It's getting easier to keep an eye on employees and customers, both in terms of video surveillance, with ever smaller and cheaper digital cameras, and data monitoring, with powerful tools for examining emails, web activity, and network packets. Done correctly, these surveillance activities can help deter or catch theft and fraud. Done poorly, however, surveillance can be expensive and ineffective, and can create legal risks and morale problems. Here are pointers on creating and communicating your policy, determining return on investment, and other video surveillance basics.
Why is the policy so important, and what should my corporate policy include?
Policy is important because mismanaged security surveillance is expensive and wasteful and can create legal and employee morale problems.
Four simple rules to follow:
1. Create a written policy that's fair and clear. This is the smartest step toward intelligent workplace surveillance, so it's a little surprising that so many organizations fail to do it. A video surveillance policy might state where cameras can be placed, as well as the fact that employees have no right to privacy in the general working areas of a facility. An electronic monitoring policy might state what forms of communication the company monitors; a very broad policy might include use a phrase such as "all electronic communication media including, but not limited to, e-mail, instant messaging, and web browsing". Some companies choose not to monitor so extensively. In any case, policies should also make clear the disciplinary consequences that can result from unprofessional employee actions caught on video or over the network.
2. Put the policy in your employee handbook and require an employee signature.
3. Periodically remind people being monitored of what the policy says. This helps with legal liability (so that, for example, an employee fired for breaking the policy can't file an effective 'wrongful termination' lawsuit using the "I wasn't notified of the policy" excuse). Also, simply communicating the fact that a company has a policy can act as a deterrent to potential wrongdoers.
4. Enforce the policy consistently and fairly. Otherwise, you send a confusing message to your employees and risk creating the appearance of favoritism. (This also means the policy needs genuine buy-in from upper management.)
I am concerned about employee morale if we institute a strict policy.
A key strategy is to communicate not only your policies and practices, but also the reasoning behind them. Here's a great example. In 1993, software company SAS built what's known as Building R on its Cary, N.C., campus. A security control center was located in the subbasement to monitor the new CCTV cameras that were being installed around the campus in lobbies, entry points and the campus day care. (Before 1993, SAS use of CCTV was minor.) However, SAS failed to anticipate the displeasure that spread its way through the employee ranks. Soon rumors started floating around that there were covert cameras. Questions arose: Why are they putting in cameras? What are they watching? Why do we need so much surveillance? "I had done my best to develop a relationship with the employees," says Miles Bielec, head of security at SAS. When the cameras came on the scene, he worried that he was about to take a giant step backwards.
Then Bielec had an inspiration. Because two sides of the control center were glass, he decided to turn the monitor banks around, so that the monitor screens faced outward. With this change, any SAS employee walking by the control center can see exactly what the cameras are being used to observe. "I told employees, come on down, you can see what we're looking at. We can show you how [the system] works; we'll let you play with the joysticks," he says. "That alone allayed the monitoring fears."
What Bielec came up against was a very open, creative corporate environment, not unlike that found on a college campus. To many employees, the installation of cameras screamed of Big Brother syndrome. Bielec assured employees that the system was more about customer service (such as letting employees back in the building if they accidentally got locked out during a smoking break), to give employees peace of mind and to keep an eye on more places than was otherwise humanly possible (data centers, for example).
If your policy is strict, but the reasoning and motivation is clearly explained, and if you also demonstrate a certain level of reasonableness in the way you handle surveillance and monitoring matters, it's likely that employees will understand.
On the technology side, the choices between CCTV and newer digital systems is difficult. How about some guidance?
Experts say video surveillance technology adoption is progressing over three phases:
Phase 1: Standalone CCTV systems. These are regarded as relative dinosaurs, but sturdy and simple. They will fade as surely as typewriters did.
Phase 2: Hybrid digital-analog systems. Sometimes networked, they use black-box digital video recorders (DVRs, essentially TiVo boxes). This represents the transition between old and new—such as those word processors that came after typewriters, but before PC programs.
Phase 3: Fully digital, networked IP-based surveillance. Here, video surveillance is just another node on the IT network. Cameras have IP addresses, controlled centrally with any number of software applications on top of the raw visual data.
