I’m a small company looking for a keylogger for employees at work.
I would just block sites but I’ve had an instance recently where an employee has made “inappropriate comments” via e-mail to a client who fortunately was very understanding when we took appropriate action and decided not to pursue it any further.
Before anybody jumps on the ethical / moral high ground, their employment contract already states that any form of internet usage / digital communication will be monitored … BUT … I’d also go a step further and prior to installing it on their systems would ask them to sign a separate form of consent acknowledging that monitoring software was being installed.
My aim is to use it as an absolute deterrent rather than anything else and it means I don’t have to waste time monitoring what they may be doing.
I thought I’d test it at home to see which was the easiest to install and set up using a PC and a laptop and have looked at
Refog … https://www.refog.com/free-keylogger.html
All In One Keylogger … https://www.relytec.com/
Best Free keylogger https://bestxsoftware.com/
And whilst they offer a free trial I’d go for the paid version longer term if I’m happy it does what I need.
All of them so far, either Chrome blocks it as Malware or if you download it which seems easier to do via other browsers, when you get to the install stage antivirus blocks it.
I appreciate you can switch off antivirus for this step and then white list the app on the client machines but made me seriously think about whether the software is actually safe on any machine?
Whilst I appreciate most can be set not to record passwords etc., but even if I can set what reports it forwards to me, there’s no guarantee that the software company isn’t having all the content sent to them including passwords, which did raise a concern … or am I being paranoid and they’d cease to exist / lose their living so wouldn’t risk it.
Interested in anybody’s input and or other suggestions for alternatives.
Well.
Yes.
No.
I'd suggest that your immediate issue is gross misconduct by a single individual and the software you require here in the first instance is either a written warning or a P45.
Beyond that, you can monitor email (it's complicated but totally possible) but, do you really want to?
A keylogger though, really? You're going to go through every keypress that every employee pressed ever? Are you that badly stuck for something to do? What do you intend to achieve here?
This is a really bad idea which won't address your issue, potentially opens up a raft of company-ending / jail time legal complications, and if I worked for you and you told me you were installing a keylogger on my work laptop then I'd be resigning with immediate effect. Not least because you thought so little about your employees.
Don't do it. Trust your staff or sack them.
I would not work for you.
A sort of click bait opener there, so let me dig in. I empathise that you’ve just been burned with a bad experience. A keylogger is very much not the solution going forward. You need to generate a culture of trust with your employees that works both ways. Bad eggs need to go. Nice Humans need to stay. Keylogger does not keep nice humans.
What you’re doing there is showing you don’t trust your staff because of one person. Manage that one person.
Also,
There's a reason that every browser plus your AV plus the OS is screaming at you to stop it.
Stop it.
If you install keyloggers then you have every user's password for every service. This being the case could you make any accusations stick? I think doing this would put you in a position that I certainly would not want to be in.
If you install keyloggers then you have every user's password for every service. This being the case could you make any accusations stick?
This is the bit I'm most concerned about and my main reluctance for doing it.
I do get the "develop your employees" so they're trustworthy comments ... I think I maybe took that too far and hence why it's been abused.
I still think as long as everybody that works there is absolutely 100% informed it's happening it's a massive deterrent and I won't have to check any logs at all ... the pricing of the software would be minimal compared to increased productivity.
I think with some of the software options you can also set times so that things like social media can only be accessed at certain times, i.e. allowed over lunchtime etc. I have absolutely no problem with staff using their computers for personal things in their own time.
It's not a massive deterrent unless you want to reduce your risk to zero by dint of "having no staff." And jesus christ, what sort of environment are you running which requires a "massive deterrent" in the first place?
But consider this. As soon as you go down this road, you lose accountability. Someone is accused of something. "Well, it wasn't me, there's this keylogging shit on my computer, anyone could've done it!" If I were the guilty employee in your original scenario and in the middle of your proposed solution deployment I would absolutely turn it around and go "wasn't me, could've been you, could have been anyone." Who knows who has access to that data.
You've put a keylogger on my computer. You potentially know my password. You potentially know all my passwords. I didn't do this, you did, prove otherwise or STFU.
100% informed it’s happening it’s a massive deterrent and I won’t have to check any logs at all
This being the case and you aren't expecting a mass walkout, you could just tell them that there's monitoring software in place. It'd have the same net result and would be free.
… the pricing of the software would be minimal compared to increased productivity.
How exactly are you equating a single idiot sending an inappropriate email, with the deployment of a keylogger, with "increased productivity"? You're either out of your depth or you're being economical with the truth as to what you're trying to achieve here.
Why on earth would you think this was a good idea? Not sure why you think this would lead to increased productivity? Maybe for the person who runs your exit interviews?
I'm not really clear on what issue you are trying to fix here.
Are you trying to prevent this single employee from sending inappropriate emails to clients? Because a keylogger won't do that - it will just let you read the email after it's been sent (which you can do anyway), and the offence has been caused. If you want to review this person's emails to the client before they are sent, then just tell them that all emails to the client have to come through you first.
If you are trying to deter people from writing inappropriate emails to clients - then the best way to handle that is mandatory training, and disciplinary action if it happens afterwards. As has been said above, depending on just how inappropriate the offending email was.... might even be gross misconduct anyway, so you can just move ahead with a disciplinary.
Also we have a little program that scans emails before we send them to external addresses. It flags if any recipients might have been included by accident (ie: from a different client completely), and scans the email body and attachments for trigger words. In our case, it's mostly used to stop people from accidentally sending stuff intended for client A to client B by mistake..... but I'm sure you can use it as some sort of offensive language scan too. It's called SafeSend.
Safe Send is pretty good. Not too expensive either, and would generally not be seen negatively by your employees. Unlike the keylogger thing.
There's monitoring, and then there's recording every keypress.
One's ok, the other, not so much.
I would suggest that installing a keylogger is carte blanche for your malicious employee to deliberately do all sorts of nasty stuff (close some important client accounts, say, as a polite starter for ten) and then have the very bestymost of plausible deniabilities.
increased productivity
Hahahaha. No. It'll just mean employees spend more time on their phones. Unless you're planning on installing CCTV over every workstation.
You are currently sounding like a bloody awful boss.
SafeSend or the equivalent is a good solution. I work for a bank so all external emails are scanned for things like card numbers. Anything that's flagged needs to be manually reviewed - generally it can be released if the employee's line manager approved. It even picks up "clever" solutions such as changing the font colour to white in an Excel file of card numbers (not me, I've still got a job!).
It wouldn't pick up inappropriate comments in an email - correct solution for that is as
written warning or a P45
There's no point in having a password policy at your company if a keylogger is forwarding them to you by email etc.
If your company handles credit card info or similar then your bank will have a coronary.
I've previously worked on a contract that had deployed keystroke loggers for a specific use case (that I can't disclose but wasn't just to catch a rogue employee sending dodgy emails), I wasn't involved in the project myself so not sure of the specifics but it was a product from https://www.veriato.com/ no idea of the cost but I imagine it was pretty expensive.
For the reasons given by the OP I'd agree with other responses that keystroke logging isn't the answer. Depending on what the email contained was the person fired or given a final written warning? Keystroke logging is only likely to help with a post-event investigation, if you've got dodgy employees that are jeopardising the business you need to train them, ensure policies are in place that make it clear what's not acceptable and if they still don't abide by policies then get rid of them
[...] written warning or a P45
You are currently sounding like a bloody awful boss.
I would not work for you.
Stop it.
Sound like a good way of getting yourself in to a serious mess, you want to install something that removes most of your system security? What could possibly go wrong?!
Train your staff to adopt safe working practices.
Now I'm no IT expert but keyloggers on web-enabled PCs could be sending data anywhere even if it's paid for.
I'm surprised GDPR is not a concern if you have customers.
I know of one use case for a key logger - logging actions of privileged accounts e.g. SUPER.SUPER or root
It's there to provide forensic data after an insider attack. The logged data is not available to anyone unless there's been an attack and is then only provided to the investigators with full chain of custody as it's likely to be used for any prosecution.
Wow.
How to build develop and maintain trust....
I'd suggest looking at your hiring process if you have a full team of people you don't trust....
I think with some of the software options you can also set times so that things like social media can only be accessed at certain times, i.e. allowed over lunchtime etc. I have absolutely no problem with staff using their computers for personal things in their own time.
My previous workplace used Cisco Umbrella to stop access to social media and the like. The thing is they inadvertently blocked a lot of business-specific websites as well so it lasted about 5 minutes until they eventually managed to get it set up properly. Even then our IT company would still get bombarded with requests for sites to be whitelisted, which stupidly our MD had decided only he could sign off on, so it would take weeks for a request to be actioned.
But basically as everyone else says above, it's a matter of trust. If they had put a keylogger in place as well as the above I would have been out the door.
You came on to a forum where most of the users are probably reading while at work to suggest a keylogger in the work place? I can see how that didn't end well.
You are the CEO of Ikea France and I claim my £100
We deployed this many years ago for some users
https://www.softactivity.com/get/activity-monitor
Funnily enough I can't even view the site as Webroot has detected it as keylogging/monitoring. It required basically a full time employee to monitor the employees. It helped in a few instances with employees that turned out to be difficult and troublesome but the admin time required with it along with deciding to actually trust the employees more in the first place meant we ditched it. We instead put more attention into performance monitoring of their work output for them to see as well as the management which improved things a lot.
increased productivity
Switching windows between each keystroke and typing some garbage to defeat the keylogger would really not help my productivity.
I know of one use case for a key logger – logging actions of privileged accounts e.g. SUPER.SUPER or root
Yep, used in Telco networks where you could shut down a whole country's mobile cellular network with the wrong command etc. All accounts log everything as when it goes wrong you really want to know who and why so you can learn from the mistake and stop it happening again.
We had to fire an employee who deployed a key logger on another employee's PC at work (they were in a very toxic relationship and he was paranoid about her emailing old flames etc). Had the Police involved as well. In the end he found a new job, new wife and is much better off all round now. Did feel quite sorry for the guy at the time.
is this a rare instance where singletrackworld agrees?
I assume you already have access to these users emails (if not, getting that sorted is reasonable) - in which case, what more will keylogging give you?
If your company handles credit card info or similar then your bank will have a coronary.
If your company handles credit card info or similar then you're going to jail.
And if that information leaks for whatever reason, you're going to get ICO shitting on you for the GDPR fine. What is that, 10% annual turnover? I'm not sure that I would want the job of securing that part of the infrastructure or making it compliant with ISO27k1.
Seriously though, please don't. There are better ways to accomplish this goal, pretty much all of which people have already brought up.
Before I retired I worked at a security software (antivirus, firewall etc) company and one of our products did web control (so you could block gambling sites, smut, etc) and another data control (which to an extent helped stop people emailing lists of customer credit cards out of the company etc etc).
Sounds like that's what you want.
And a code of conduct that says stuff like, work email is for work, we can look at it any time. Set up a non-work wifi access point for people to connect their phones to.
Then it's down to the managers to "have a quiet word" if Chris from accounts is spending too much time on FB or worse...
OP, if you have not already got one, I would strongly urge you to consider implementing an Acceptable Use Policy for access to your network and devices. Frameworks for this exist on the Internet and they provide you with basis by which you define what is, and is not, acceptable to do on or with a corporate device, or during company time. Employees should sign this before they have access to equipment and the network, proving that they have read and understood what is expected of them when using company resources.
On blocking, most decent corporate firewalls (Palo Alto, Cisco, osv) have the ability to classify traffic and [alert or block] depending on the traffic and the desired outcome. I have, in the past, steered away from doing this for types of websites that require a moral judgement (illegal is different). I'm not the moral police, I care about the security of organisations and how user activity can affect that security. An AUP can help define what the company feels will bring it into disrepute, but I've always had a legal department to help me make the correct call.
You can go further down the rabbit hole here, setting up separate networks for Work, BYOD and private devices, with Conditional Access policies for managed or unmanaged devices, but this boils down to people either not understanding the limits or taking the piss. If your staff have a clear understanding of "acceptable" and your definition of this is reasonable, then there should be no serious issues. That kind of configuration will come at a cost and will normally require full time maintenance.
Typewriters, replace all PC’s with typewriters.
Seriously though you sound like a joy to work for. Maybe go for administering beatings, a ducking stool?
Then it’s down to the managers to “have a quiet word” if Chris from accounts is spending too much time on FB or worse…
We've had a few employees hand back their laptops and then IT has found all sorts of weird stuff. Our head of customer services in RSA turned out to be on a load of far right mailing lists and one of the sales guys in Kenya had filled his HD with porn.
You'd think they'd at least delete some of it before handing their laptops back..
You are the CEO of Ikea France and I claim my £100
This didn't get the credit it deserved...
OP, sorry mate, you're doing it wrong.
Web filtering is a good idea, if nothing else it provides some security from malware etc.
With our clients, we will typically install some kind of web filter; this is primarily for security, but will block the obvious stuff. If they want to block social media or specific time-stealing websites we can do that. Frankly most don't care as long as their guys aren't watching grot or gambling all day (massive problem in recent years).
There are tools you can use to monitor employee e-mails for phrases and words and whilst it can't stop people sending inappropriate comments, in the same way you can't stop people using them on the phone, it will likely flag them so you can tackle it as an HR issue. I can't comment on their usefulness; most of our clients will handle issues in the same way you have, they will respond to complaints as and when they happen. Again, you have to be careful the employees don't use their work e-mail for personal stuff.
Keyloggers, as you've already discovered, are shady AF from a cyber security point of view, because well, they obviously capture passwords, the exact thing that cyber security tools are there to prevent; ffs don't disable it to make them work.
Ultimately, you have to trust your staff, there are many ways they can **** your day up, and you can't mitigate for all of it, better to have a good relationship.
+1 on this being the wrong solution to the problem from another computer-type person here.
Apart from what's been covered above (even if the passwords aren't being sent off to some nebulous third party server, everything your employees type - all the company's information and personal information being handled - looks like it would be). It's easy to bypass for the original problem - all an employee has to do is highlight the phrases they want to use either on a web page or in a new document in notepad built up one keypress at a time.
You want a log of emails sent - so get that in place.
Likewise, web filtering / logging is generally commonly available in small business grade network equipment. At least then you know whether an employee's actually looking at social media, or typing "our opening hours can be found on our Facebook page" or whatever.
Willard is wise. Listen to Willard. Stop hobbling your security and step away from the malware.
Speaking of which,
I have, in the past, steered away from doing this for types of websites that require a moral judgement (illegal is different). I’m not the moral police, I care about the security of organisations and how user activity can affect that security.
As a cloud / managed service provider, this is a huge quandary for us right now. From a security standpoint we're trying to wrangle what we should do for paying customers - ie, are they paying us for it, we're not a charity - against what we should do to protect ourselves, with a side order of well, is this even our call to be making? Customer networks are isolated and self-contained so it's probably not our place to be the Content Police.
One of the hot topics at the moment is, we're seeing a lot of TOR traffic. This raises a vast amount of questions: why, what are they doing, what are they hiding, but the question it raises with me is, "should we care?" We have a large household-name customer you will Deffo have heard of whose policy is that they're perfectly fine with employees surfing porn on work machines during their lunch break.
We’ve had a few employees hand back their laptops and then IT has found all sorts of weird stuff.
Some people have no brains. A couple of years ago, a friend of mine received back a phone and laptop from a leaving employee. Before he had chance to reset it all the phone buzzed up a text, "hey love, we've got some new girls in that you might want to try"... (I'm paraphrasing from memory, but I have a screenshot he sent me.)
One of the hot topics at the moment is, we’re seeing a lot of TOR traffic. This raises a vast amount of questions: why, what are they doing, what are they hiding, but the question it raises with me is, “should we care?” We have a large household-name customer you will Deffo have heard of whose policy is that they’re perfectly fine with employees surfing porn on work machines during their lunch break.
And this is where, to some extent, I am glad I am on the tail end of the chain. With me it’s AUP and education, with the network providers, it’s service agreements. It’s even worse if you’re global and stuff is legal one place, but not in another.
For me, TOR is usually an indicator that less than legal stuff is going on, but that’s from a hunting PoV. Get your legal team on it and see if there is weasel wording in the contract that can stop it or, if not, see if the terms of use protect you.
We’ve had a few employees hand back their laptops and then IT has found all sorts of weird stuff.
I had one very miffed user once who discovered some files were missing from his hard drive when I handed it back after repairs. I pointed out company policy was quite clear about local file storage, particularly videos and definitely porn.
One of the hot topics at the moment is, we’re seeing a lot of TOR traffic.
We were asked to stop torrenting films at work (it was a super fast connection). A colleague was daft enough to leave a film seeding for ages and the company got a DMCA letter from the copyright holder. He was head of SW test as well, partly explains why SW test was so bad, IT illiterate and spent all their time watching films....
As per Cletus, A keylogger will get you in a whole world of hurt, when/if there is an investigation of who did what on a system. The person(s) under investigation could turn around and say oh there's a keylogger so our individual login to system xyz, anyone with access to the keylogger knows our individual usernames and passwords for it, so you can't prove it was us that did whatever.
Depending on the email system you might be able to do DLP (Data Loss Prevention)
Use a proxy to apply any filtering regards web usage, there's plenty out there that are cloud based and easy to deploy. For the email you will already have the tools, to have a email retention policy in place, along with the ability to recover deleted emails, for the who said what discussions.
Enforce role-based access to any systems, with individual logins and passwords. Disable local admin on any machines to stop people installing, for example, chat progs etc..
But if you are set on having some sort of logging, then do what contact centres do for 'agent training purposes' screen recording. There's no logging of password issues, but you'll record the iffy content.
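As an added illustration (not code from any poster in this thread, and not SafeSend or any other product mentioned above), here is a small outbound-mail DLP check of the kind the SafeSend post and the DLP post describe: it holds a message for manual review when it goes to an external domain and carries card-like numbers, a policy trigger phrase, or recipients spanning more than one external client. The internal domain, the trigger phrases and the sample messages are constructed placeholders, and attachment contents are assumed to arrive as already-extracted text (cell values rather than rendered output, which is why a white-font column in a spreadsheet would still be caught).

```python
import re
from dataclasses import dataclass, field

# Assumed internal mail domain (placeholder); anything else is "external".
INTERNAL_DOMAIN = "example.com"

# Constructed trigger phrases standing in for an HR/legal policy wordlist.
TRIGGER_PHRASES = ("internal only", "do not forward")

# 13-19 digit runs, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    # Attachment text as extracted by an upstream step (assumed, not shown):
    # raw cell/paragraph values, so formatting tricks do not hide content.
    attachment_text: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers (length + Luhn)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def external_domains(recipients: list) -> list:
    """Distinct recipient domains other than the internal one."""
    doms = {r.rsplit("@", 1)[-1].lower() for r in recipients}
    return sorted(d for d in doms if d != INTERNAL_DOMAIN)


def scan_outbound(mail: OutboundMail) -> dict:
    """Return {'verdict': 'release'|'hold', 'findings': [...]} for one message."""
    findings = []
    ext = external_domains(mail.recipients)
    if not ext:  # purely internal mail is not the concern of this check
        return {"verdict": "release", "findings": findings}
    if len(ext) > 1:  # the "client A's data sent to client B" case
        findings.append(f"recipients span several external domains: {ext}")
    parts = [("subject", mail.subject), ("body", mail.body)]
    parts += [(f"attachment[{i}]", t) for i, t in enumerate(mail.attachment_text)]
    for where, text in parts:
        for card in find_card_numbers(text):
            findings.append(f"{where}: card-like number ending {card[-4:]}")
        lowered = text.lower()
        for phrase in TRIGGER_PHRASES:
            if phrase in lowered:
                findings.append(f"{where}: trigger phrase '{phrase}'")
    return {"verdict": "hold" if findings else "release", "findings": findings}


# Constructed sample messages (no real people, addresses or card numbers;
# 4111 1111 1111 1111 is a well-known Luhn-valid test number).
CLEAN_MAIL = OutboundMail("alice@example.com", ["buyer@client-a.test"],
                          "Quote", "Please find the quote attached.")
LEAKY_MAIL = OutboundMail("bob@example.com",
                          ["buyer@client-a.test", "buyer@client-b.test"],
                          "Card list", "As discussed.",
                          attachment_text=["4111 1111 1111 1111\n4111-1111-1111-1112"])
INTERNAL_MAIL = OutboundMail("bob@example.com", ["cfo@example.com"],
                             "Card list", "4111 1111 1111 1111")
PHRASE_MAIL = OutboundMail("carol@example.com", ["buyer@client-a.test"],
                           "FYI", "INTERNAL ONLY - draft pricing model")

if __name__ == "__main__":
    for name, mail in [("clean", CLEAN_MAIL), ("leaky", LEAKY_MAIL),
                       ("internal", INTERNAL_MAIL), ("phrase", PHRASE_MAIL)]:
        print(name, scan_outbound(mail))
```

The Luhn test keeps ordinary 16-digit order or reference numbers from being flagged, and the second number in the leaky attachment fails it deliberately so only the genuine card-like value is reported. Note this check does nothing about the original poster's problem of rude wording in an e-mail, which matches the point made above that a content scanner is a data-protection control, not a substitute for a written warning.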
I've only just looked at this thread. I don't think the OP's probably innocent (in both senses of the word) question justifies the hostility aimed towards him.
Probably shock rather than hostility. It's pretty damn creepy.
As others have said, in terms of data security and privacy it is a really really bad idea.
Basically if you have any systems with password privileges and audit trails you introduce enough grey area and deniability to make the security pointless.
Stupid idea overall
He was head of SW test as well, partly explains why SW test was so bad, IT illiterate and spent all their time watching films….
Ironing 😂
(I'll give you a starter for ten, Tor is nothing to do with torrenting)
TBH if someone had Tor on a work computer it needn't be anything more sinister than them just wanting to keep personal stuff personal. More so if working internationally. We can't even look up sites about it according to the Web policy as administered by Bluecoat, Norton or whoever it is this year.
We have a large household-name customer you will Deffo have heard of whose policy is that they’re perfectly fine with employees surfing porn on work machines during their lunch break.
Any jobs going there? asking for a friend?.....
I still think as long as everybody that works there is absolutely 100% informed it’s happening it’s a massive deterrent and I won’t have to check any logs at all … the pricing of the software would be minimal compared to increased productivity.
Unhappy staff aren’t very productive, you really need to think about this. Deal with the culprit not everyone.
I still think as long as everybody that works there is absolutely 100% informed it’s happening it’s a massive deterrent
It'll be a massive deterrent to working for you
We can’t even look up sites about it according to the Web policy as administered by Bluecoat, Norton or whoever it is this year.
Could be worse, I can't even access GitHub on my work PC without getting a security exception signed off by my manager and a VP (someone years ago in another country accidentally leaked source code for some of our IP onto it and then it just got blanket banned - only now even MS & VMware store stuff I need to access there).