By Mel Duvall
Wal-Mart is used to finding its name on the front page of The New York Times and The Wall Street Journal, but in March of 2007 it found itself making news under very different circumstances.
Wal-Mart officially apologized to the Times and retail reporter Michael Barbaro after a member of its internal security organization was found to have secretly taped conversations between Wal-Mart employees and the Times reporter. Not only did Wal-Mart apologize to the reporter; chief executive H. Lee Scott also phoned the chief executive of The New York Times to personally offer an explanation and convey that the technician involved, who had 19 years with the company, as well as a supervisor, had been fired.
But the matter did not end there. Weeks later, the fired technician, Bruce Gabbard, went public, telling The Wall Street Journal he was part of a larger, sophisticated surveillance operation at Wal-Mart. Gabbard said the retailer employs a variety of means, including software that can monitor every keystroke on the retailer's network, to keep tabs not only on employees but also on its board of directors, stockholders, critics of the company, and in at least one instance, on a consultant, McKinsey & Co.
Wal-Mart later denied some of Gabbard's allegations, in particular the claims that Wal-Mart had spied on its own directors as well as shareholders, but the incident cast a spotlight on the retailer's normally secretive security organization. CIOZone contacted McKinsey & Co. to confirm Gabbard's statement that Wal-Mart spied on its consultants, but spokesman Mark Garrett said that because of the confidential nature of McKinsey's work with clients, the firm declined to comment.
Kenneth Senser, a former top official at the C.I.A., heads the company's global security operations. His lieutenants include a number of former government and defense department security specialists. David Harrison, a former member of U.S. Army Special Operations Command, heads the company's analytic research center, which has a mandate to identify threats from suspect individuals and groups. Joseph Lewis, a 27-year FBI veteran, heads corporate investigations. And Steve Dozier, former director of the Arkansas State Police, is a VP in charge of corporate investigative services.
It is not unusual for Fortune 500 companies to hire law enforcement or intelligence experts for their security departments, but Wal-Mart actively recruits those with military or intelligence backgrounds. Last March it posted ads on its Web site and on sites for security professionals for "global threat analysts" with backgrounds in government or military intelligence.
"Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network, intellectual property and our people," Wal-Mart spokeswoman Sarah Clark said in a statement in April. Following the Gabbard firing, Wal-Mart said it conducted a review of its monitoring activities. "There have been changes in leadership, and we have strengthened our practices and protocols in this area," Clark said.
When contacted by CIOZone, Wal-Mart spokesman John Simley restated that the company monitors threats using a variety of techniques, as would any company its size. "Every company has an obligation to its shareholders and to its employees to ensure that its information isn't compromised," Simley said. Simley would not, however, provide details on the security department reorganization.
To be fair, Wal-Mart is not the only company involved in a spying controversy. Other high-profile corporate spying incidents have drawn public attention to the fact that companies are using an increasing array of methods to snoop on, or "monitor," as the preferred term goes, the everyday activities of employees, suppliers and customers on their networks.
In December a researcher in the anti-spyware unit of Computer Associates revealed that Sears Holdings Corp. had installed spyware in a program offered to customers via its "My SHC Community" shopping network that allowed Sears to track its members' online browsing behavior.
Sears says it does disclose the tracking software in a privacy statement, but Harvard Business School assistant professor Ben Edelman has criticized the retailer, saying the disclosure is difficult to find and consumers rarely read such statements.
Boeing was the subject of a Seattle Post-Intelligencer investigative story in November, which questioned its monitoring activities, including the reading of emails and videotaping of employees. Boeing spokesman Tim Neale said when employees log on to the corporate network they are fully informed that their activities are being monitored. He said only authorized personnel have the capability to monitor corporate systems, and they do so only when they have reason to suspect abuse or misuse. "For example, it is against company policy for an employee to use company systems to run his or her own business," Neale said. "Of course, it is also against company policy to share proprietary information with parties outside the company, unless authorized by management to do so."
And, in probably the most publicized example, Hewlett-Packard found itself in hot water with California regulators in 2006 after it initiated an investigation of its own board of directors to discover the source of leaks to the media. The investigation included monitoring of emails and instant messages, as well as using illegal means to obtain telephone records of employees and journalists. The company was ordered to pay $14.5 million in fines and bring its internal investigations into compliance with California laws.
Most employees have now come to expect that their activities on corporate computers are being monitored to a certain degree.
But in 2008 CIOs will be increasingly drawn into discussions about who should be in charge of monitoring employees, what software tools should be deployed to protect corporate resources, and which electronic activities corporations should or shouldn't watch. "There used to be an argument over whether we should be doing this at all," says Alan Paller, director of research at the SANS Institute, an industry-sponsored research group and computer security training body. "It rarely comes up as an issue any more."
David Zweig, an associate professor of organizational behavior with the Rotman School of Management at the University of Toronto who has written books on the issue of workplace monitoring, says that it is now believed close to 75% of employers have some form of electronic monitoring in the workplace.
Zweig is not against monitoring. He believes in today's environment, where companies face a wide range of internal and external threats, some levels of monitoring are necessary. However, he believes the monitoring should be in relation to the risk, and that companies need to do more to inform employees exactly how they are being monitored and why. "If you give people a rational explanation for monitoring, they will at least see why the company is doing it," he says. "But you should be open and inform them exactly how it's being done and what controls are in place.
"It's easy to monitor—it's much more difficult to develop proper controls and processes," he says.
Ira Winkler, president of Internet Security Advisors Group of Baltimore, Md., and author of books such as "Spies Among Us" and "Zen and the Art of Information Security," doesn't believe in coddling employees with lengthy disclosures and explanations for why monitoring is taking place. "Get over it. Companies need to protect themselves," says Winkler. "The fact is nobody should have any expectations of privacy when they're using the company's computers."
In fact, Winkler advocates that companies apply a blanket approach to security, and to use of the Internet in particular: simply tell employees or suppliers accessing a corporation's network that they are being monitored and that non-approved activities will not be tolerated. End of story.
Is that fair? "I think it's totally fair," he says. "If I want to go shop on eBay or download porn on a company computer, that's my stupidity, not the company's."
For many organizations the line will probably be drawn somewhere between Zweig's and Winkler's viewpoints. But what is clear is that a mounting body of evidence points to the need for network monitoring against a wider definition of internal and external threats.