Skip to main content
All CollectionsTroubleshooting and How-ToHow-To Articles
How to set up Teramind for privacy-friendly monitoring
How to set up Teramind for privacy-friendly monitoring
A
Written by Arick Disilva
Updated over 8 months ago

Introduction

Teramind is a comprehensive employee monitoring software with built-in insider threat detection and data loss prevention features. We are used by organizations to optimize employee productivity, improve engagement and prevent malicious or inadvertent risks.

The software needs to be installed on user computers (or endpoints) where it can collect data on all of the users activity on that computer. This creates the potential for this powerful employee monitoring software to be abused if used improperly or irresponsibly.

To combat this we have designed Teramind with a privacy-first approach. Our goal is to appropriately accommodate a business’s need for supervision and security without compromising employee privacy. With Teramind, you can track only what your organization requires to easily alleviate any privacy or legal concerns.

In this article, we will show you how to configure and use Teramind to track and assess the information you need without casting too broad a net.

Teramind’s Stance on Privacy

Teramind is not a ‘big brother’ solution, nor does it advocate unchecked surveillance, unethical management practices or illegal tracking of personal data. Teramind’s mission is to provide organizations with the monitoring and security tools to improve workforce productivity and protect them from insider threats and data leaks. We provide full transparency and granular configuration controls for all aspects of the software so that businesses can decide how they want to use it.

Create User and Group Profiles

You can create profiles for users, computers, and departments. For example, enable Social Media monitoring for your Marketing department but disable it for other departments. If you are an On-Premise/Private Cloud customer and use Active Directory, you can import your existing users, computers, groups, and attributes. You can then set up special Active Directory Groups and Organizational Units to monitor users, PCs or disable monitoring for certain groups; filter monitoring reports by attributes, etc.

Only Monitor the Channels You Need

mceclip1.png

From the Monitoring Settings, disable monitoring for channels you do not need to monitor. For example, if you are not sure about keystrokes logging regulations in your jurisdiction, you can turn it off completely.

On request, Teramind can also supply you with a custom version of the Monitoring Agent with certain monitoring functionalities disabled at the system level so even an administrator cannot enable them.

Use the Scheduled Monitoring Option

mceclip2.png

Each monitored object in Teramind can be configured to use a schedule for recording purposes. This way you can, for example, record employees only during their work hours and not when they are off-shift. This minimizes the data you capture to satisfy GDPR policies. For example, random/throttled data sampling using the built-in scheduler instead of continuous monitoring. You can also reduce the cost of bandwidth and storage by capturing only the work hours.

Useful Resources:

Configure Monitoring Options for Specific Apps/Websites

mceclip3.png

Monitor Specific Apps/Website

On the Applications: Edit settings window, enter the websites or a list of websites for which you want to record the screen and keystrokes using the MONITOR ONLY THESE WEBSITES field. If you use this field, all other websites will be blacked-out in the screen recordings.

Auto-Suspend Monitoring of Select Apps

On the Applications: Edit settings window, enter the application names in the SUSPEND MONITORING WHEN THESE APPLICATIONS ARE USED field. Teramind will disable all activity tracking and screen recording for these applications:

Auto-Suspend Keystroke Logging of Select Apps

On the Applications: Edit settings window, enter the application names in the SUSPEND KEYSTROKE MONITORING WHEN THESE APPLICATIONS ARE USED field. Teramind will disable only keystroke logging for these applications (all other activity will still be tracked, and screen recordings will still take place).

Auto-Turn Off Screen Recording and Keystrokes Logging of Select Websites

On the Websites: Edit settings window, in the DON’T MONITOR WEB TRAFFIC FOR THESE WEBSITES field, enter the websites for which you want to suspend screen recording and keystrokes logging.

Auto-Turn Off Content Parsing of Select Websites

On the Websites: Edit settings window, in the MONITORING WHEN THESE WEBSITES ARE VISITED field, enter the websites or web pages for which you want to suspend content parsing. Screen recording and keystrokes logging will still be enabled for these sites/pages. You can use this setting, for example, to record the activity when the user is in Gmail, while not capturing the actual email content or any attachments.

