Have you thought about monitoring your employees' computer and Internet usage? You should. Is this monitoring fair? I think so.
Over the past few years, the employee monitoring waters have grown very murky. There are court cases that argue both sides of the story. Some see employee monitoring as a general best practice; others see it as an invasion of employee privacy and a highly charged issue of which they want to steer clear. Regardless of anyone's stance, the studies are out there that show that companies are losing major bucks, time and resources on non-business-based computer usage.
Before the Internet era, monitoring computer usage was hardly an issue. Now, employees have such easy access to things like e-mail, instant messaging and Internet shopping that everything has changed. Management must understand that the idea of monitoring is new to most people and that their employees won't assume it is policy unless they are told so. I'm amazed that some managers are surprised when employees express their displeasure about lack of privacy in the workplace. Those are usually the same managers who didn't set employee expectations in the first place. The least management can do is to let their employees know what their acceptable usage policies are.
Don't worry. I'm not letting employees off the hook so easily. For a long time, it has been a policy at most companies that equipment such as the fax machine and copiers are not there for personal use. There should be some level of assumption on the employees' part that the same is true for company owned computers as well. They should expect that their privacy is not guaranteed when they utilize company equipment, and they most certainly shouldn't be offended when they know they are subject to being monitored. Employees are not hired to tend to personal Internet and e-mail matters -- they are hired to perform certain tasks in exchange for compensation. Can they truly blame management for having a vested interest in what they do on company time and with company equipment?
As a manager, there are human resources, legal and IT issues related to employee monitoring that you must consider. Some of these include: employee productivity; protecting employees against offensive content; protecting the business (and shareholders) from sexual harassment, defamation and illegal activity lawsuits; employee morale; policy enforcement; and network bandwidth consumption. An effective employee-monitoring system is one that employees understand and buy in to, runs quietly in the background without getting in the way of employee productivity, can be easily referred to when needed and does not place any unnecessary time or resource burdens on the IT department.
If you are a manager responsible for monitoring employees, you should remember to document what type of monitoring is being done, make your employees aware of it, and use technology to help enforce it. Unless you want to count on your gut feeling that something is wrong, you'll have to rely on certain technologies like content filtering and other monitoring applications to enforce your acceptable usage policies. All that being said, employee monitoring is not an IT issue, so don't let technology get in the way. Technology only comes into play when it's time to enforce the policies that have already been established.
Like other areas where zero tolerance is instituted, it won't work with employee monitoring, either. You have to ask yourself, if Stan in accounting or Bob in the mailroom check their e-mail or surf the Web during their lunch break or other down time -- is that really going to affect your bottom line? An employee-monitoring program has got to be realistic. It shouldn't be about power or curiosity but rather about productivity and protecting the business' best interests.
When employee monitoring comes into play, there is always employee morale to consider. I believe that you can strike a balance between employee monitoring and employee job satisfaction. Having trouble getting buy-in from your current employees? Lead by example to help influence your organization's culture. Of course, some people aren't going to be happy -- change breeds contempt. It's much easier to integrate employee monitoring as early on as possible in the life of your company because it's only human for employees to resist giving up their "privacy" once they've had it for a while. Establish trust, and let your employees do their jobs with the knowledge that if they do something that you define as unacceptable, there will be consequences. If your acceptable usage policies state "this is the way we do it here at XYZ Company," then your employees can go into this with their eyes wide open. If you're up front about it and make it clear what is being monitored and what your business reasons are for doing it, your employees will buy into it. Do they have a choice?
If acceptable usage policies and employee awareness programs are implemented properly by management, employees will know what to expect. I believe that anyone who holds privacy dear to their heart should consider separating business from pleasure. I'm a strong believer and supporter of personal freedoms, but I also think that employers should have the right to decide how their own property is used. Until the courts sort all of this out, it is up to each company to decide where to draw the line. Where does your company stand?
About the author
Kevin Beaver has authored many articles and taught numerous workshops on information security and HIPAA compliance. He is the founder of Principle Logic, LLC, an information security consulting firm based in Atlanta, GA. Kevin can be reached at kbeaver@principlelogic.com, or you can submit your questions to him via SearchSecurity's Ask the Expert feature.
