Keeping a close eye
Former Vodafone UK CTO Chris Burke talks about the importance of employee monitoring within mobile operators as the quantity of sensitive customer data held by the operators increases exponentially.
May 25, 2011
Connectivity between a customer’s social, work, financial and personal data via mobile technologies is increasing exponentially. Smart phones and their applications are driving telecommunications to be one of the most data-intensive customer service industries worldwide.
The quantity and quality of this information creates a number of pervasive data handling and data theft concerns for mobile operators. They now have to balance their employees’ need to handle customer data with the need to protect this information and comply with a host of requirements covering data protection; data privacy; employee rights; employee obligations; and corporate governance and compliance. Increasingly, operators are addressing this by closely monitoring their employees’ handling of data – employee monitoring (EM).
The value of customer retention is paramount in any business which has high annual revenue per user and a high market penetration, particularly where a variety of competitive choices are available to customers. In the mobile sector specifically, knowledge of who the customers are, what their historic buying patterns have been and when a potential change event could happen (e.g. contract renewal) is extremely sensitive and valuable commercial information. Even fragments of this data such as which phone numbers have downloaded a particular application reveal a lot about a customer. Such information has significant and liquid value.
The nature of the mobile business model also lends itself to highly targeted fraud. For example, while service providers often ship phones to businesses or into channels at zero immediate cost to the business or channel, the phone has an immediate black market value. There have also been well publicised cases around the world of millions of customer records escaping from their rightful service provider owner. These issues aren’t new. They have existed since the beginning of mobile telecoms, but have become more frequent and obvious since the re-regulation of service providers.
Without the right technology to monitor the capture, movement and release of data, organisations are placing themselves and their customers in the sights of highly organised e-crime outfits who are all too happy to take advantage of careless employees and malicious insiders.
I have witnessed EM gain popularity over the last few years. Certainly, in light of WikiLeaks and Data Privacy regulations, many global companies, in engineering, finance, pharmaceuticals, and defence have now accepted this approach as a core security requirement. Implemented correctly, EM can enhance an organisation’s existing information security framework in the initial stages, shaping security culture and helping to maintain information security policies going forward. It is not an easy process to undertake, as there are many business and technical challenges to navigate. However, it is for these very reasons that, when EM is undertaken correctly, it has been proven to provide significant support across an organisation from a variety of perspectives.
Consider the following:
In the first instance, EM is needed to ensure an organisation’s existing information security framework is sound, addressing legal and regulatory requirements for the access and protection of data, corporate governance and compliance without violating employee rights.
Once EM has provided a clear understanding of the existing framework, gaps, overlaps and issues associated with internal risk and audit, any eventuality of information leakage with high consequence or high probability can be covered off and any loopholes closed.
Finally, once these issues have been addressed, the organisation can then consider covering industry best practice and how best to apply pro-active monitoring to shape a culture sensitive to data protection, information protection, compliance and corporate governance.
Since the boom of online access, many casual corporate employees have become very IT savvy (let alone the IT subject matter experts employed within the company). This has resulted in countless violations. These range from misuse of company resources, like running a media sharing site within the company, to outright theft: stealing millions of customer billing records or customer data.
Making monitoring clear and transparent removes temptation and so prevents a substantial amount of infringement before it happens. When an infringement does occur, the company will have the offending user’s activity logged on record and can therefore use the audit trail as hard evidence by which to judge whether the rule itself was erroneous and whether the violation was committed with intent. Naturally, not all infringements are malicious – in fact, the majority of employee infringement incidents plaguing organisations stem from unintentional breaches or suspicion-based allegations with no substance. In these cases, employee monitoring is vital for protecting well-meaning employees from being wrongly accused or even dismissed. It also tells the organisation that something is lacking in its information security culture.
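As an added illustration of the audit-trail point above (example code, not from the article or from any vendor), the script below reviews a constructed CRM access log: it flags an agent who touches far more distinct customers in a day than an assumed baseline, and records export actions so that intent can be judged later, while ordinary support activity stays unflagged. The log format, the baseline of five customers per agent per day and the action names are all assumptions.

```python
from collections import defaultdict

# Constructed sample audit trail: ISO timestamp, employee, action, customer id.
AUDIT_LOG = """\
2011-05-20T09:01:12,alice,VIEW_BILLING,100001
2011-05-20T09:05:40,alice,VIEW_BILLING,100002
2011-05-20T10:12:03,alice,VIEW_BILLING,100003
2011-05-20T09:00:01,bob,VIEW_BILLING,100010
2011-05-20T09:00:02,bob,VIEW_BILLING,100011
2011-05-20T09:00:03,bob,VIEW_BILLING,100012
2011-05-20T09:00:04,bob,VIEW_BILLING,100013
2011-05-20T09:00:05,bob,VIEW_BILLING,100014
2011-05-20T09:00:06,bob,VIEW_BILLING,100015
2011-05-20T09:00:07,bob,VIEW_BILLING,100016
2011-05-20T09:00:08,bob,VIEW_BILLING,100017
2011-05-20T09:00:09,bob,VIEW_BILLING,100018
2011-05-20T09:00:10,bob,VIEW_BILLING,100019
2011-05-20T09:00:11,bob,VIEW_BILLING,100020
2011-05-20T09:00:12,bob,VIEW_BILLING,100021
2011-05-20T11:30:00,carol,EXPORT_BILLING,100050
"""

BASELINE_PER_DAY = 5                    # assumed normal distinct customers per agent per day
BULK_FACTOR = 2                         # flag when an agent exceeds BULK_FACTOR x baseline
SENSITIVE_ACTIONS = {"EXPORT_BILLING"}  # assumed action names that are always recorded

def parse_audit(text):
    """Yield (day, employee, action, customer_id) from CSV audit lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, action, customer_id = line.split(",")
        yield ts[:10], employee, action, customer_id

def review_audit(text, baseline=BASELINE_PER_DAY, factor=BULK_FACTOR):
    """Return sorted (employee, day, reason) findings.
    Distinct customers per employee per day catches bulk record access;
    sensitive actions are kept as evidence even when not bulk."""
    touched = defaultdict(set)
    findings = set()
    for day, employee, action, customer_id in parse_audit(text):
        touched[(employee, day)].add(customer_id)
        if action in SENSITIVE_ACTIONS:
            findings.add((employee, day, f"sensitive action {action}"))
    for (employee, day), customers in touched.items():
        if len(customers) > baseline * factor:
            findings.add((employee, day, f"bulk access: {len(customers)} customers"))
    return sorted(findings)
```

Raising the baseline (for example for a billing team whose job is bulk reconciliation) clears the bulk finding without hiding the export, which is the distinction the audit trail exists to preserve.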
If you compare the aforementioned approach to what is currently happening amongst mobile service providers, you will see that there are wide varieties of commitment to EM implementation. The best service providers understand their risk gaps and have begun to use tools to monitor and shape employee access to sensitive information and data. Whilst they are in the formative implementation phases now, these early adopters will likely set the benchmark for customer expectations and best practice across the industry in the years to come.
T-Mobile UK (now part of Everything Everywhere) is one service provider that is beginning to use EM to raise the internal security benchmark. In parallel with the sharp rise in insider security breaches in the global telecommunications industry, T-Mobile sought an internal security solution which would minimise employee risk and proactively prevent the leakage of data, without restricting the innovative work environment promoted for its employees.
EM was implemented as the chosen method as it addressed and reviewed their internal security processes and technologies at their very root, rather than simply detecting and fixing the symptoms in a band-aid type approach. The benefits of a systematic approach are just beginning to be realised by T-Mobile. Security for compliance and legal purposes is one thing, but proactive security using EM is opening up a whole realm of opportunity for the organisation, such as proactively shaping IS culture in the workplace, optimising employees’ work environments and leveraging security against the competition to attract and retain customers.
There is no doubt that the mobile industry has a unique set of data protection challenges. I believe these can be suitably addressed with data/employee monitoring technologies. Monitoring technologies help build the trusted relationship between employers and employees required to stimulate greater levels of productivity. Excessively locking down systems prevents employees from doing their job, creating a culture of backdoor security risks which are harder to locate. It is clear, especially through the experience of Everything Everywhere, that mobile companies have recognised this and are proactively seeking the right solutions. But this is just the start. The entire sector needs to follow suit to ensure protection for customers and corporate reputations.
Chris Burke is a member of the Dtex Systems Advisory Board and has held senior positions in service provider companies, including CTO of Vodafone UK, UK Managing Director of RIM (Blackberry) EMEA and CTO of Energis.