Auto-Turn Off Monitoring of Select Websites on Detection of Private Content

On the Websites: Edit settings window, in the SUSPEND MONITORING WHEN WEBSITE CONTAINS CONTENT field, enter the websites or web pages for which you want to suspend activity tracking, screen recording, and keystroke logging based on the detected text(s) on the site's URL or HTML contents. This field can contain keywords or a list of keywords. A common use for this option is to determine intranet or proxy-generated websites.

Auto-Suspend Keystrokes Logging of Select Websites

On the Websites: Edit settings window, in the SUSPEND KEYSTROKE MONITORING WHEN THESE WEBSITES ARE VISITED field, enter the websites or web pages to disable keystroke logging for those site/pages. All other activities will still be tracked, and screen recordings will still take place.

Auto-Suspend Keystroke Logging in Password Fields

On the Websites: Edit settings window, you can turn off the MONITOR KEYSTROKES FOR PASSWORD FIELDS option to suspend capturing of keystrokes in password fields (for example on a login page).

Configure Session Recordings

mceclip4.png

Record Screen Only During Rule Violation Incidents

Teramind allows you to setup session recording limited to a time when a rule violation occurs. By using this method, you can capture any evidence leading up to a malicious activity without collecting unnecessary privacy data. It is also designed to support some key principles of GDPR Article 7: fairness and transparency, purpose limitation, and data minimization.

To use this feature, enable the RECORD ONLY WHEN BEHAVIOR RULE WAS VIOLATED option on the Screen: Edit settings window. Then, use the RECORD VIDEO option on the Actions tab of a rule. Set the ‘MINUTES BEFORE VIOLATION’ and the ‘MINUTES AFTER VIOLATION’ to the required values.

Configure Remote Control options

Disable the ALLOW REMOTE CONTROL option on the Screen: Edit settings window. Or, you can show the user a message using the MESSAGE DURING REMOTE CONTROL option. This way, the user will know their computer is being accessed.

Use the Dynamic Blackout Feature

mceclip5.png

When you use any of the SUSPEND MONITORING… settings under the Websites or Apps monitoring settings, Teramind will automatically blackout the relevant app/website windows in the video recording or during the live view mode of the session player. The blackout feature works on both single monitor and multi-monitor setups.

Disable or Limit Offline Recording

From the Monitoring Settings, you can control the offline recording options. The offline recording buffer specifies how long the Teramind Agent will continue to record and report on user actions while the user is disconnected from the internet or Teramind servers. By default, the buffer is set to 24 hours, but you can increase or decrease the time as needed or simply disable it presuming, you would consider that as a user’s private time (especially for remote employees) and forego the default offline tracking and recording capability. Note that, Teramind Agent encrypts the offline data to prevent from viewing or tampering.

Other Monitoring Settings to Consider

mceclip7.png

Teramind has dedicated monitoring settings for 12+ system objects. While most of the time app, web, and screen recording activities might be the main concerns of privacy advocates, Teramind allows fine-grain controls for these other monitored objects too. How you configure these objects will depend on your organizational needs and then balancing the privacy concerns. For example, you might want to implement a more stringent email monitoring policy vs. audio monitoring might not be as important to you. In any case, it’s best to use the “data minimization” principle:

  • adequate – to properly fulfill your stated purpose;

  • relevant –that purpose which has a rational link; and

  • limited – to what is necessary; you do not hold more than you need for that purpose.

Here are a few examples of how to configure the other monitoring settings for privacy:

  • File Transfers: Track only specific types of files e.g. documents in a corporate network drive and not local files.

  • Network: Track only remote connections or sensitive network zones such as IP ranges in your intranet only.

  • Emails: Track only official emails, e.g. monitor Outlook emails but not others like Gmail. Do not save INCOMING ATTACHMENTS. Do not capture email contents etc.

  • Social Media & IM: Enable social media monitoring for the marketing department but disable it for other departments.

  • Audio: Disable audio recording unless you have strong legitimate reasons. For example, a call center might have a legitimate reason to record audio, but it is almost guaranteed to fail the GDPR litmus test for other businesses.

  • Printed Docs: Track only networked printer, do not capture printed doc or exclude printers you do not need to monitor by using the new EXCLUDED PRINTER NAME (REGEXP) option.

