Someone recently asked me about my thoughts on monitoring software (Blue Coat, Vontu, whatever) as it relates to protecting against disclosure of sensitive company data via social networking/Web 2.0/etc. I’m not going to get into individual situations and their legality, because privacy laws and cultural values differ. I think you’ll start seeing a lot more interest in these monitoring solutions because of the proliferation of PCI, HIPAA, and all those other fun standards that we infosec guys are begrudgingly thanking for job security. This was part of my response, and I wanted to record it for posterity.
A big issue is that a monitoring solution is usually capable of looking for more than "sensitive data" type issues, and you have to be careful not to use it in a manner that is disrespectful and violates employees' rights (i.e. inspecting their online banking or pharmacy sessions, if these are allowed). A lot of the issues I've seen in this space revolve around varying privacy laws and cultural norms in different regions that tolerate or encourage certain behaviors that might not be in a company's best interests. That being said, I do agree with the theory that outright bans tend to drive usage into patterns that are more difficult to monitor. I think that the important steps would be:
1. Develop a policy of what is allowed, what will be monitored for, and what happens if it's found, with guidelines for various types of content (business sensitive, potential legal or harassment issues, inappropriate content, "time wasting", etc.).
2. Communicate this policy clearly to impacted employees, in conjunction with HR and management buy-in.
3. Implement tools that can be used to impartially monitor for and report on those issues. This removes a lot of the subjectivity and "witch hunt" mentality that sometimes comes with the capabilities that these tools have.
4. Explain to management that monitoring is a best effort and may not catch everything and/or may produce false positives. It's a tool to find problems, not fire people, and significant issues should always be investigated to some extent before punitive action is taken.
Let me state for the record that I believe, regardless of laws that may be in place, that a company has an unequivocal right to monitor the usage of any of its resources that its employees use as long as they’ve notified the employee ahead of time. That being said, I think that a lot of companies are real jerks about how they handle it, and a lot of employees are incredibly stupid about what they do at the office. So, the problem lies with both sides of the equation. As this industry matures and provides more capabilities I think that companies are going to have to learn to be respectful and not sweat the small stuff, and users are going to have to learn some judgement and restraint. I also think that the industry players will need to step up and provide guidance in these matters to their customers, helping them understand that the tools they’ve bought are very powerful but have some social consequences that really should be considered.