Joseph Freeman's market research shows that CSOs are certain that they want to move off standalone closed circuit TV, but unsure that they're ready to move on to what they're being told is the more powerful, more dynamic future of video surveillance—fully digital systems. So they network their DVRs to get a few benefits of the new technology without a real commitment. They add some digital systems, while keeping CCTV with DVR. They're milking their old investments.
New digital technologies can pack some punch. One example: Pedro Ramos, director of loss prevention for Pathmark Stores, identified a problem universal to grocery stores. Most inventory shrink—shoplifting, employee theft and damaged goods—occurs at the point of sale. So he installed digital video that links to the cash registers at all of his stores. "I can look at the [the digital archive of the] register tape, pick out any item on that tape and be taken to the archived video of that moment in that transaction." This allows quicker response to incidents and deters theft. Recurring problems (such as a cashier who repeatedly mishandles egg cartons during scanning) can be identified and ameliorated quickly. "Almost immediately," says Ramos, "we've seen a significant decline in shrink."
Here are four considerations in support of newer technology.
1. Better visual data. Optics have vastly improved with the new generation of cameras, which, are more widely available. Dave Kent, CSO of Genzyme, says, "You can now buy equipment online that you used to have to go to some custom shop in an alley in New York to get. Good lenses. Low light. Thermal imaging. This stuff is smoking." Director of Corporate Security Sheila Bramlitt's bank, First Horizon National, helped solve a case involving kidnapping and homicide by using pictures captured from a camera at one of its ATM machines. "It looked like the person was posing for a portrait," she says. "We've come a long way from the blue-gray fuzzy blurs." With better resolution, one camera can cover a wider area, or digitally zoom for fine detail. Casinos love this.
2. Standard IT infrastructure. Historically, "You were tied to your supplier," says Joe Freeman, a security industry consultant and president and CEO of J.P. Freeman. IP-based video will allow CSOs to use the same servers and bandwidth as the rest of the company. What's more, cameras running IP over ethernet can have both data and power go through the same ethernet cable, with backup power on the same supply as the IT systems backup power supply. Prisons and areas vulnerable to wide-scale natural disasters love this.
3. Efficiency through centralized monitoring and automation. Simple math: When you have 30 sites worldwide, feeding video into a single control room instead of having 30 control rooms creates efficiency. Automated alarming further reduces the need to keep eyeballs fixed to screens everywhere. Digital archives are easier to access ("Tape," says one integrator, "basically requires a full-time employee.") Global companies with small sites love this.
4. New applications. It is software that will finally revolutionize video surveillance. Vendors are promising seemingly limitless applications to make video smart: Motion triggers, which can tell cameras to jump into high-resolution mode and track objects; software which can discriminate between a human form and, say, a skunk (thus reducing false alarms); applications which link video surveillance to access systems and safety systems, so that the surveillance system could call the fire department or help turn on sprinklers. Insurance companies love this.
Four caveats on digital IP video:
1. Digital IP surveillance requires a higher capital investment. The vendors will promise that despite this, they'll also provide higher returns faster. Make them prove it, like Pedro Ramos, director of loss prevention at Pathmark Stores, did. The cost of the cameras is actually negligible compared to application costs, storage costs, bandwidth costs, training costs, and, critically, security costs of using the Web to transmit image data and other security data. "They're making money in this industry, believe me," Genzyme CSO Dave Kent says.
2. New skill sets are needed. While CCTV was largely a monitoring game, the whole point of digital video surveillance is to reduce the need for eyeballs plastered to screens. It's a rules-based game. What triggers an alarm? A moving object? What kind? How is it moving? And when does it trigger? Only after hours or all day? It will require intense review and possibly modification of business processes. "What we're looking for is actionable intelligence," says Sandra Jones, a security industry consultant for Sandra Jones and Co. "That means we have to filter, filter, filter." IT expertise will also be required.
3. Information overload is a real threat. Sheila Bramlitt, director of corporate security at First Horizon National, says she could put surveillance everywhere, but that's just asking for trouble. A company would drown in visual data and false alarms. "That's where we go to risk analysis," she says. "We use our own case intelligence, public crime stats, lots of sources. We form this picture of where we need it most and start there. It's easy to use video surveillance. Using it efficiently is the challenge."
