The Wall Street Journal recently published an article on how IT departments are coping these days with the biggest threat to data security -- namely, employees in the IT department. That the "enemy within" is the biggest threat to an enterprise is nothing new, but buried in the article was something that struck me as, well, Orwellian. The WSJ reports that some organizations "are even using new technology to look at the language of their IT staff's emails to determine whether their behavior or mind-set has changed."
"If you start to feel differently about the company you work for and the people you work with, you'd be surprised how your language changes," says Ed Stroz, co-president at digital-risk-management firm Stroz Friedberg LLC, New York. The company, like other consulting firms such as Ernst & Young, makes technology to examine linguistics.
Common red flags include a dramatic change in the length of a person's emails. For example, someone may start writing emails of half a dozen words when their messages used to read like novels. Other tip-offs: a rise in the number of anger-related phrases, greater use of the word "me," and signs of more-polarized thinking, like the words "never" and "always."
I understand the need to be aware of the attitudes of workers with high-level access to data and networks, but this strikes me as creepy. What if an IT employee suddenly has relationship problems or family issues? Will they then be flagged by HR as potentially troublesome or even a data security risk? And all without them even knowing there's a dossier being created of them and their "suspect" behavior?
I have to agree with the sole commenter to the WSJ article, who said, "If you're worried about questionable behavior, do your due diligence as a manager. Actually pay attention to your staff's activity, be aware of their behavior and moods." All of which, by the way, can be done without spying on and linguistically interpreting an IT employee's email. What's next, surreptitious mind-scans?
Enterprises have a right to protect their data. That's indisputable. In that regard, software intended to detect unusual network and file-access activity makes perfect sense. Same with checks and balances on high-level network access to prevent rogue actions. But secretly reading IT workers' email to draw conclusions about their mental and emotional state? I think that's way over the line.
What do readers think? Feel free to comment below.