Surveillance: an important facet of KM
The knowledge dilemma

Employees possess information that others know about. A sales manager may summarize a competitor’s prices at a weekly business strategy meeting. Other information may emerge from employee actions.

Tacit Software, acquired by Oracle in 2008, for example, was one of the first companies to make it possible to identify an employee with particular expertise. The tipoff was the number of e-mails about a particular topic the individual was receiving. The logic was that an organizational chart might identify Ms. X as an expert in a particular subject. E-mail analysis, however, might indicate that Ms. Y was the go-to person for that subject.

Traditional knowledge management does not focus on the implicit or emergent information that employees possess. With the economic pressures of today, many organizations want to tap into information that will provide a competitive advantage. Not surprisingly, vendors provide systems that can capture a wide range of information that may not be directly available in a PowerPoint deck or a memorandum.

Organizations find themselves on the horns of a knowledge management dilemma. Capturing emergent information may make some senior managers uncomfortable. Failing to tap into a potentially significant stream of data may disadvantage the enterprise. In The Blank Book, Lemony Snicket observes: “The key to good eavesdropping is not getting caught.”

How do some organizations obtain information about employees in the 21st century?

In 2008, PC Magazine published “Employee Monitoring: It’s Not Paranoia—You Really Are Being Watched” (See pcmag.com/article2/?0,2817,2308363,00.asp). Brittany Petersen wrote: “It’s possible that someone has been reading your e-mails, listening to your phone calls and tracking your Internet use. No, it’s not a foreign spy. It’s not even your ex—it’s your employer. And she doesn’t even need to tell you she’s doing it. Employers can legally monitor their workers however they want. They can log and review all computer activity as long as they own the machines.”

Monitoring methods

Today’s organizational environment involves cloud services, BYOD (bring your own device) policies and virtual workplaces. The metadata about employee activities, including social media activity, e-mail and content creation are part of the organization’s information fabric. That metadata can provide the same density of information about employees as old-school traditional methods of information collection.

Consider SpectorSoft, which creates monitoring software. The company says: “Monitor or investigate an individual, a group or companywide computer, Internet and mobile activity. Increase productivity, improve security and reduce risk while protecting employee privacy.”

The company offers a number of different products. They include a basic employee monitoring software for the enterprise. A more robust solution is Spector CNE Investigator. The shrink-wrapped software costs $400 for a license. Investigator can perform relatively trivial functions such as screen playback, capture websites the employee visits, and record both sides of instant messaging and chat activities. The software’s more interesting functions make it possible to “watch for files being printed, edited on a network drive or copied to a USB key.”

Investigator also records “every Internet connection a computer or application makes.” The information recorded includes the target Internet protocol address, the port used for the connection and the amount of bandwidth consumed for a session. The idea is that videos and software downloads are typically larger than text files, an important signal if the employee monitored is suspected of non-work related activity.

Most surveillance products focus on data loss prevention, Web monitoring and interacting with devices linked to the organization’s network. The gap in SpectorSoft-type products is activity that takes place outside of an enterprise network connection.

Mobile tracking

Is it possible to monitor an employee’s actions if the activity takes place on a mobile phone or tablet used outside of the workplace and not connected to the organization’s network?

MobileGuard (formerly TextGuard) offers a mobile communication solution that may help an organization gain insight into that facet of the organization’s knowledge. Founded in 2007, MobileGuard offers compliance monitoring, archiving and analytics services.

The company’s MessageGuard solution: “is a comprehensive text message monitoring solution designed to monitor, store and easily access SMS, MMS, Blackberry Messenger and Blackberry PIN-to-PIN messages. Our solution is intended for the corporate market, enabling companies to keep track of messages on employee smart phones. MessageGuard, a feature-rich and user-friendly system, archives messages in a format that is easy to access, which simplifies the creation and implementation of effective internal mobile compliance policies, as well as compliance with applicable external governing regulatory bodies. MessageGuard has a multiplatform support that includes Android, Blackberry and iOS devices.”

Features of the monitoring solution include proactive SMS monitoring with custom alerts. The employee who uses a specific word or phrase can be blocked from sending or receiving.MobileGuard has developed a robust anti-uninstall measure. An employee wanting to avoid monitoring will have difficulty evading the MessageGuard envelope.

BYOD risks

Like SpectorSoft, MobileGuard does not make public functionality that can intercept mobile voice calls or traffic sent across a commercial telephony firm’s network. However, companies do provide solutions to perform what is called lawful intercept. Within the United States, most commercial enterprises will not have direct access to monitoring solutions that can recognize, intercept, track and analyze what most employees would consider private communications.

MobileGuard’s Web log addressed the risks to organizations of the BYOD approach to personal computing devices such as personal laptops, mobile phones and tablets. It points out: “As with any technology, there are risks associated with implementing a BYOD program. There are legal risks, such as the ability to access information responsive to a document request for preservation or production. There are regulatory risks associated with information on those devices that may be subject to regulatory retention and supervision requirements. There are information security risks associated with lost or stolen devices, as well as many different devices having access to the organization’s networks, and there are data privacy risks associated with the mix of personal information with business information on one device.”