4. Buying now means not buying something better three months from now. Like a consumer buying a PC knowing faster, cheaper ones will be out tomorrow, CSOs have to make a leap of faith to get into digital video surveillance. This is a fact: The technology will continue to improve and come down in price. So when do you make that leap?
What are the best practices for handling and storing CCTV tapes?
According to consultant John Kingsley-Hefty: "The key is building a tape swap and storage schedule that rerecords the tapes equitably. Tapes will wear, over time, to the point of failure. Color-coding by day and/or shifts, and numbering by week works well. The key is designing your system around your required video storage retention schedule. To ensure that tapes are rerecorded according to the proper sequence and schedule, shuttling tapes per day or week to a separate secure area—or in some cases, offsite—works well."
What about using fake cameras, deactivated cameras, or hidden cameras?
All of these strategies may have a place in your overall surveillance plan. Fake or deactivated cameras are an attempt get the deterrence value of surveillance without incurring the expense of video storage and maintenance. Hidden cameras, obviously, aim not to stop illicit behavior but to catch it on tape.
However, all of these strategies create risks of different sorts. Douglas Durden, manager of safety, security and asset retention at Mallory Alexander International Logistics, thinks fake cameras can impart a false sense of security. "Let's say someone is standing in front of what appears to be a camera. If a guy pulls a gun and takes a person's wallet, you should be able to pull it up on tape [but you can't]. Then you have to tell the person it was a fake camera," he says. Lawsuit, anyone?
Walter Palmer, founder and principal of PCGsolutions, a retail loss-prevention consultancy, also advises caution. "One of the things you have to be careful of is, do you have an obligation to provide certain levels of security? If you don't have cameras and something occurs or you have dummy cameras, could you be liable for negligent security?" he asks. The short answer is yes.
All things considered, attorney Jennifer Shaw of Jackson Lewis thinks there are limited circumstances in which fake cameras are appropriate, but generally they do more harm than good.
Here's an illustration of similar risks created through covert surveillance. In November 2004, nurses at Good Samaritan Hospital in Los Angeles were in a break room when, according to accounts, they spied a thin beam of light coming from a clock. They were shocked to discover a hidden camera with a tiny lens behind the number nine. The nurses immediately spread the word to their colleagues; eventually they discovered a total of 16 hidden cameras in the clocks of break rooms, a pharmacy and a fitness center, among other locations.
In addition to the fact that the nurses hadn't been informed about the cameras, they were also upset because some of them changed their clothes in the break rooms. They felt that their right to privacy had been violated. In a press release, a California Nurses Association spokesperson said, "This is a pervasive problem throughout the hospital that is a disgraceful violation of the legal privacy rights of the RNs and reflects a deplorable attitude of the hospital administration towards its caregivers."
Hospital officials defended their actions—they claimed the cameras were installed for security reasons, that it was standard practice in hospitals, that they had planned on informing the nurses and that the cameras hadn't been turned on. They also noted (see the first tip) that the nurses' employee handbook, which all must sign, states that surveillance might be used.
Ultimately, the messy situation might have been avoided if hospital execs had informed the nurses of their plans beforehand, explained that the cameras were for their safety and made them overt instead of covert. By neglecting to inform the nurses until the cameras had been discovered, the hospital aroused suspicion and ill will. The bottom line on hidden cameras is that there may be a place for them, but CSOs need to weigh the risks and use such strategies with due caution.
How do I determine the return on investment for surveillance equipment and efforts?
It is not possible to create a generic return case for video surveillance because, while its applications overlap, they are also varied. At the Pathmark Stores grocery chain, Pedro Ramos, director of loss prevention, looks at inventory shrink and insurance fraud (customers taking pratfalls), among other issues. Sheila Bramlitt, director of corporate security at First Horizon National, must focus on cash theft and safety (armed robberies). At Genzyme, a manufacturing and R&D venture, CSO Dave Kent monitors assembly lines and corporate espionage.
Having said that, here are five ROI rules of thumb that apply to these sources and others.. Some of these rules pertain to all surveillance, while others are specifically about the differences between CCTV systems and IP-based digital ones.
*The more things a video surveillance system does, the higher the ROI. What software applications, or even business activities, exist to extend the usefulness of the surveillance infrastructure? Training? Marketing? Find those that are realistic and attach a value to them.
