Telecommuting | Incidents related to “mouse moving” software at Hydro

Hydro-Québec has identified a number of incidents related to the installation of mouse movement software by employees working from home, La Presse has learned. The state-owned company says it takes this situation “very seriously” and may take disciplinary action.

Posted at 5:00 am

Maxim Bergeron

La Presse

These programs have seen an explosion in popularity since the start of the COVID-19 pandemic. They allow employees working from home to simulate their presence in front of their computers while pursuing other activities, thereby evading potential surveillance from their bosses.

In an email to staff obtained by La Presse, Hydro points out that downloading such programs “violates two cybersecurity rules.” The state-owned company prohibits its employees from installing unauthorized software to limit the risk of virus intrusion or cyberattacks, a policy adopted by many companies.

In addition, the use of presence simulators, such as a mouse movement tool, without the obligation to act professionally at all times and to work towards the expected work performance.

Hydro-Québec’s IT Services division

Philippe Archambault, head of media and government affairs, confirms the use of this software by certain Hydro-Québec employees, but adds that “no cybersecurity issue or malicious code” has been identified.

The state-owned company, half of whose 22,000 employees still work from home, is still investigating the matter. “If this is done in bad faith there will be disciplinary action,” Mr. Archambault said.

$10 for a mouse “jiggler”

On the Internet there are many tools aimed at simulating one's presence at the keyboard. They fall into two categories: downloadable software, like the one identified by Hydro, and physical devices that let you move the mouse manually.

These two methods have been used for several years by video game enthusiasts or computer enthusiasts who want to keep their screen on while downloading large files, for example. But the COVID-19 pandemic has created a gargantuan new market: remote workers trying to trick their employers.

In a video posted on YouTube in September 2020, a young computer scientist explains his programming method, which “lazy” employees can use to simulate their presence in front of their screen. The sole purpose of the exercise: to thwart “boring” employers who want “you to be on the computer all day,” he says bluntly.

A quick web search turned up several free or very affordable programs. There are also nearly 200 different devices on Amazon, gadgets often sold for less than $10. Several boast of being “undetectable.”

Some internet users have also found homemade, and sometimes wacky, ways to simulate movement. For example, by tying the mouse to a string… attached to a ceiling fan!

Very real risks

Beyond the ethical issues related to time theft, the use of simulation software poses very real cybersecurity risks for companies, several experts argue.

It's very, very common for malware, or ransomware, to be encrypted in seemingly legitimate software.

Brett Callow, cyberthreat analyst at antivirus firm Emsisoft

Downloading any unauthorized software can create various security breaches, such as the infiltration of a virus or the illegal extraction of data, says Guillaume Caron, president of VARS, the cybersecurity division of Raymond Chabot Grant Thornton.

“There are administrator rights that must be given to certain people in the company, who can install software,” he says. “The employee shouldn't even have the technical ability to install software on their workstation.”

It is entirely normal, even essential, for companies of all sizes to continuously monitor their computer networks, adds Mr. Caron. This monitoring is even more important since Quebec adopted the Act to modernize legislative provisions as regards the protection of personal information in 2021, he adds.

This law will require state-owned corporations and private companies to make even greater efforts to protect their customers' personal information within their computer networks, under threat of stiff fines.

Approved software

At Hydro-Québec, the spokesperson points out that one mouse movement program is already pre-approved by the group's cybersecurity services. It prevents the screen from going to sleep in certain very specific situations, for example during training sessions.

Hydro-Québec's cybersecurity experts have, however, detected “the use of software that is not in [its] catalogue of approved software” on a “limited” number of devices, he adds.

Our employees are not monitored, but our computer network is. For example, we are always on the lookout for phishing attempts.

Philippe Archambault

According to a spokesman for the Department of Cybersecurity and Digital, no other incident related to this software has been reported to the Quebec government. “Furthermore, in the context of hybrid working, the performance evaluation of employees is not based solely on their presence behind the screen. Managers need to follow up on their employees regularly to ensure they are delivering what they expect according to the agreed deadlines.”

Surveillance, “taboo subject”

Sometimes there is a fine line between monitoring employees’ computer activities and open espionage, says Philippe Chevalier, president and co-founder of the private investigation agency SARX, which specializes in cybercrime. He explains that he has been hired by various companies to investigate cases of alleged time theft since the pandemic began.

“Spying is a criminal activity: the employee has a reasonable right to occasionally check his or her personal email and personal social media and is entitled to reasonable breaks. When the employee is informed that a performance assessment device (a more neutral term than spyware) is on the work laptop that he uses at home, then there is no abuse. It’s all in the word ‘reasonable.’”

Several software programs enable employers to remotely monitor the performance of their employees, points out Mr. Chevalier.
