Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has — or could have — access to it is essential to assessing security vulnerabilities. Whether you’re a industry giant or a lean-and-mean one-person shop, here are some tips on conducting your own “CSI” investigation:

Thanks to the FTC for granting permission to reprint this article.

How would you like to see a video of the web sites you visited, emails you sent and received, chats and instant messages, keystrokes typed, documents printed etc? There are tools available now that promise to “detail what an employee is doing every step of the way”. These tools are so advanced and detailed that they can answer questions like:

• Which employees are spending the most time surfing web sites?
• Who is spending time on shopping sites, sports sites or adult sites?
• Which employees chat or use anonymous email services like Hotmail and Gmail?
• Who is sending the most emails with attachments?
• Which employees may be leaking company confidential information via removable media like flash drives, CDs and DVDs?
• Which employees are printing sensitive documents?
• Who is arriving to work late and leaving early? Who takes long lunch breaks?
• What are my employees searching for on Google, Yahoo and MSN?

Now the question is, how does this affect employee morale and sense of privacy? I am not sure I would be comfortable working in an environment that actively monitors my every single move throughout a work day. For those working in a high security position, or in environments that mandate strong security compliance (like the federal government’s requirement for keeping records of transactions and communications), there may some justification for this kind of paranoid Big Brother activity. If the end result, however, is to minimize internet abuse, there are moderate software and hardware solutions that do a decent job of keeping time-wasting web sites of your network. I mean, when is it really necessary to know:

• What web sites are being visited most frequently and who is spending the most time browsing the web? Are these web sites work-related?
• Which employees are engaging in chat or instant messaging? Is it work-related?
• Who is using Hotmail, AOL mail, Gmail or Yahoo mail to communicate sensitive documents?
• What are employees searching for on Google, Yahoo, MSN and AOL?
• Who is sending the most email with attachments and where is it going? What is contained in those attachments? Is the employee authorized to send out this information?
• What are the top programs being run and are any of them non-work-related?
• Which employees are playing games like Solitaire at work? How much time are they spending playing games?
• Who is transferring the most files and what exactly are they sending out and to whom are they sending these files?
• Who is saving confidential information to removable media like flash drives or CDs or DVDs?
• Who is printing company sensitive files?
• Who are the top violators of those keywords that indicate abuse (e.g.: sex, guns, gambling)
• Which employees type the most?  Which type the least?
• Which employees use the most network bandwidth and why?
• Who is arriving at work late and leaving to go home early?
• Who takes the most breaks throughout the day?

Internal espionage in corporate environments is nothing new. Many companies put systems in place to help prevent or uncover data loss by tracking users sending sensitive files as attachments or copying them to removable storage devices such as USB keys, iPods, or CDs. So if you work in a major corporation that can afford killer internal employee monitoring software, you may want to be careful about those “business” emails to your massage therapist.