*Digital video surveillance scales well. The larger your planned installation, the more remote sites you plan to monitor from a central control room, the more efficiency you can create and the faster your return will come.
*Cost calculations favor digital video over closed systems. "The economics of storage favor standard IT infrastructure," over closed systems such as DVRs, says Bob Degen, senior vice president of corporate security of First Data. "The equipment functions better with less repair. It's easier to expand on. We're in the process of building a command center. We'll put all alarms, images, sound and voice over the Web to that centralized site. That will create huge advantages."
*Integration with other systems will cost more up front but will also facilitate positive ROI. Linking video surveillance to access and safety, especially, could possibly allow you to lower insurance premiums, but also to facilitate response times to crises large and small.
*Cross-threading applications and systems allows you to share the cost burden with other departments. "We partner with safety and business continuity of course, but also, say, our real estate group," says Bramlitt. "If we can partner with them when they're building a new site, we can share the costs and benefits." It makes upgrades an easier sell, she says.
Here are two examples of companies doing detailed ROI analysis regarding system upgrades.
Pathmark's Ramos hesitates to endorse the IP-based digital video hype. His system is, in fact, a hybrid (similar to those of Bramlitt and Genzyme's Kent). Pathmark combines digital and analog, and even uses some tape storage. It's on the cusp of a phase 3 system, but not quite there. Why? "The cost to convert over fully isn't quite where we need it" [as of early 2005], Ramos says. He's not just guessing either. Ramos demanded and is getting an average of about 13.5 percent ROI from his video surveillance upgrade. And, under the right conditions, some of his stores will recoup costs in less than two years, some stores in less than one. "We need a six-month time frame for video storage, and I can't cost-justify a fully digital system with that requirement yet," Ramos says. (Ramos declined to share specific surveillance investment figures.)
Give me some examples of non-security applications for video surveillance.
The new era of video surveillance is comparatively airy and bright, where cameras give CSOs better pictures faster, in any light or weather; where the Internet allows us to log on from home and check in on any of our sites; where sleek technology focuses on business growth; and where it focuses on, say, four business problems at once. Video surveillance suddenly has street cred in marketing, HR, travel services, even customer relations.
Thus, when Dreams bed stores in Britain recently put its system in place, its primary function wasn't even security; it was marketing. The company is measuring foot traffic around the store. The secondary function was security. And the tertiary function was human resources, using the video for training. "That made it a pretty easy sell actually," says Darryl Marshall, an integrator who oversaw the project (which, by the way, he says was led by Dreams' IT project managers).
As digital video quality improves, training rapidly gains purchase as a prime application. Ramos uses his new system to train cashiers and other store-level associates. Captured images of employees doing something well are posted as a method of positive reinforcement, and captured images of common mistakes get tacked up too, as an awareness tool.
In retail industries, especially, marketing wants in on video surveillance. Consultant Jones is working with retailers to map store traffic to improve the flow of customers and increase safety. Others are using the visual data to watch inventory levels.
Companies are cutting travel expenses by using the infrastructure for meetings. Or using it for OSHA-like inspections of restaurants, allowing more inspections with less travel dollars spent. Genzyme's Kent uses video for quality control by monitoring production trains.
A public utility uses cameras to validate trespassing incidents. Police issue tickets and revenue increases. At the same time, costs incurred by the court system fall, because perpetrators don't challenge the visual evidence.
A hump yard, where train cars come off boats and trucks and are assembled into trains, repurposes its video surveillance. Now managers not only watch fence lines for trespassers and would-be thieves, but they manage the logistics of assembling the trains correctly and getting them, literally, on the right track—a job that used to involve several men in towers talking to each other and people on the ground as they looked out over their vast yards with binoculars.
A major transit authority watches its stations, measures footfall and traffic patterns, reconfigures stations to reduce congestion, adjusts train schedules based on the visual data, locates common loitering spots and makes them less loiterer-friendly. All of the following increase: safety, ridership and revenue.
If we go with digital systems, the CIO is going to have to be involved because of the network demands.
