May 9, 2008
Vol.30 Issue 19
Page(s) 27 in print issue
Playing IT Big Brother
When Is Employee Monitoring Warranted?
Instant messaging, YouTube videos, personal email accounts, and social networking sites represent an ever-burgeoning number of attention-grabbers that can prevent users from getting their work done. On a business level, time-wasting Internet use represents lost productivity and, ultimately, money lost.
Of more concern is the possibility that a user will use enterprise property to download viruses, transmit sensitive company information, or break the law. A recent worst-case scenario involved Societe Generale, one of the largest banks in Europe, and its now-famous French rogue trader who, left virtually unchecked, allegedly lost the bank $7.1 billion.
What is an admin to do? The immediate reaction for many admins might be to invest in increasingly smarter employee monitoring technologies that facilitate tight surveillance and control to make sure employees are not using the enterprise's machines and network to do things they shouldn't. But how far should monitoring of small to midsized enterprises go? When does it cross the line between employee and company rights?
There are no black-and-white answers to these questions. The solution you adopt should take into account your enterprise's particular needs, user education, and ultimately a common-sense approach when it comes to employee monitoring.
Enterprises Jump On The Bandwagon
Whether it is in response to employees using online outlets such as instant messaging and consumer Web sites or just a more paranoid business climate, the use of employee monitoring is rapidly increasing. The technologies are also increasingly cheaper to implement.
"Surveillance is now routine business practice among American employers both large and small as the cost and ease of introducing [surveillance products] have dropped," says Jeremy Gruber, legal director for The National Workrights Institute.
Adam Schran, chief executive and founder of Ascentive (www.ascentive.com), which offers Internet monitoring software, says employee monitoring as well as blocking and filtering product sales have become a $300 million-a-year market. "There are more distractions out there," he says. "A few years ago, [potential customers] said it was like Big Brother. Now they are saying, 'Here is my credit card number.'"
Enterprises in the United States today also have much leeway when it comes to monitoring what their employees do at the workplace. There are few mandates or court decisions that prohibit enterprises from tracking employees' activities.
"Employees have few if any rights when it comes to electronic surveillance in the workplace," Gruber says. "Only two states, Connecticut and Delaware, even require that employers give notice of monitoring, let alone actually regulate the monitoring itself."
But just because tight surveillance is not illegal does not necessarily make it ethical—or something that IT will necessarily want to put into place, Gruber says. "While there are some legitimate threats that form the basis for surveillance, they are often exaggerated, and rarely is the surveillance tailored to meet the specific objective or balanced with employee privacy concerns," he notes. "Employees are working longer hours than they ever have before. It should be acceptable to allow for reasonable personal and private use of computers and other forms of electronic communication, but only a minority of employers allows for reasonable-use policies, and even then the surveillance continues uninterrupted."
On a practical level, the advantages of catching people who are not doing their work or are doing what they shouldn't might not outweigh the disadvantages of employees who resent being watched.
"You can lock down their systems and monitor them to the point that they cannot do anything except use company software," says Ira Herman, co-CEO of Logic IT Consulting (www.logicitc.com). "But a lot of times, employees will ask, 'Why are you being mean and locking us down?'"
In situations where professionals are paid for results, some employees think that it is none of management's business if they take a break and use their work Internet connection for personal reasons, provided they get their work done. For users of this mindset, heavy-handed surveillance is especially prone to backfire for employees who work in creative fields, Schran says. "If you work for a company that is too strict and you are a creative type, why would you want to stick around?" he asks.
One solution is to allow for employees to have a certain amount of privacy time when their Internet and computer use remain private.
"Some software can turn on private time features and turn off the monitoring so the employee can go on YouTube and email their kids and spouses," Schran says. "You can use it for an hour or 90 minutes a day. But it is the folks that are spending four to six hours a day on YouTube who are going to get caught anyway."
The degree to which employees' computer and Internet use needs to be monitored varies from enterprise to enterprise. Strict surveillance of financial services industry personnel is often legally required, for example. But an administrator of a 700-user network for an airline components firm will not have the same concerns.
Indeed, network activity and PC usage need to be monitored to a certain extent for any enterprise. If employees are spending an inordinate amount of time watching streaming video content, for example, the network's bandwidth can suffer. In this case, using monitoring technology to determine whose personal use of the network is causing problems is warranted.
"The cost implications are things that come into my mind as what you have to watch for," notes Andras Cser, an analyst for Forrester Research. "You look at where your bandwidth goes to. If you start seeing activities that really are out of the normal and ordinary, then you start interfering."
One approach for SMEs might be to adopt a policy prohibiting downloads or installation of any kind of third-party software and access to certain kinds of Web sites. The guidelines might also allow for reasonable personal use of the network and computer equipment, such as for communicating with spouses or even taking a break from work to read an online newspaper. But employees should also be aware that usage might be watched to prevent problems from arising, such as when the monitoring system alerts you that someone is slowing down the network by regularly downloading large video files.
"There are two extremes when it comes to employee monitoring, and the answer is somewhere in between," Cser says.
Ultimately, your monitoring policy will have to take into account the specific needs of your enterprise and should evolve as the network's infrastructure, users, and applications change over time. The right approach is less about gaining control than it is about striking a balance between your users' privacy concerns and how to prevent employees from disrupting the network. Cser says, "As far as I am concerned, this is more about common sense and saving costs."
by Bruce Gain
Monitoring Tips
It is relatively easy to monitor and track practically everything users do on their machines and the network, but creating a working policy that addresses both employees' privacy concerns and the security needs of the enterprise requires some finesse. Following certain guidelines can help achieve the right balance between locking down users' PCs and giving them free rein to do whatever they want. Here are some things to keep in mind:
It is crucial to educate users about what activity is prohibited and that any electronic communication they make with the enterprise's equipment is subject to monitoring.
The degree to which your enterprise's employees need to be actively monitored varies depending on each user's position and business activity.
Your legal department will likely tell you that most electronic surveillance is allowed, but that does not necessarily mean any and all means of monitoring are ethical (or good for employee morale).