Security

Why you should use monitoring technology and how to implement it

In the digital age, companies face considerable risk of harm. This is why some employee monitoring is necessary.

Employers and employees have a mutual interest in the success of their business. Salary cuts, layoffs, and bankruptcies hit everyone involved hard. So you would expect employees to sit up and take notice when they learn that one third of all U.S. corporate bankruptcies are directly caused by employee theft, while in 2008, the cost of employee fraud rose to nearly $1 trillion.

Yet, for many reasons, employees are often surprised to learn that their employer is monitoring the use of computers and networks in an attempt to prevent abuse or, at the very least, to mitigate its effects. This is why it's important to clearly communicate to employees the whys and hows of deploying monitoring technology.

Expectations of privacy

Privacy issues arise for a variety of reasons. The Internet has, arguably, been the dominant force in the erosion of a boundary between work and personal life. Many people are never out of reach of cell phone calls, text messages, or e-mails and are on call for work at all hours, wherever they are.

The other side of the coin is that people are able to use those same tools to conduct aspects of their personal lives from work and feel justified in doing so. Some employees may fear (or are even told) that use of their employer's computers for personal business may be held against them. But in fact, it's arguably often in the employer's own interests to allow an employee to take care of such business — in appropriate measure — online, rather than taking the time away from the office to run errands in person.

Another issue is concern on the part of employees that they may be accused of goofing off. In truth, there are few employers who would begrudge a conscientious employee a few minutes to take a breath during the course of the day. And if the employee's preferred way of doing that is to indulge in some harmless online pursuit for a few minutes (Farmville, anyone?), then few would consider it an inappropriate use of time. Unless an employee is guilty of some very serious goofing off, it's rarely worth the effort on the part of the employer to detect and prevent every instance of such behavior.

Finally, even in the course of legitimate business communication, an employee may include comments that she does not want anyone to see, apart from the original recipient. These may be essential commentary such as "Paul really botched this — can you please redo it?" or some less essential editorializing, perhaps about some task the employee's manager has assigned, such as "Sorry to waste your time with this, but my boss seems to think we have nothing better to do this week." Many employees have a natural anxiety that comments like this will surface to haunt them if a monitoring system is deployed, especially if they feel there's any possibility of it being applied retrospectively to unguarded comments made in the past.

Some of the expectations around privacy stem from what we call privacy nostalgia — the notion that a former sense of privacy has been lost. But, in reality, before the advent of the personal computer and the cell phone, there were few illusions about privacy in the office. Employees knew that coworkers could overhear their conversations, office mail circulated in envelopes secured with no more than a loosely tied piece of string, and carbon paper retained physical imprints of written communications.

Today most white-collar employees spend the bulk of their time at their desks, communicating via e-mail, text, instant messaging, and an assortment of social media tools. And, perhaps because of the resultant physical isolation, they often have an expectation that what they do out of the sight or earshot of others should be accorded total privacy. One big difference is that anything committed to the electronic record can live to haunt the creator — and her employer — for years to come.

Company liability for employee actions

Companies have a duty to ensure that employees are not creating liability. There are some big examples of employee-created liability (see below) as well as smaller, less widely heralded, versions of the same story that are acted out every day.

Examples of major liability:
  • Nick Leeson, Chief Trader with Barings Bank in Singapore, practiced fraudulent activities that resulted, in 1995, in a $1.4-billion loss and the failure of the 233-year-old bank.
  • In 2009, Bear Stearns hedge fund managers Ralph Cioffi and Matthew Tannin were acquitted of charges that they lied to investors when they made optimistic noises externally about their funds, while privately exchanging e-mails that spoke of the market as being "ugly" and "toast," for example. The prosecution's case was, of course, based on the trail of electronic footprints left by the pair.
  • Also in 2009, Swiss Bank UBS was required to pledge $35 million when a court found "probable cause" in a fraud case brought against it. In a notably worded statement, the judge ruled that "The court takes UBS employees at their word when they referenced their notes, these purported investment grade securities which they sold, as 'crap' and 'vomit,' for UBS alone possessed the knowledge of what their product was truly worth." Again, those pesky e-mails!