New video surveillance technology makes it imperative that the security team and the information systems group work closely with each other. Here are two reasons why: One, many of the new generation of video surveillance vendors are going to them, not you, to sell this stuff. "CSOs are not always driving this purchase," says David Levine, a surveillance systems integrator. Vendors target IT because there's more familiarity with technology, and probably more receptiveness to upgrading it too.
Two, trying to make video surveillance part of the IT network will obviously require heavy participation from IT. Says Levine, "If you try to deploy digital video surveillance without the full support of IT, you're done." Pathmark's Ramos underscores that: "Get IT involved; get them to help you build an ROI model; get them to help develop the best system for your needs."
It's not surprising then that Ramos and every other CSO we spoke with who had dabbled in upgrading their video surveillance claimed to have an excellent relationship with his or her CIO. At Dallas Fort-Worth Airport, Bowens managed the video surveillance upgrade from the IT department. "When I'm asked how I ended up in security," he says, "I say it invaded my world." In the case of the New York State Unified Court System, the team in charge of the surveillance project was the CIO's, not the security officers from the Department of Public Safety (although the two groups did work closely throughout).
But the CIO smartly deferred to the security team on issues he didn't know about. First, he says, the security team determined the most vulnerable locations, determined camera positions, types of cameras—stationary versus pan-tilt-zoom, indoor versus outdoor—and then did a cost impact.
What we have here with digital video surveillance is security convergence—one of the first major security purchases that not only could benefit from but absolutely requires the cooperation of the CIO and CSO.
CSOs can't do this without IT's technological expertise. Bramlitt at First Horizon was ready to cede control of managing the IT requirements—network bandwidth demands, server capacity, storage configurations, data security—to her CIO and CISO.
"We come to mutual agreements on what's adequate," she says. "There's no in-fighting. I understand their business needs; they understand my security obligations."
They're just two different means of watching people. And it's silly to spend a lot of time and energy doing one well while doing the other in a haphazard manner.
The Massachusetts Department of Revenue has been practicing data surveillance longer than most. More than a decade ago, top managers at the state agency realized that some employees would be unable to resist the lure of the department's treasure trove of personal taxpayer information. "Sports figures seem to be the biggest draw. It's like a disease. People just can't seem to resist" peeking at athletes' private financial information, says John Moynihan, a 22-year veteran of the department who is now deputy commissioner and internal control officer.
Other people's tax data may be a draw for the curious, but resist they must, as it is against department policy for anyone, including employees, to access taxpayer data without a legitimate business reason. And it's illegal under Massachusetts law for anyone to disclose such data. So in 1992 the agency built a homegrown system that would alert the information security department every time an employee accessed a high-profile resident's income tax file. The system worked well, catching a handful of illegal browsers (some of whom immediately lost their jobs) each year, including a case where an employee accessed the income tax records of one of her husband's coworkers. Seems the husband had been passed over for a promotion (which went to the coworker), and snooping through that person's financial data made the couple feel better.
Eventually, Moynihan—and his boss, the commissioner—realized the DoR had to monitor every access of every taxpayer's personal information on the database. Integrity of the process was not only an ethical matter—a public-sector breach could lead to major political ramifications. "If at any time a confidentiality problem hit the papers and taxpayers felt the system was not protecting their information, it could impact voluntary [income tax] compliance. The consequences could be immeasurable," he says.
In 1997, the Department of Revenue spent $300,000 (out of an overall IT budget of $25 million) to custom develop its Transaction Tracking system based on a Unisys mainframe. The system captures every access of taxpayer data in Massachusetts and creates audit trails for future reference. Once auditors monitoring the database identify a potential violation of the data access policy, such as an anomaly in the audit trail, they give the employee a chance to explain. If there is no reasonable explanation for the data access, the case is referred to internal investigators for further analysis and an interview with the employee. Disciplinary actions that could follow include firing an employee for a first offense.
Today, Moynihan consults with other states and gives presentations to both public- and private-sector audiences on how to take a commonsense approach to data surveillance and privacy policies. He advises clients to create a strong data access policy, train employees on that policy and then enforce violations. Sounds simple enough, but there are many traps for the unwary.
