Many U.S. Workers Favor E-Mail Monitoring, Research Shows

Some American workers feel that their employers should be allowed to scan their electronic communications to protect against data leaks, according to a research report conducted by Iowa State University and Palisade Systems.

Despite the implied submission of personal privacy, most workers at U.S.-based companies believe that their employers should be allowed to monitor electronic communications to help protect against misuse of sensitive data.

According to a report published by researchers from Iowa State University and network security software maker Palisade Systems, 100 percent of the workers the group surveyed at U.S.-based corporations said it was appropriate for companies to scan their employees' e-mail, instant messaging and other communications systems to ensure that people were not inappropriately sharing information with outsiders.

The study specifically asked if companies should be allowed to scan electronic communications for proprietary business data such as customers' personally identifiable information, including Social Security numbers, bank account data or credit card numbers.

By comparison, the study, which is based on interviews conducted with people working in 171 organizations in the government, university and commercial sectors, found that only 11 percent of survey respondents working for government agencies and 31 percent of people working for universities felt that employee communications should be monitored.

Researchers involved in the study said that the disparity in opinions is largely based on the realization among workers at U.S. companies that so-called insider threats represent one of the greatest dangers to data security, and that workers understand that businesses must keep a closer eye on their employees to prevent costly information leaks.

"What we've seen over the last 18 months is a rapidly growing acceptance in corporate America of monitoring behavior not only among executives who want to watch their employees, but also among employees in terms of understanding that anything they do using company resources can and should be watched," said Kurt Shedenhelm, chief executive of Palisade, which is based in West Des Moines, Iowa.

"In some cases such as the financial services industry, we obviously see the government requiring this type of activity via Sarbanes-Oxley and other compliance regulations."

While U.S. workers have increasingly accepted that their bosses might be reading their e-mails to ensure that critical data isn't being distributed without approval, the picture remains far less clear internationally, where some countries including Germany still bar companies from monitoring almost any employee communications, Shedenhelm said.

Among the changing trends within the context of scanning workers' electronic communications is a growing desire on the part of businesses to monitor instant messaging systems in addition to e-mail, according to Palisade, which markets software specifically designed to help companies perform such security tasks.

"Whereas 12 months ago everyone was scared about e-mail, there is now a move within more companies to monitor IM and other messaging systems as some experts contend that IM is becoming an even more broadly used business tool than e-mail," said Shedenhelm.

"Clearly people are accepting the fact that when you are operating within the walls or network of any company, anything that you do can be watched, and that regulations requiring companies to do so are only likely to become more stringent."

Among the other findings of the study, which was conducted by Dr. Doug Jacobson, a professor in the department of Electrical and Computer Engineering at Iowa State, was that 78 percent of the organizations surveyed stored, sent or accessed consumers' personally identifiable information or proprietary data on their computer systems.

Some 84 percent of the companies involved in the research said that they were already required by law or industry regulations to protect client records and information.

In addition, of all the organizations that said they handle and store private information, 83 percent said they maintain files that include customers' addresses and phone numbers, with 67 percent reporting that they still harbor people's Social Security numbers.

An additional 36 percent of those interviewed said they use customers' bank account information, and 30 percent said they store and handle customers' credit card data.

Of the organizations that maintain such databases of sensitive information, 64 percent indicated they have technology in place to monitor the data, but not to prevent mishandling of the files.

Some 30 percent of those firms said they can monitor content traveling out of the network by e-mail, but did not have tools in place to prevent such behavior.

An additional 16 percent of respondents said they can monitor specific content flowing out of their networks via instant messaging, but said they could not block such communications.

Only 13 percent of those surveyed said they could scan for information leaving the network by Web mail, with no ability to stop the practice.

Palisade Systems was founded in 1996 by Doug Jacobson, an Iowa State University professor of computer engineering.
