We did extensive field testing of a USB monitoring process during an announced layoff period - and it was for naught.
Unless USB usage was forbidden, then there is no way to differentiate between naughty versus nice USB copying. Copying a whole bunch of files? Sure, perhaps it's for business continuity. Copying one file? Sure, could be for malicious intent to steal but falls way beneath our threshold.
Even with active desktop monitoring (e.g. spector cne), it requires a team of individuals to step through the screenshots, attributing context to the employee's actions.
In the end Legal said, we trusted them before we announced them layoffs, we have to trust them afterwards.
↧