Technology and tools now exist to scan and store just about anything—employee access to databases, as well as e-mails, instant messaging transcripts, Web surfing habits, keywords entered and even each individual keystroke in files. In addition, it's long been established that employees have no expectation of privacy in their use of company systems. But how do you do this well and cost-effectively? It takes an assessment of your organization—the purpose of your business, the kind of data you have, the nature of employees' work, and the culture that allows them to be successful—balanced with the need to secure the integrity of your key information assets.
Remember the insider threat
Information security has for the most part focused on the perimeter of the network. But experts and CISOs agree that the biggest threat to data security comes from insiders who have free and easy access to the data, not outsiders who manage through extraordinary means to penetrate a firewall and various authentication measures.
"I worry most about the insider threat. An unhappy employee is far and away the most difficult to track down and potentially the most dangerous," says David Mortman, CISO for Siebel Systems, a customer relationship management software maker in San Mateo, Calif.
To combat the internal menace, you've got two choices: Lock down data access (not possible or desirable for most companies) or keep watch over what employees are doing with your critical corporate data. If the most valuable intellectual property (IP) your company possesses is about to walk out the door (on a laptop, USB drive, MP3 player or CD, or sent to an FTP site), wouldn't you want to know about it? There might be a perfectly innocent reason the employee did what he did.
Many companies also need to monitor the way employees interact with data to ensure adherence to policies for compliance with Sarbanes-Oxley and other regulations. "We monitor key corporate financial systems to ensure there is no inappropriate activity," says Anne Rogers, director of information safeguards for Waste Management, a $12.5 billion publicly held trash services provider. The company also uses Web filtering software to block access to sites that contain inappropriate material.
Rogers says her job is not made easier by the fact that most of the company's 56,000 employees (such as the garbage collectors) do not use computers. She says that "while only about one-third of our employees work on the computer systems," a number of factors—network and application configurations, the number of company locations, variations in user roles and compliance requirements among them—drive the information access and protection workload.
Know which electronic resources are most valuable.
You could make a reasonable case (as the vendors do, every day) that data monitoring is a cost-justified, loss-avoidance tool that every company should employ. Surely all public companies that are subject to Sarbanes-Oxley and similar regulations should use some form of data monitoring to ensure compliance as well as safeguard data. But every company is unique in terms of the kind of data it keeps, the value of different data and its intellectual property. Figure out what you can't afford to lose, and apply the most rigorous monitoring there.
Joe Rizzo, acting CISO at multiplayer online game developer Perpetual Entertainment, acknowledges that it is a continuing struggle for organizations to find the right balance between knowing what's happening with data and maintaining employee morale. "It's touchy because our employees don't want to feel like they're being watched," he says.
Rizzo has arrived at what appears to be a reasonable compromise: Perpetual uses Tablus's Content Monitor Alarm to monitor access of its game source code, especially since it often works with third-party developers. The system makes a digital footprint of the source code. "It's our livelihood. We have to control and monitor that data. If we see our IP leaving, we will take action," he says. But he does not block any websites or curtail the use of IM.
Education is still key
Some CISOs elect not to alert employees that they are being monitored, preferring to watch the activity in its raw state. Others give explicit warnings about the monitoring and consequences of improper behavior.
Moynihan of the Massachusetts Department of Revenue says it is essential to let them know in advance. If there is no legitimate business justification for accessing the taxpayer's file, the employee (any employee) could be dismissed the first time (view copy of the department's seven-page confidentiality memo). He also believes the up-front warning has a deterrent effect.
Moynihan's agency helps workers avoid inadvertent improper behavior. He has set up a training program to educate employees on everything from what constitutes legitimate file access to what employees should do if they access the wrong file by mistake. The agency has gone so far as to show a training video that new hires see during orientation and everyone else can see via the agency's intranet. Every single employee, from the lowest to the highest, must sign the confidentiality memo once a year.
Don't forget contract workers.
Companies with poor deprovisioning processes often leave contractor access open longer than necessary. Make sure your contractors know the rules, and then pull the plug on them as soon as their work is done.
This document was compiled from articles published in CSO magazine. Contributing writers include Scott Berinato, Todd Datz, Daintry Duffy, Lauren Gibbons Paul and Sarah D. Scale
http://www.csoonline.com/article/221735/Video_Surveillance_and_Data_Monitoring_The_Basics?page=1 |