitoring
One element of the phone hacking scandal that will cause discomfort to mobile operators is the high likelihood that their own staff, either knowingly or not, may have been involved in handing over sensitive information to investigators. This could have been the much-talked about extraction of voicemail PINs through subterfuge and bluff, but could also extend to the leaking of call records. (as The Guardian’s Marina Hyde alludes to here)
The risk to mobile operators of their own employees seeking additional income is already understood, following T-Mobile’s revelation in 2009 that the illegal sale of contract information to third parties was “an industry-wide problem”. So, uncomfortable as it may be to consider, is there a case for greater employee monitoring within mobile operators?
Chris Burke is a former CIO for Vodafone, and currently is a member of the Dtex Systems advisory board. Burke takes the view that mobile service providers need to adopt a more proactive stance on monitoring what data their employees access and how they use it. By doing so they would create a transparent environment for both employer and employee, reducing temptation.
He says that only through a clear view of how data is moving within, into and out of the business can operators and service providers accurately identify the insider threat and neutralise it effectively.
Last month, he wrote an article for Mobile Europe on the responsibility mobile operators and service providers have to monitor the way data is managed within their businesses. Describing a “sharp rise in insider security breaches in the global telecommunications industry”, he advocates the use of employee monitoring technologies. These keep systems open and available, so that people can do their job and access sensitive data as they need to, but are tracked and monitored as they do so.
I reproduce it here, as I think it makes some interesting points in the light of the current scandal, but also in drawing attention to the increased opportunities for data leaks that go far beyond accessing voicemails and call records. Bear in mind, of course, that Dtex Systems, the company whose advisory board Burke is a member of, is a provider of employee montoring software. So there is a commercial point to Burke’s article. However, that doesn’t mean that his points about the risk to operators of data theft and fraud are any less valid.
Burke’s piece begins below:
Smart phones and their applications are driving telecommunications to be one of the most data-intensive customer service industries worldwide.
The quantity and quality of this information creates a number of pervasive data handling and data theft concerns for mobile operators. They now have to balance their employees’ need to handle customer data with the need to protect this information and comply with a host of requirements covering data protection; privacy; employee rights; and corporate compliance. Increasingly, operators are addressing this by closely monitoring their employees’ handling of data – employee monitoring (EM).
The value of customer retention is paramount in any business with high annual revenue per user and market penetration, particularly where customers have a variety of competitive choices. In the mobile sector, knowing who the customers are, their historic buying patterns, and when a potential change event could happen (e.g. contract renewal) is sensitive and valuable information with significant value.
The mobile business model also lends itself to targeted fraud. There have been well-publicised cases of millions of customer records escaping from their rightful service provider owner. This issue isn’t new but it has become more frequent since the re-regulation of service providers.
I have witnessed EM gain popularity over the last few years. In light of WikiLeaks and data privacy regulations, many global companies, in engineering, finance, pharmaceuticals, and defence have accepted this approach as a security requirement. It is not an easy process to undertake. There are many business and technical challenges to navigate, however it is for these reasons that when EM is undertaken correctly, it provides significant support across an organisation.
Since the boom of online access, many casual corporate employees have become very IT savvy resulting in countless violations. These range from misuse of company resources, like running a media sharing site within the company, to outright theft: stealing millions of customer billing records.
Taking away temptation by making monitoring clear and transparent removes the temptation to break the rules. However when an infringement does occur, the company will have the offending user’s activity logged and can therefore accurately judge whether the rule was erroneous or the violation committed with intent.
Today, there are wide varieties of commitment to EM implementation. The best service providers understand their risk and have begun to use tools to monitor and shape employee access to sensitive information and data. Whilst they are in the formative implementation phases now, these early adopters will likely set the benchmark for customer expectations and best practice across the industry in the years to come.
T-Mobile (now Everything Everywhere) is one service provider beginning to use EM to raise the internal security benchmark. In parallel to the sharp rise in insider security breaches in the global telecommunications industry, T-Mobile sought an internal security solution which would minimise employee risk and proactively prevent the leakage of data, without restricting the innovative work environment promoted for its employees. EM was implemented as the chosen method as it addressed and reviewed their internal security processes and technologies at their very root, rather than simply detecting and fixing the symptoms in a band-aid type approach. The benefits are just beginning to be realised.
There is no doubt that the mobile industry has a unique set of data protection challenges. I believe these can be suitably addressed with data/employee monitoring technologies. Monitoring technologies help build the trusted relationship between employers and employees required to stimulate greater levels of productivity. Excessively locking down systems prevents employees from doing their job, creating a culture of backdoor security risks which are harder to locate. It is clearthat mobile companies have recognised this and are proactively seeking the right solutions. But this is just the start. The entire sector needs to follow suit to ensure protection for customers and corporate reputations.