7 questions to ask about employee monitoring programs

In the new world of work, how do you balance security with privacy?

As the workforce becomes more mobile and bring-your-own-device (BYOD) programs grow, the threat of data security breaches increases — almost exponentially. One way to tighten your security infrastructure is to monitor what employees are doing with their laptops and smartphones. However, there are significant downsides to a poorly implemented employee monitoring program.

Let’s look at how you weigh the advantages and drawbacks of employee monitoring programs and policies, including how to get started.

What are your initial goals with employee monitoring?

Are you looking to stop insider threats? Prevent fraudulent activities or eliminate inadvertent data leaks? Is top management breathing down your neck, wanting to “do something” based on some well-publicized breach? Or are you in an industry where the loss of sensitive data can compromise your organization and become a major financial or legal liability? Know what you want before you start on any employee monitoring program.

What kind of staffing representation should you have?

Consider selecting employees from a variety of departments, not just the IT staff. A cross-section of employees from across the enterprise can help people feel like they have a voice in the process. Get representation from HR, admin and the individual lines of business.

Have you beefed up your insider threat security tools?

Threats aren’t always external. Care must be taken to strengthen your insider security posture.

Should you be proactive before a breach occurs?

Not all monitoring programs are alike. Some go further than others. There are many technologies that record internet surfing habits, social network usage — even when employees are actively working and when they aren’t. However, utilizing these technologies can create an adversarial relationship between workers and management. If you choose this option, you’ll have to decide what to monitor and what kinds of datastreams to retain, such as web and file access and email traffic. You’ll also need to understand the difference between active and passive monitoring tools and how they differ: The former provides immediate information that can be acted on, while the latter collects information for later review.

Do you currently have an acceptable use policy?

Or, do you have one that’s collecting dust? A quality acceptable use policy is useful for several reasons. First, it makes it clear which kinds of online behavior are tolerated and which are not. It also discloses to your employees that you have the right to monitor employee communications, which is required by many states, such as Connecticut, Delaware, Colorado and Tennessee. Check your local state statutes to determine if this is required. Finally, an acceptable use policy creates the basis of a relationship with your employees, where both sides understand and acknowledge the rules that everybody is playing under.

If you don’t have a policy, now is the time to get one. If you’re not sure where to start, we’re here to help.

What about the privacy expectations of workers?

Striking the right balance of safety and privacy with your employee monitoring program will likely be the biggest point of contention: You don’t want to give the impression that your employees are working for a police state. A good example of this balance would be to ignore or delete records with data from employees’ online banking activities or other such personal information accessed from work computers. And to be upfront about that policy with your employees from the get-go.

What happens when you find a violator?

How you handle escalation and the consequences of any violations of your policy will likely be your greatest challenge in developing an employee monitoring program. Who is responsible for dealing with alerts and reviewing reports from your monitoring tools? What happens next? How do you determine if an actual breach has occurred? Who can initiate an investigation into a potential rogue employee? Who oversees this investigation — and what happens once the investigation has been concluded? These policies need to be set early and applied consistently — no special treatment for high-ranking employees.

Employee monitoring presents a number of challenges for the enterprise, but the internal data security threats it’s designed to catch are among the most difficult to prepare for. Before you get started, have a set goal, develop a clear acceptable usage policy that governs any monitoring program, and make sure that all aspects of the business are represented in administering the program. It can be a delicate balancing act, but it’s a tightrope that almost every company in today’s business landscape is being forced to walk.