Setup a Data Retention and Deletion Policy

Data Retention

Teramind Cloud stores screen recordings for six months and other data (e.g. activity logs) until the account is canceled. If you want better control over this, use the On-Premise or Private Cloud option. This way you can configure how long the data will be kept including any backups and archived copies.

Auto-Delete Screen Recordings

mceclip1__1_.png

If you are an On-Premise/Private Cloud customer, you can use the DELETE HISTORY AFTER (DAYS) option on the Screen: Edit settings window to specify the days after which the recording will be automatically deleted. Again, this will save storage and reduce the chance of storing residual records for say an ex-employee. However, before setting the auto-delete feature, check with legal. There might be laws about how long you need to store the recording. Especially, if the session recording is considered as video surveillance in your jurisdiction.

Restrict Data Export

mceclip0__1_.png

Teramind allows you to export reports, videos, and other data so that you can manage large teams or use the data in other applications for further analysis. But imagine a manager accidentally sending a session recording to an outsider. To make sure your managers do not export Teramind data outside your company, you can restrict the domain. You can do so from the Settings > Security tab under the ‘Outgoing exported data’ section.

Delete the Monitoring Records of an Employee

Teramind Cloud keeps all the employee meta-data (e.g. activity reports, account info, etc.) until the account is canceled. While there is a ‘delete’ feature on the Employees and Computers menu, this does not actually delete the employee or computer but rather hides them from the monitoring reports and disables monitoring for that user/computer. Any deleted computer/user can be restored.

Teramind On-Premise/Private Cloud customers can delete the actual records from their server if wanted. Cloud customers can contact [email protected] to help remove records for compliance purposes.

Implement Policies and Rules to Prevent Sharing of Personal Data

mceclip2__1_.png

Using the powerful behavioral Policy and Rules Engine, you can create rules to limit exposure of PII (Personally Identifiable Information) and PHI (Protected Health Information) or PFI (Personal Financial Information) like social security numbers, NHS numbers, driver’s license, credit card numbers, etc. on a need-to-know basis. Check out the links under Useful Resources for such sample policies and rules.

Use the Revealed Agent for Explicit Consent

mceclip3__1_.png

If you want to be completely transparent about your employee monitoring policy, the best option is to use Teramind’s Revealed/Visible Agent. It lets the users decide when they are to be monitored and for which projects/tasks. Users are monitored only when they sign into the Agent and click the Start button.

This also has the added advantage of collecting direct consents useful for laws like GDPR.

Show Employees a Privacy Notice

mceclip11.png

If you are using a Hidden Agent and still want to display employees that they are being monitored, you can create a rule to do so. Check out the Useful Resources below to see how to create such a rule.

Full Disclosure - Let Employees View Their Own Data

mceclip4__1_.png

In addition to or as an alternative to using the Revealed Agent, you can also allow your employees to view their own data. There are several options on the User’s Profile > Account Info tab that allows you to do that. For example, you can allow users to log in to their own dashboards, allow self-history (session) playback, allow viewing of their activity reports, etc.

In addition to allowing for a transparent work environment, this will help your organization comply with GDPR’s “Right to be Informed” and “Right of access” (also known as subject access request or ‘SAR’) clauses. In other words, employees will know, at the time of the data collection, what data is collected and have an easy way to receive a copy of their personal data.

Use Access Control Policies to Limit Privacy Data Exposure

Teramind’s identity-based authentication and segregated, role-based access control (RBAC) features let you define what data a user or a group can access, edit or view. This enables you to protect regular employee data from privileged users, such as IT admins, allowing you to enforce data exposure on a need to know basis. There are three ways you can implement RBAC in Teramind:

Define Account Access Levels and Role Permissions

mceclip5__1_.png

Account access levels control what top-level menus and features an admin or privileged user can access. You can change the access level of a user from their profile page (click the EMPLOYEES menu, then click the EDIT PROFILE button). You can then set the ACCESS LEVEL under the ACCOUNT INFO tab. You can choose from Administrator, Operational Administrator, Infrastructure Administrator, and Employee. There is also an additional account type, ‘Department Manager’ that you can configure from the CONFIGURE > Departments menu. Check out the links under Useful Resources below for more information.

