Employee Monitoring: They're Watching You…
September 02, 2008
More companies are monitoring their employees' computer usage. But these surveillance techniques, including software that can record everything from screen captures to keystrokes, are only as powerful as the quality—and transparency—of the policies and training that support them.
By Sarah Boehle
Ever harbored a sneaking suspicion that you're being watched? If you work in the U.S. and have a company computer with a network connection, chances are your spider-sense is alerting you to a real phenomenon.
According to The 2007 Electronic Monitoring & Surveillance Survey, an annual study co-sponsored by the American Management Association in New York, NY, and The ePolicy Institute in Columbus, OH, workplace monitoring is on the rise. Fully 65 percent of companies say they use software to block connections to inappropriate Websites. Forty-five percent track content, keystrokes, and time spent at the keyboard. And 43 percent store and review computer files and monitor e-mail.
While such spying may seem like an unnecessary intrusion to employees, it's not difficult to understand why so many companies feel compelled to do it. Few organizations monitor workers out of a desire to snoop, says Keith Crosby, director of market development at Proofpoint Inc., a data loss and e-mail security software provider based in Sunnyvale, CA. They do so, he says, for valid business reasons. "We see time and time again that employee computer activity poses real legal, financial, and regulatory risks to businesses."
Crosby points, for example, to the results of Proofpoint's fifth annual study of outbound e-mail and content security issues, which was conducted in conjunction with Forrester Consulting. They reveal that in the 12 months preceding the study, 44 percent of large U.S. enterprises investigated an e-mail-based leak of confidential information; 26 percent terminated an employee for violating e-mail policies; 23 percent said their business was impacted by the exposure of sensitive or embarrassing information; and 34 percent reported that employee e-mail was subpoenaed.
Going All the Way
Thanks to advances in monitoring technology—most notably the advent of customizable dashboards that allow companies to create and view "at-a-glance" monitoring statistics from across the enterprise—tracking employee computer activity is now easier and less time-intensive than ever.
But something's still missing. According to both software vendors and policy experts, too few companies do an effective job of supporting their software with transparent policies and comprehensive employee communication and training. "Most companies tend to put software and a policy in place and think they are protected," says Kevin Milewski, a product marketing manager at SpectorSoft Corporation, a monitoring software vendor based in Vero Beach, FL, "but when they don't provide adequate training to educate the workforce and to help enforce their policy, they really aren't."
Milewski classifies companies that employ monitoring technology into three categories: "The first type is the 'do nothing.' These companies usually don't act unless there is an incident. The second type, which comprises the vast majority of companies, is the 'one-warning wonder.' These companies use monitoring software and create an acceptable use policy, but don't really detail what is and isn't acceptable. They make employees sign the policy, but typically, that's the last anyone hears about monitoring."
The final and most effective type, says Milewski, is the enforcer. "These companies create a solid acceptable use policy, ensure their employees sign it, periodically update the policy and remind employees they are being monitored on a regular basis. Most important, they provide everyone with comprehensive training to ensure employees fully understand what is and is not acceptable." Unfortunately, best-practice companies such as these, says Milewski, "are the rare exceptions."
The ePolicy Institute's executive director, Nancy Flynn, who is the author of several books on the subject of electronic monitoring in the workplace, including "The E-Policy Handbook: Designing and Implementing Effective E-Mail, Internet, and Software Policies" (AMACOM, 2001 and 2008), can't agree more. "We have [repeatedly found] that the means by which the majority of employers notify employees that monitoring is taking place is ineffective." She points to research, for example, indicating that a full 70 percent of companies that monitor rely solely on an employee handbook to alert employees to the fact that computer monitoring is taking place. "Only 27 percent of employers address monitoring policies and practices as part of formal, on-site employee training designed to show employees Internet-related risks, rules, and procedures," says Flynn, "which is the recommended way to maximize compliance."
Building Better Rollouts
Organizations need to do a better job of training and communicating these policies to their workforce for several reasons, experts say. First, far too many monitoring policies are laced with legalistic jargon that is difficult for workers to understand. The majority of monitoring policies also are far too generic: They fail to explain the reasons for monitoring and the company's goals, and they lack essential detail, such as when, how, why and by whom monitoring will take place; what will be done with the data; and what the repercussions will be should an employee fail to comply with company policy (see sidebar on p. 27 for tips on designing an effective monitoring policy).
Second, companies that rely solely on a policy document to discourage inappropriate behavior are apt to become caught up in an endless game of "gotcha"—perhaps even disciplining and firing employees who violated the policy unwittingly due to lack of understanding or misinterpretation. "You cannot trust employees on their own to access the company intranet system or retrieve a copy of the employee handbook in order to educate themselves about monitoring or other electronic rules and policies," Flynn says.
Third, companies that draft generic policies that include little more than blanket statements about the organization "reserving the right to monitor" run the risk of damaging morale and perpetuating a culture of fear and paranoia.
Briefing the Troops
To mitigate these and other risks, Flynn says a strong policy and formal employee training that gives workers the opportunity to ask questions and more thoroughly understand the company's electronic rules, policies, and procedures are both critical. "If workers don't know what the right behavior is, they can't help you enforce your policies. If they know what the rules are, it makes it easier for everyone to behave in a compliant fashion and make the right choices."
Approaching a rollout in this way sometimes requires an attitude shift for companies that aren't proud of the fact that they monitor, or that fear an employee backlash, says Milewski. But "by being 100 percent honest and transparent about what you are doing"—even going so far, he recommends, as to show employees detailed examples of what your software is capable of monitoring—"you can do a lot to minimize the impact."
That's what the Florida Commission on Human Relations did when it implemented SpectorSoft monitoring software in 2003. The state agency turned to monitoring at a time when it was under significant budgetary scrutiny, says Communications Director Leah Barber-Heinz, and was concerned that employee abuse of its computers and Internet connections was affecting productivity.
Immediately after implementing the software, MIS Manager Frederick Smith conducted mandatory training for all employees, during which he explained the agency's policy in detail; told workers when, how, and by whom monitoring would take place; and showed them what the technology could do. "Using a laptop and projector connected to the network, we pulled up Spector 360 and went through each module in the system, explaining how it worked," he says.
The agency also explained the goals of monitoring during employee training, and detailed the types of behavior it most wanted employees to avoid. "We told them we were on the lookout for two Es," says Smith, which included excessive personal use (e.g., surfing the Web for non-business-related reasons on agency time) and explicit use (such as accessing pornographic Websites or sending inappropriate e-mails). Finally, Smith and his team made the case for why monitoring was necessary, explaining that as a state agency, the organization is required to justify every taxpayer dollar it spends.
This last step is essential for organizations that want their employees to buy in to monitoring, notes Proofpoint's Crosby. "The No. 1 mistake we see companies make is not being clear about what their goals are. You have to explain the reasons for your policies and be able to express to employees why a technology-based monitoring approach is best. Whether you are trying to protect customer information, comply with regulatory requirements, or are concerned about productivity," he says, "you should always tell them why."
For the Florida Commission on Human Relations, this approach went a long way toward helping the agency to achieve its goals. While the SpectorSoft technology initially confirmed the agency's fears that far too many employees were wasting hours each day surfing the Internet and chatting online, Smith says productivity increased markedly after training took place. "The training allowed us to clear up misperceptions, address people's concerns, and make employees more conscious of their activity." The result? Employees now spend "more time working than playing," according to Smith, and "compliance has become easier for everyone."
Sidebar: Quick Tips: Designing an Effective Monitoring Policy
Sidebar: Quick Tips: Designing Effective Monitoring Training