How to monitor users' internet activity?

Employers often ask themselves: how do we monitor users' internet activity? While straightforward on the surface, the question is not as easy to answer.

There are a lot of nuances that need to be considered, from budgeting and finance to workflow, to security, to climate at the workplace, to employee morale, etc.

Successful user activity monitoring requires you to choose the best tool for your situation and integrate it into a business process in the least disruptive way possible.

With a huge number of offers available on the market right now, it can be rather hard to do. Down below we will give you some practical advice on how to best approach employee network activity monitoring, and what tools can be used to do it.

Network activity monitoring – why it is necessary

Before even starting to monitor users' internet activity, you need to understand why you’re doing it. This type of monitoring can be used to solve numerous problems, but you need to know exactly what you are setting out to achieve because it will determine your approach and your tools of choice.

For most companies, the need to monitor users' internet activity comes down to the following:

Increased security

Data theft and leakage are real problems. Sometimes they happen due to hacking attacks, where a perpetrator gains control over your system. Sometimes they happen due to compromised accounts. Sometimes the culprit is a malicious insider – an employee with legitimate access. In other instances, data is leaked due to an inadvertent mistake.

In all these situations user activity monitoring can help, depending on your setup and tools used, to detect leakage, deter a perpetrator, and, what’s even more important, to gather information and evidence in order to conduct a conclusive investigation and determine what exactly happened.

So, while it’s always useful to monitor all network activity inside a company, in this situation it means that you need to take extra care in monitoring endpoints with sensitive data specifically.


While security is important, monitoring user activity for compliance reasons is also extremely prevalent. Many companies are more concerned about meeting regulations and protecting themselves in the long run than about dealing with imminent threats.

This means that sometimes security measures are implemented regardless of the actual risk associated with a particular threat. Although you should always remember that any compliance is designed to facilitate security and to serve as a guiding tool in creating your own defences, it is worth noting that it is never worth sacrificing employee morale with rigorous widespread monitoring if actual risks are not that high.

The better course of action is to focus on endpoints that contain sensitive information and monitor network activity whenever it is accessed.

It is also worth noting that for security and compliance, regular network activity monitoring may not be enough. Instead, you will most likely need to use user activity monitoring software, capable of recording user actions in order to determine not only when sensitive data was accessed, but also what operations were conducted with said data.

Performance evaluation and facilitation of positive work culture

Performance evaluation is probably the most widespread reason to monitor employee network usage. It is not a secret that employee performance can be severely affected by the extensive use of the corporate internet for entertainment or to solve personal matters.

Considering that access to the internet is provided by the company specifically as a tool to do work, an employer often has the full right to monitor said access. If an employee demonstrates unsatisfactory performance due to wasting time on entertainment or personal matters, the results of such monitoring can be used to prove it.

It can be used as leverage when talking to the employee and convincing them to focus on the job.

Moreover, you will be able to check whether employees are accessing some inappropriate materials from work. This will help you quickly put a stop to that, protecting your company from any potential lawsuits related to hostile work environment.

However, it is worth noting that if you don’t want your employees to look at certain websites, it would be wise to prohibit access to them altogether. This, in addition to conducting monitoring and having clear written policies, can create a healthy atmosphere in the workplace, where both employees and employers know why certain measures are in place and what to expect from each other.

The right approach is the key

Despite all the benefits, it’s worth noting that employee network usage monitoring done incorrectly does have its own set of drawbacks. Your employees have their own concerns about privacy and high levels of pressure, and failure to address them can result in a loss of morale and productivity, as well as high turnover rates.

The things you need to take into account include:

Privacy concerns – even if you provide the communication channel, it doesn’t necessarily mean that you can view the content of private employee emails. Laws in various countries differ on this, with the US usually being more in favour of the employer. Nevertheless, the knowledge that their privacy is under threat can negatively impact employee morale, which is never a good thing.

Risk of discrimination lawsuits – if you are targeting a specific employee, then you are always opening yourself up to a lawsuit. Make sure that your monitoring policy is universal and fully formalised.

Risk of a lawsuit for punishing an employee who criticises the company – under US law an employee cannot be punished for criticising their employer. If network monitoring uncovers instances of such criticism, they alone cannot serve as a basis for taking disciplinary action.

Concerns about high pressure and employee morale – rigorous monitoring can put high pressure on employees to always watch their behavior, which often results in quick burnout and extremely high turnover rates. It is always worth minding the gap between productive monitoring and surveillance.

In order to alleviate all of these concerns, you need to conduct employee monitoring in an ethical way and take into consideration the opinions and potential problems of your employees.

There are three main best practices that you should follow when conducting user action monitoring:

Create clear written policies – make sure to put all your policies regarding network monitoring in clear writing, and make sure that your employees are familiar with them.

This will help you create a set of concrete rules, and lets your employees know what you expect from them and what they should expect from you. It is also a great reference point for whenever rules are broken.

Inform your employees – trust between employee and employer is a basis for a healthy working relationship. If you don’t inform your employees that they are being monitored, then whenever it comes out, their trust in you will be ruined.

Monitor only when it is necessary – this is another point regarding the difference between monitoring and surveillance. You need to employ monitoring only when it is necessary to achieve your goals. This means that it is often best to focus on endpoints with sensitive information in order to achieve security or compliance. And even in that case, you may want to limit monitoring to only when said data is accessed.

Of course, if your goal is to evaluate employee performance or protect yourself from insider threats, then it is often best to monitor every endpoint. However, you need to make sure not to be overzealous with enforcing rules and to give your employees some private corner that they can retreat to.

Tools for network monitoring and how to use them

Once the goals have been established and the approach has been decided, all that is left is to select the best tools for the job.

There is no shortage of software and hardware on the market that can solve this problem, and your choice will always depend on the exact situation you’re in. As an example, we will give you a rundown of 5 different options you may want to consider.

Native router capabilities

The majority of routers do not allow any detailed traffic analysis. Some models, though, have packet accounting that is broken down by IP. There are models that even allow assigning permanent IPs to all devices inside the network, making it easy to analyse internet usage.

However, traffic usage data is very barebones and does not provide enough information for effective security or performance evaluation. Unusual spikes may allow you to determine when users are trying to copy sensitive data to the cloud without authorisation, or when they use the corporate network for streaming or torrenting instead of working. But this is by no means reliable and, ideally, should not be used as your only source of evidence.
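The spike check described above can be sketched as follows. This is an added example, not part of the original article or any router's firmware: the CSV layout, the private addresses and the thresholds are assumptions, and the sample data is constructed.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample of hourly per-IP accounting: hour, device IP, bytes sent out.
ACCOUNTING_CSV = """hour,ip,bytes_out
09,192.168.1.20,41000000
10,192.168.1.20,38000000
11,192.168.1.20,45000000
12,192.168.1.20,40000000
13,192.168.1.20,43000000
14,192.168.1.20,2900000000
09,192.168.1.31,12000000
10,192.168.1.31,12000000
11,192.168.1.31,12000000
12,192.168.1.31,12000000
13,192.168.1.31,12000000
14,192.168.1.31,13000000
09,192.168.1.44,900000000
"""

def find_upload_spikes(csv_text, threshold=6.0, min_samples=5, floor=5_000_000):
    """Return (spikes, unbaselined): hours far above each IP's own baseline,
    and the IPs that had too little history to judge at all."""
    per_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_ip[row["ip"]].append((row["hour"], int(row["bytes_out"])))
    spikes, unbaselined = [], []
    for ip, samples in sorted(per_ip.items()):
        if len(samples) < min_samples:
            unbaselined.append(ip)  # a large one-off transfer lands here unseen
            continue
        values = [b for _, b in samples]
        base = median(values)
        # Median absolute deviation is not dragged up by the spike itself;
        # the floor keeps near-constant traffic from flagging tiny changes.
        mad = max(median(abs(v - base) for v in values), floor)
        for hour, sent in samples:
            score = (sent - base) / mad
            if score > threshold:
                spikes.append((ip, hour, sent, round(score, 1)))
    return spikes, unbaselined

if __name__ == "__main__":
    print(find_upload_spikes(ACCOUNTING_CSV))
```

The device with a single large sample is reported as unbaselined rather than flagged, which is the unreliability the paragraph warns about: byte counts alone say nothing about who sent the data or what it was.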

All in all, while it can be an OK solution for very small startups, native router capabilities should not be used as your sole means of monitoring network usage. You would be better off looking into specialised software solutions that will give you much more data.


OpenDNS is an extended DNS server that allows corporate clients to not only monitor and analyse network usage but also to filter content and protect themselves from certain types of phishing and malware.

This service tracks DNS requests and sorts them based on Active Directory names. This allows monitoring network usage based on individual accounts, knowing who accessed websites and when.

However, such a service has its own set of limitations. It can’t distinguish between users of shared accounts, such as system administrators, which can be critical for security.

It also can’t determine how much time a user spends on the page. Whether the page was opened and left in the background, or it was actively used, can make a huge difference for performance evaluation.

All in all, OpenDNS is a great server for content filtering and passive security. It may save you some problems without the need to engage in rigorous monitoring, but it will hardly provide sufficient evidence to use in performance evaluations and data leakage investigations, not to mention the service's inability to detect said leakage.


LibreNMS is a network monitoring solution that supports auto-discovery. The system is open source and thus available for free. However, this can be a double-edged sword, as open source software is usually more vulnerable to attacks and prone to errors and also often slower to update.

Despite all that, LibreNMS is a comprehensive network monitoring package that is easy to set up and use. Network discovery and distributed polling are great for large networks that keep getting bigger. Alerting allows you to easily make sense of what is going on in your network, quickly detecting unusual activity.

Overall, LibreNMS is similar in its capabilities to OpenDNS and has similar limitations. It can’t distinguish between users of shared accounts and doesn’t know what exactly a user does with the data they access.

However, while OpenDNS is more focused on security and content filtering, LibreNMS is much more oriented towards network monitoring. Overall, it is a great free solution for anyone who wants to make sure that their network is used appropriately.


PRTG is a network monitoring tool created and distributed by Paessler. It is a commercial tool with a free demo and a freeware version available. This system monitors not only network status and usage, but also various other parameters within your domain, including hardware performance and usage, databases, and certain server applications.

Overall, PRTG is designed to give you all necessary information about the state of your network. Rather than performance evaluation and security, this tool is aimed more at helping system administrators design and maintain your network infrastructure.

Nevertheless, it can be used to get full internet activity data that can be useful for performance evaluation and security purposes.

Ekran System

Purely network monitoring software is a big step above the regular built-in capabilities of certain router models, but in many cases it does not provide enough data to fully evaluate user activity on the network. What if several users are sharing the same account? How long did they spend on a particular website and what did they do there? What if they used a single page application that doesn’t send any additional DNS requests?

In these situations, an agent-based user action monitoring solution, such as Ekran System, can provide all the missing data. Ekran System doesn’t monitor network activity by itself, but rather monitors all actions that users conduct on the endpoint.

It can distinguish between users of shared accounts thanks to an additional authentication feature, and it can record what websites have been opened and for how long, what the user has done there, and whether the window was in focus or not.

A plethora of filters for video recording lets you determine exactly what to record and when, allowing you to conduct monitoring sparingly, respecting the privacy of your employees. At the same time, Ekran System also features robust alerting functionality, allowing you to effectively detect insider threats and data leakage.

Ekran System is fairly affordable, with licensing based on the size of deployment. The one drawback of the solution is that it does not monitor network traffic in and of itself. In this regard, Ekran System may be better used in tandem with network monitoring systems, such as LibreNMS.


As already mentioned above, the choice of your tool heavily depends on what you set out to achieve. Regardless, for all its complexity, the usefulness of network activity monitoring is hard to overstate.

And by taking the right approach and choosing the right tools you will be able to alleviate any negatives and concerns, strengthening your security and getting better performance out of your employees instead.


Sourced from Marcell Gogan at EkranSystem

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