What you don't know can hurt you

Clearly, in the face of such examples and statistics, it's not a responsible approach to run an organization on the basis of blind faith that every single employee can be trusted not to cause this kind of damage. Implicit trust is a recipe for disaster, and it's not surprising that many corporate executives deploy some kind of transaction-monitoring system to mitigate some of the consequences that ill-judged or malicious employee actions can visit upon the welfare of their organization.

Some organizations are extending the scope of their monitoring. According to one survey, for example:

  • 66% of employers monitor employees' Internet usage
  • 43% monitor e-mail
  • 45% track content, keystrokes, and time spent at the keyboard
  • 40% of employers that monitor e-mail do so by assigning an individual to read others' e-mail

Another survey of 800 compliance and ethics professionals found that 24% of respondents' companies had disciplined an employee for activities on a social networking website. At the same time, only 34% of companies had a general policy governing employee activity, and just 10% had a policy that specifically addressed use of social networking sites.

Modern communications leave a broad trail of electronic footprints, and employers are wise to bear in mind the maxim "What you don't know can hurt you." Unless the employer pays particular attention to the issue, it's very easy to overlook the existence — and the implications — of potentially harmful data. But the fact that it's out of sight does not mean it's any less of a ticking time bomb.

The damage that can result when the bomb goes off can be the result of employee misbehavior, such as discrimination or harassment. When an investigation or lawsuit ensues, all that electronic data is fair game for the "other side" to review. Not only is it an expensive and time-consuming process to retrieve and hand over all the relevant data, but also the more there is, the more likely it is to contain something that is, at the very least, embarrassing. In the worst event, it could be damning to your case.

Advanced monitoring and employee privacy

While there are many emotional arguments that make the case against the perceived invasion of privacy entailed in electronic monitoring, the reality is that employers in the U.S. have the legal right to monitor nearly every aspect of employees' workplace communications. If the activity takes place on company equipment on its network, employees lose any entitlement to privacy.

Organizations have a duty to ensure that their systems are not being abused. Since most communications are now digital, so must be the monitoring that is essential to avoid problems that have the potential to cripple the organization. Simply put, different times call for different measures.

Solutions

You should cast the net widely to cover not just core transaction systems, but all the communication channels that are used in your organization. If there is one place that danger is more likely to lurk than anywhere else, it's in the unexamined corners of the system.

The solution you choose should, in essence, be smarter than the people being monitored. For that, it's not enough to have a set of simple "thou shalt not" rules. These just provide a simple obstacle course for the would-be transgressor to navigate. A more viable approach is holistic compliance, which monitors the overall behavior patterns of an organization and the individuals in it, looking for anomalies that might be indicators of trouble.

The holistic approach is more effective than one based on static rules. It can be set up to look for significant anomalies rather than trivial infractions. This ensures that monitoring resources are focused on important issues, rather than wasted on trivia.

It's nevertheless important to acknowledge that monitoring systems can scoop up private information that the employer does not really need to know. This is a risk the employee takes when she entrusts personal information to a system that is owned and run by someone else. But the employer can ensure that any sensitive information — whether it belongs to the employer or to an employee — is appropriately handled. You should closely protect the results of monitoring. Only authorized personnel should have access to it, and the use to which it is put should be monitored at least as carefully as the original data.

Finally, however good the technology, it's never the complete solution. Be sure to create and enforce policies that make it clear to employees what their duties are, what the employer's obligations are, and how they each affect the other. Not the least of these is to be very open about what monitoring is being deployed and why. A little education can go a very long way to overcoming the distrust that arises when employers try a stealth approach to this very sensitive issue.

Elizabeth Charnock is the CEO of Cataphora, a leading provider of software and services for the analysis of organizational behavior in Redwood City, CA.
