Banks like Goldman Sachs are going too far cyber-spying on their employees

In a cutthroat, hyper-regulated workplace where long hours can’t collide with posts on Facebook, Tweets, Google searches, YouTube videos or even mobile phone calls, employee monitoring has become a norm that often borders on intrusion, if not spying.

Global investment banks like Goldman Sachs say regulation is the primary reason they block social media and keep close tabs on all online activity. The Financial Industry Regulatory Authority requires firms to maintain a keep a record of any business communication on any device or website for three years. Monitoring e-mails and instant messages internally is easy, but they can’t possibly track everyone’s activity on site like Twitter or Facebook.

Related Content:

Why big bank and hedge fund bosses dodge the bullet in trading fraud

Reining in top banker pay does nothing to deter fraud down the ranks

The new threat to global banks isn’t new, and it could costs jobs

Last week New Jersey joined a growing list of U.S. states that protects job candidates and current employees by allowing them to keep private their user names and passwords for social media sites. Similar protections exist in Arkansas, California, Illinois, Maryland, New Mexico, Oregon and Washington, and FINRA has asked lawmakers in about 10 states to make changes to proposed legislation.

Securities regulators fear these laws would put investors at risk because dispensing real-time financial advice on social networks could create new channels for Ponzi schemes and other frauds. As if most over-worked banking employees are turning to these sites to offer trading tips and investment advice.

Britain has sought to opt out of a European Union initiative that would allow anyone to delete personal details from online service providers – a power known as the "right to be forgotten." The EU's current data protection laws date from 1995, and MEPs are now debating a major overhaul aimed at the general public.

In November 2011, the U.K.’s Financial Services Authority began recording mobile phone conversations of investment bankers and traders in an effort to clamp down on insider trading. The original call recording legislation was introduced in 2008 and the ruling was the first of its kind globally and has served as model for Dodd-Frank in the U.S.

A new white paper by networking gear maker Ciena debunks some myths about cyber security in financial services.

Is your employer taking protection too far?

• Restricting or banning the use of personal mobile devices protects information resources. Wrong! Not only is this impossible, finds the white paper, it can hamper productivity and hiring prospects. Banks are better off investing in centralized client computing solutions and Mobile Device Management (MDM), along with virtualization, to better manage and control access to the organization’s information resources and secure users, no matter where they are located.
• A more restrictive policy better protects a financial services company’s resources. Not true, says Ciena. Policy is just one part of a comprehensive cyber-protection strategy that should be structured to keep people honest. Financial institutions must focus on keeping dishonest or disreputable people from gaining access to networks and information resources in the first place. This needs to happen before they join a firm.
• Cloud services, especially public cloud services, can’t be trusted. Not necessarily. The ongoing evolution of cloud-based services helps to mitigate risks associated with using outside providers to deliver access to financial industry information resources. Traditional infrastructures are not inherently more secure than more modernized IT operational alternatives. Depending on the age and the level of ongoing maintenance employed, aging network infrastructures can pose unacceptable levels of risk.
• Consolidating access to websites and network resources ensures full protection against security breaches. Not so. Minimizing the “attack surface” may help reduce the number of access points to a financial institution’s networks and information, but that’s not enough to protect the industry against other forms of breaches, such as breaking into physical network media. Full protection requires determining where the damage is likely to occur if a break-in takes place, along with how best to recover from an attack. If an intruder gains access to the network, companies must establish enclaves that limit that intruder’s ability to defeat the entire network. A partial outage in a single functional area is less harmful than losing the operational functionality of the entire network.

Follow the author on Twitter @natashagural