Use Authentication and Authorization Services

mceclip6__1_.png

These controls add an additional layer of security to lock down access to the dashboard from those with unauthorized access and to protect employee data in case of stolen credentials. Teramind supports several authentication options: basic user/password authentication, 2 factor authentication (enforceable for both admins and regular employees), SSO (over SAML 2.0), Active Directory LDAP, and IP whitelist. Note that some of these options may not be available to Cloud deployments. You can access these settings from the Settings > Security tab. Check out the links under Useful Resources below for more information.

Use the Built-In Access Control Panel

mceclip7__1_.png

Access control policies allow you to control the permissions settings for non-admin privileged users such as a Department Manager. You can get to the access control screen from the CONFIGURE > Access Control menu. For each policy, you can define the Privileged Users (e.g. Department Managers), Target Users, and the Permissions (View, Edit, Play, Widgets Access, etc.). Check out the links under Useful Resources below for more information. If you are an On-Premise/Private Cloud customer, and already use Active Directory, you can import users, computers, groups, and attributes. You can then, for example, map Active Directory Organizational Units to Teramind Departments.

Apply RBAC to Any User

Role-Based Access Control (RBAC) policy allows you to assign special management permissions in addition to the view/edit permissions to a privileged user. For example, the ability to edit employee profiles, create behavior policies and rules, etc.

With the Role policies, you can create some unique user roles. For example, turn a department manager into a ‘semi-admin’ who can manage employees like an admin but only employees in his/her department (unlike an admin who has access to all employees).

Useful Resources:

Watch the Watchers with Audit Logs

mceclip8.png

You can use the System Log or Audit report to view all administrator activities. These reports will be useful for transparency purposes and can help you gather details in case of compliance audits such as DPA reporting. The System Log/Audit along with other logs available on Teramind will allow you to conform to laws such as GDPR article 30 “Records of processing activities”.

Use Automated Reports with Care

mceclip9.png

Teramind comes with powerful productivity monitoring and analytics reports. However, you should use them for guidance rather than for performance evaluation. For instance, GDPR Article 22 stipulates that employees have the right not to be subject to a decision based solely on automated processing, including profiling.

Consider On-Premise/Private Cloud Deployment

mceclip10.png

While Teramind Cloud deployment offers best in class privacy and security for your organizations and employees, if you want full control of your data, you should opt for on-premise or private cloud deployment. Especially if you are concerned about laws such as cross-border sharing or to avoid taking responsibility for a third-party data breach, avoid signing a BAA (business associate agreement), etc. If this is the case, considering a deployment option like these might be your only choice to ensure not only data privacy but also compliance with regulations.

Use End-to-End Encryption for Additional Security and Privacy

The primary objective of End-to-End Encryption (E2EE) is to enhance the data flow security, by combining envelope encryption with end-to-end encryption for all communications between the Agent and Server(s). If you want the most privacy for your data, you can consider E2EE. When E2EE is enabled, the data will be encrypted at all points from its origin to its consumption or presentation. The data will only be viewable by those with decryption keys and passphrases. In other words, E2EE prevents unintended users, including privileged users, from reading or modifying data.

Currently, E2EE is supported for screen recordings and keystrokes:

Follow the Regulations

There is some concern that employee monitoring and data loss prevention solutions may create conflict with employee and customer privacy rights. The recent surge of privacy regulations across the globe is raising confusion about such solutions for many. Does employee monitoring violate any GDPR statute? Or, does it help protect them? Is my remote employee in Brazil protected under LGPD or GDPL? How should executives and law enforcement officials effectively weigh the demands to control and protect their businesses while protecting the legitimate privacy rights of employees and others whose personal data are being threatened?

Teramind has teamed up with privacy and legal experts and created a white paper that answers questions like these. Also included are: an overview of current developments in workplace monitoring and the key privacy laws; 6 best practices for privacy conformance; detailed legal profiles for 12+ countries in NA, SA, EU, Asia, and more. Check out the links below to download the white paper.

Other Resources

Here are some op-eds, guest articles and Teramind blog posts that cover privacy-related topics:

Did this answer your question?