Employee monitoring solutions give employers the means to restrict internet access, configure USB access control, track employee performance, avoid legal liabilities, mitigate data breaches as part of a data loss prevention (DLP) strategy, and increase the organization’s cybersecurity.
Organizations that wish to use employee monitoring for data loss prevention, insider threat detection, data-informed management, and increased productivity must do so with the well-being of their workforce in mind. If the implementation is too invasive, not appropriately transparent, or misused, employees may feel that their privacy and ability to self-manage are not respected.
This guide will advise organizations on how to create a productive employee monitoring strategy that respects employee privacy and keeps the organization’s data secure.
What is Employee Monitoring?
At its core, employee monitoring is the practice of using supervisory tools and practices to understand how employees are operating within their place of work.
The tools used to track employee behavior and usage of the organization’s resources are leveraged to proactively prevent unacceptable behavior and to provide evidence of misconduct for further action.
Organizations track their employees to measure and improve productivity, protect sensitive data accessed through endpoints such as computers, and improve overall business intelligence through the data collected.
Examples of Tools:
- Security cameras used to record the actions that occur within the workplace.
- Software for reporting and analyzing employee computer applications and internet use.
- Internet filtering solutions that prevent access to websites based on URL or category.
- GPS for tracking the whereabouts of company vehicles or workers in high-risk environments (special forces, first responders, etc.).
The Benefits of Employee Internet Monitoring and Web Filtering
Internet monitoring and web filtering software offer a suite of benefits for employers that would like to make data-driven decisions and regulate the internet usage of their workforce. The key benefits come in the form of increased productivity, identifying inappropriate web browsing habits, and preventing access to websites that may contain malware.
When deciding whether or not employee monitoring software is the best choice for your business, consider the pros and cons of employee monitoring.
1) Increased Employee Productivity
These software tools often include options for tracking time spent on individual tasks, applications and/or websites. The purpose behind using software for tracking productivity is clear – organizations cannot improve what they do not measure.
Make Data-Driven Productivity Management Decisions
One of the key benefits of implementing software-based employee monitoring is that managers can collect the data needed to make informed decisions when managing their employees, giving them another avenue for staying in touch with trends in their workforce during moments where they cannot always be there in person.
Employee internet usage reports can act as an important tool in conjunction with other metrics when addressing employee productivity during coaching or performance reviews. When there is a noticeable decline in an employee’s engagement or productivity, managers can review browsing data to identify trends in how the employee’s internet browsing habits have changed. If there is a noticeable decrease in engagement from the employee, they can have an open discussion regarding workplace satisfaction, productivity blocks, and job expectations.
Identify Bottlenecks and Balance Employee Workloads
If the software allows for reports based on user or device groups, the internet and application usage data captured can be compared to that of other teams/departments to determine if workloads need to be adjusted. If a given department is frequently an outlier for excessive non-work internet usage, it may be an indication that the department is either blocked in their tasks or they are underworked in comparison to other teams/departments.
Recognize Engaged Workers & Address Shirkers
Every team is bound to have their top-performers and those that perform just well enough to be under the radar, or at the very least make it seem like they are performing well enough.
Employees that are genuinely engaged and work effectively are prone to suffer from resentment and burnout should the “shirkers” among them go unaddressed. Shirkers are employees that attempt to avoid engaging in their work by excessively delegating, taking significantly longer than necessary to complete their tasks, and generally attempting to appear fully engaged in an effort to trick their immediate managers.
Employees can readily identify who is engaged and who is shirking, though managers with larger teams may have a more difficult time doing so. Employee monitoring software empowers managers to make informed determinations of who their top performers truly are so they can be properly recognized for their efforts. As for the shirkers, the data collected will shed much-needed light on their practices so that managers can provide the actionable steps needed for those employees to improve their performance.
Identify Unproductive Internet Browsing Habits
According to research by IDC, the average productivity loss of non-work related internet surfing by employees is 40% each year.
Employee web browsing and application usage reports let employees analyze their own browsing habits, giving them the opportunity to self-manage the reallocation of their misspent time. Employee internet usage reports provide valuable data-driven benchmarks to manage employee productivity by measuring project progress and employee output alongside trends in their internet browsing habits.
Employee monitoring software improves productivity by providing a wide array of reports that can be used to indicate productivity levels based on employee internet browsing habits. These productivity-focused features allow supervisors and managers to focus their energy and time on higher-value contributions rather than concerning themselves with directly supervising employee computer application and internet browsing habits.
Many CurrentWare customers have integrated the review of employee monitoring data captured with BrowseReporter into their management routines through either manual review of configured email alerts based on the parameters that matter to them most (excessive non-work browsing, accessing NSFW websites, etc).
When particular websites are identified as being a persistent problem, CurrentWare customers will often combine their internet usage tracking with the web filtering features of BrowseControl to proactively prevent access to unproductive websites that are used excessively.
BrowseControl’s web filter can be configured to prevent access to unproductive websites such as Facebook during work hours and later allow access during the employee’s designated break time.
2) Identify Bandwidth Abuse
As an organization continues to grow, it will place a greater strain on its existing bandwidth, and it will either need to pay for costly upgrades to the current infrastructure or ensure that the current infrastructure is used more efficiently.
When employees use an organization’s network for non-work-related file transfers and video streaming, it can put an unnecessary strain on the existing bandwidth. When an organization’s bandwidth is strained it can cause serious damage to workplace productivity due to drastically slow internet speeds (latency), resulting in disrupted video conferences, difficulty accessing internet-based resources, and even disruptions in your access to cloud-based software.
Bandwidth tracking allows organizations to identify the websites, users, and departments that are causing bandwidth bottlenecks in the network. With the data collected, organizations can determine if their bandwidth issues are caused by a specific user’s excessive video streaming usage or if the organization genuinely needs to consider a bandwidth upgrade to support their needs.
3) Mitigate Unethical or Illegal Internet Activities
Organizations may find themselves in serious legal trouble should their employees abuse their network for nefarious purposes. Even if the organization claims to be unaware of the activities, they are likely to be liable for the impact caused by their employees and the organization may face fines or lawsuits depending on the severity of the offense.
4) Data Loss Prevention: Added Protection from Data Breaches
Employee monitoring solutions offer organizations greater data loss prevention (DLP) solutions thanks to features that alert managers and IT departments to suspicious activities within the network.
The Verizon 2019 Data Breach Investigations Report states that 34% of data breaches in 2018 were caused by insider threats. Endpoint security software can disable USB ports to prevent the transfer of sensitive files to USB drives, internet access control software can prevent access to websites that contain malware, and both solutions can alert administrators when employees engage in suspicious or risky behaviors.
Endpoint security and management tools can be configured to block or allow specific USB devices, alert administrators to suspicious file operations (files copied/created/renamed), and prevent the use of unauthorized peripherals that may make the organization’s network vulnerable.
How Monitoring and Filtering Tools Help With DLP:
- Endpoint Security: With endpoint security tools such as AccessPatrol, USB device use can be blocked altogether or configured to only allow authorized devices. File operations alerts can be configured to alert administrators when files are copied, created, deleted, renamed or saved to external devices.
- Block Personal Cloud Storage Use: Internet filtering software can be used to proactively prevent access to personal cloud storage accounts. Personal cloud storage accounts not only lack the enterprise-grade features that are required to keep data safe, they can also be a vector for data breaches by allowing employees to transfer sensitive files to their cloud storage account.
- Ransomware Protection: Ransomware attacks can be executed by infecting systems through websites that stealthily install the files needed to breach the organization’s systems. Internet filtering software will act as a barrier to prevent employees from inadvertently accessing the websites or files in the first place.
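The USB allow-list and file-operation alerting described above can be sketched as detection logic over endpoint events. This is an added example, not AccessPatrol's or any vendor's code; the event layout, the device serials and the rule names are assumptions constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample events. The column layout is an assumption,
# not the export format of any particular product.
SAMPLE_EVENTS = """\
timestamp,user,event,device_serial,path
2024-03-04T09:12:01,alice,device_connect,SER-AUTH-001,
2024-03-04T09:12:40,alice,file_copy,SER-AUTH-001,E:/reports/q1.xlsx
2024-03-04T10:03:15,bob,device_connect,SER-UNKNOWN-77,
2024-03-04T10:03:58,bob,file_copy,SER-UNKNOWN-77,E:/export/customers.csv
2024-03-04T10:04:02,bob,file_rename,SER-UNKNOWN-77,E:/export/holiday.jpg
2024-03-04T11:30:00,carol,file_delete,,C:/Users/carol/tmp.txt
"""

# Hypothetical allow-list of authorized USB device serials.
ALLOWED_SERIALS = {"SER-AUTH-001"}

# File operations the page lists as alert-worthy on external devices.
FILE_OPS = {"file_copy", "file_create", "file_delete", "file_rename"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    severity: str
    rule: str
    detail: str


def evaluate(events_csv, allowed_serials):
    """Return alerts for unauthorized devices and external file operations."""
    alerts = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        event = row["event"].strip()
        serial = row["device_serial"].strip()
        authorized = serial in allowed_serials

        if event == "device_connect":
            # Allow-listed devices connect silently; anything else is blocked.
            if not authorized:
                alerts.append(Alert(row["timestamp"], row["user"], "high",
                                    "unauthorized_device",
                                    f"block device {serial}"))
        elif event in FILE_OPS and serial:
            # A non-empty serial means the operation touched an external device.
            # Local-disk operations (empty serial) are out of scope here.
            if authorized:
                alerts.append(Alert(row["timestamp"], row["user"], "low",
                                    "external_file_operation",
                                    f"{event} {row['path']}"))
            else:
                alerts.append(Alert(row["timestamp"], row["user"], "high",
                                    "file_operation_on_unauthorized_device",
                                    f"{event} {row['path']} on {serial}"))
    return alerts


def high_alerts_by_user(alerts):
    """Count high-severity alerts per user so reviewers can triage first."""
    counts = {}
    for alert in alerts:
        if alert.severity == "high":
            counts[alert.user] = counts.get(alert.user, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, ALLOWED_SERIALS):
        print(alert)
```

File operations on an authorized device still produce a low-severity record, so the audit trail stays complete while administrators are only paged for the unauthorized device.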
5) Satisfying Compliance Requirements
Organizations that process or store sensitive data have a duty to ensure their protection at all times. The industry standard for protecting sensitive data such as Personally Identifiable Information (PII) is to combine standard cybersecurity best-practices with the implementation of user/device monitoring and endpoint protection tools to mitigate the risk of data breaches from both insider threats and external attacks.
How to Choose an Employee Monitoring Solution
Deciding on which employee monitoring software solution is the best fit for an organization can be a daunting process as individual requirements will change depending on the organization’s current infrastructure, the types of monitoring they would like to conduct, their legislation and regulatory compliance requirements, as well as several other factors.
Technology Considerations for Monitoring
This section will outline the most important technological considerations an organization will have when deciding on an employee monitoring software vendor. With the right mix of forethought and technology, an organization can fulfill the goals and requirements of its employee monitoring and productivity strategy.
- Features: Will the software provide all of the features the organization needs? What are the “must-haves” and what are the “nice to haves”? How well are those needs met by the features provided?
- Software Management: Will the organization need an agent-based or agentless solution?
- Storage: Should sensitive data be stored with a third-party cloud storage provider or on-premises?
- Compatibility: How well will the software work with the organization’s existing infrastructure?
1) Features to Consider
Employee monitoring software can be quite expansive in the features that they can offer. While not all of these features will be necessary for every organization, it is important to acknowledge the features that are generally offered to be aware of what is available and to consider if those features will be beneficial to the organization’s strategy.
1a) Website Tracking
Website tracking is the practice of collecting and analyzing the data of websites visited by users, departments, or individual devices. This data is often gathered into reports for review by business owners, human resources, and management to address bandwidth usage, employee productivity, and inappropriate workplace internet usage.
1b) Application Tracking
Tracking the computer applications used by employees can provide the means for detecting software license utilization rates, identifying excessive use of unproductive software, and detecting unauthorized programs.
Application tracking is just as important as internet monitoring as the majority of successful web-based software companies provide desktop application versions of their product. Whether it's new team chat applications like Slack or Microsoft Teams, cloud-based storage products such as Dropbox or Google Drive, or even ubiquitous programs such as Windows Media Player & QuickTime, data collected from application tracking can provide valuable insights on employee computer usage in the workplace.
1c) Active Time vs Total Time Tracking
Time tracking of applications and websites used by employees can provide incredibly valuable insights, but only if the data is truly relevant.
Solutions that track active time will track how long applications and websites are actively used by the users, whereas solutions that only track total time report a list of applications and websites that were open on the computer without properly contextualizing whether the employee was actually using them or if the applications were simply opened and left running.
The best employee monitoring solutions have the ability to report what employees are truly doing. The reporting of active time allows IT administrators & managers to trust and understand the reports generated, giving them the opportunity to generate actionable outcomes from the data.
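The difference between total time and active time can be shown on a small event stream. This is an added example, not taken from any vendor's product; the event kinds (open, focus, idle_start, idle_end, close) and the sample session are assumptions constructed for illustration.

```python
# Constructed sample session: (seconds since start, event kind, application).
SAMPLE_SESSION = [
    (0, "open", "browser"),
    (0, "focus", "browser"),
    (600, "open", "editor"),
    (600, "focus", "editor"),
    (1800, "idle_start", None),   # user stops providing input
    (2400, "idle_end", None),     # user returns
    (3000, "focus", "browser"),
    (3300, "close", "browser"),
    (3600, "close", "editor"),
]


def usage_report(events, session_end=None):
    """Return {app: {"total": seconds open, "active": seconds in active use}}.

    Total time counts every second the application was open.
    Active time counts only seconds where the application had focus
    and the user was not idle.
    """
    events = sorted(events, key=lambda e: e[0])  # stable: keeps same-time order
    totals, active, open_at = {}, {}, {}
    focused, idle = None, False
    prev_t = events[0][0] if events else 0

    for t, kind, app in events:
        # Credit the interval since the previous event to the focused app.
        if focused in open_at and not idle:
            active[focused] += t - prev_t
        prev_t = t

        if kind == "open":
            open_at[app] = t
            totals.setdefault(app, 0)
            active.setdefault(app, 0)
        elif kind == "focus":
            focused = app
        elif kind == "close":
            if app in open_at:
                totals[app] += t - open_at.pop(app)
            if focused == app:
                focused = None
        elif kind == "idle_start":
            idle = True
        elif kind == "idle_end":
            idle = False

    # Applications still open when the session ends are closed at session_end.
    end = prev_t if session_end is None else session_end
    if focused in open_at and not idle:
        active[focused] += end - prev_t
    for app, started in open_at.items():
        totals[app] += end - started

    return {app: {"total": totals[app], "active": active[app]} for app in totals}


if __name__ == "__main__":
    for app, times in usage_report(SAMPLE_SESSION).items():
        print(app, times)
```

In the sample, the editor is open for 3000 seconds but actively used for 1800, which is the gap a total-time-only report would hide.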
1d) Custom Data Retention Settings for eDiscovery, Audits, and Legislation Compliance
Organizations that have a legal requirement to monitor the internet, network, and computer usage will likely need to ensure that the collected data is accessible for review. These organizations will need the ability to modify data retention settings to configure the length of time for data storage before the data is purged.
Configurable data retention settings will make auditing, compliance, and data storage less of a hassle for the organizations that are implementing a large-scale deployment. The ideal solution will allow the organization to store the data indefinitely to ensure that records are maintained as long as needed for the organization’s needs.
Automated data purging at configurable intervals reduces the time and resources needed to manage the data collected, saving organizations considerable costs on storage and administration as they will not need to manually purge the data, purchase new storage hardware, or upgrade to a greater storage volume with their cloud storage provider.
To monitor out-of-office employees, the software must support one of the following:
- Local monitoring data caching to allow for the temporary local collection of employee monitoring data until they are re-connected to the company’s internal network
- Port forwarding to allow for live monitoring of out-of-office workers
1f) Tracking of Both Users & Devices
Device monitoring will track all activity on a specific device whereas user monitoring will track the individual user regardless of the device they use.
Device monitoring is often used by internet cafes, schools, and libraries to oversee the use of devices that regularly change users without necessarily requiring unique login credentials. In a workplace setting where the employer wishes to understand the browsing habits of individual employees, device-level insights may not provide sufficient details as their employees may not have a designated workstation (in the case of hot desking) or they may share devices with their coworkers.
When selecting a provider, organizations should ensure that both device-level and user-level monitoring is available to provide them with the best flexibility for their needs. Having access to both features is excellent for tailoring the insights reported based on the unique needs of managers, human resources, and IT administrators.
1g) Administrative Permissions & Groupings
User grouping features such as Organizational Units (OUs) within Active Directory allow administrators to efficiently implement and adjust bespoke settings based on department, location, user, the types of data handled, and other important considerations.
Bespoke settings ensure that the solution does not cause a bottleneck in productivity. A solution that does not provide flexibility for configurations will cause less at-risk users to have the same policy restrictions as users that perform tasks with sensitive data such as personal health information (PHI).
For large enterprises and other expanding organizations, the ability to group users and devices based on location, department or role is crucial to limit the time investment required in managing the monitoring solution. Best-in-class solutions allow for granular control of the product’s features including who can run reports, who has access to a given group’s data, and who will receive automated email reports based on the activity of the designated groups.
1h) Real-Time Alerts & Notifications
Real-time alerts and other notifications are a critical component of data loss prevention as they can be configured to alert administrators to insider threats engaging in suspicious or risky behavior.
These alerts can also notify human resources and managers when derogatory, sexist, or inappropriate behaviors are detected. The exact mechanism for alerting will vary by the software provider – they could be sent to the central console, to a designated email address, or sent via SMS to a cell phone.
2) Software: Agent-based vs Agentless Solutions
When searching for an ideal solution, the discussion of agent-based vs agentless monitoring is certain to arise. The decision of whether or not to use a solution that provides a dedicated software agent will depend on the level of detail and control that is required by the organization.
What is the Difference Between Agent-based and Agentless Monitoring?
Agent-based monitoring provides far greater customization and data collection than its agentless counterpart. Agent-based solutions require that a proprietary software program be installed on each device that the organization would like to oversee.
Depending on the data the organization needs to collect and the level of customization desired, the convenience of an agentless solution may not be worth its limitations.
With an agent-based solution, the software agents that are installed on the employee’s devices (the ‘client’ machines) will automatically send the data it captures to another computer that has the software vendor’s console program installed on it (the ‘host’ machine). The host machine functions as the centralized console for the management of the data captured from the client machines and users. For convenience, the host machine is often the computer of a manager or administrator as they are typically the ones that will need to access the data.
Despite what the name suggests, agentless monitoring solutions actually do use a software agent to collect data. The difference is that agentless solutions use software that already exists on the user’s computer as the agent for collecting data rather than leveraging proprietary software that is supplied by the software vendor. As with agent-based solutions, the agentless solution uses a centralized console to receive and interpret the data from the client machines and users.
What are the Advantages and Disadvantages of Agent-based vs Agentless Solutions?
The key advantage of using a dedicated software agent is that they provide far more features and configuration options than an agentless solution. An agent-based solution such as CurrentWare allows for added customization and control on the device level, whereas agentless solutions such as firewalls perform their functions on the network level.
Agentless solutions such as firewalls are convenient as they do not require a dedicated software program on the user’s devices. Firewalls are great for providing added protection to the security of the network, however, they are typically not the ideal solution for employee monitoring as their lack of granular configurability makes them a less-than-ideal solution for organizations that need greater control and insights of how their employees use technology within the workplace.
Evaluate the Software Before Purchasing
When deciding between different software providers, organizations should ensure that the providers offer fully-featured free trials of their products to allow the organization the opportunity to properly evaluate the software on all of the devices they would like to monitor.
3) Storage: Cloud vs Local (On-Premises)
It is important to be aware that there are inherent risks and benefits of both cloud and local storage. The option that is chosen will be heavily influenced by budget, data privacy priorities, and the quantity of data captured.
How Much Storage Space Do I Need For Employee Monitoring Data?
The average CurrentWare customer generates 1.5 MB of data per day for each user they monitor; with this in mind, it will take a little under two years for one employee to generate so much as 1 GB of data. This amount of storage space is more than manageable for small teams, however, for larger organizations, the data will either need to be culled periodically to make space for new data or the local storage will need to be upgraded to continue storing data.
The key advantage of local storage is that the organization has far greater control over how their data is stored, secured, and accessed.
Hardware Requirements for Local Storage
Local storage hardware is a necessary investment when opting for a solution that offers local storage options. Larger organizations may want to configure their own dedicated servers to provide greater capabilities for storage, backups, and processing power as the number of users they monitor grows. Small-to-medium organizations will often do well with simply using an existing computer to store their data.
Added Security with LAN-Based Implementations
The need for data security is not exclusive to employee monitoring data – any organization that uses technology should already have a cybersecurity system in place to protect their data and systems. The organization must ensure the data captured is treated the same way as they would treat any other form of sensitive data.
Organizations can further reduce the chances of the data being breached by keeping it separated from the internet entirely if they wish to do so. The process of separating sensitive data from systems that are more vulnerable is a standard network security measure known as “air gapping”. Air gapping provides a significant layer of boosted security by removing the potential for the data to be breached due to a security threat that enters the network via the internet.
Software that uses cloud storage will send its data to a third-party server for storage and processing. This provides added convenience as the organization is given the option to pay a subscription fee to have an external company assist with the logistics and costs associated with data storage.
The conveniences that come with cloud storage make it a worthwhile consideration; however, the data security and legislation compliance implications of providing a third party with access to sensitive employee monitoring data must be well thought through. When choosing a software vendor that uses cloud storage technology, the organization should ensure they choose a credible cloud storage provider and that they understand how their data will be protected.
Safety And Compliance Considerations For Cloud-based Storage:
- Public vs Private Cloud Storage: Is the data segregated from other users of the cloud storage provider or shared in a database?
- Data Privacy: How will the cloud-based software vendor you are using secure and handle the data? Is the data being mined in any way? Can the data be viewed by anyone else?
- Data Residency: Which country is your data being stored in and how does that comply with the organization’s compliance requirements?
- Data Longevity: How long is the data being stored? Will the cloud-based software vendor retain copies of the data after the organization requests deletion?
An organization may also opt for a hybrid model where they use an on-premises solution to collect and process data locally and then use their existing cloud storage provider for data redundancy rather than pursuing a software vendor that only supports their proprietary cloud storage solution.
Cloud vs Local Storage
| |Local Storage (On-Premises)|Cloud Storage|
|---|---|---|
|Cost|– Cost of storage hardware (hard drives, servers, etc.)|– Ongoing monthly or annual subscription fees|
|Data Security|– Greater control over security measures implemented<br>– Can use a LAN-based setup; less likely to be infected by malware from the internet<br>– Data could be lost in the event of a natural disaster or hardware failure if regular off-site backups are not maintained<br>– Data can be stored and processed locally and backed up to an existing cloud storage account rather than incurring expenses for storing data with the software vendor|– Third-party has control over potentially sensitive data. Depending on the infrastructure of the provider the data could be accessed by insider threats.<br>– Government orders could force the cloud provider to leak your data without your knowledge<br>– Cloud company dedicates its resources to security software, hardware, and best practices to mitigate data loss and breaches<br>– Remote access to data increases the risk of a breach following a leak of user credentials<br>– Using the cloud is permissible, but this does not take away your responsibility to safeguard your data|
|Convenience|– The organization is directly responsible for managing its data storage and protection<br>– Data backups will require more effort if storage is exclusively non-cloud|– Cloud company manages the data security<br>– Available storage scales on-demand to meet the organization’s needs|
|Compliance|– Easier to meet data residency requirements|– Data residency stipulations may require that data be stored within the same country as the organization. If the cloud-based software vendor does not have servers in the organization’s country they will not be legally usable.<br>– The organization is often legally responsible for the actions taken by their cloud storage provider, such as in the event of data misuse or a data breach.|
4) Compatibility: What Devices Are Being Monitored?
Some users and devices are more difficult to monitor than others – cell phones, remote workers, and in-office employees all have their own set of unique needs, and each software vendor will have its own unique set of solutions.
It is important that the organization establishes the devices they truly need to track and control as well as the types of data they would like to collect as this will help them to prioritize solution providers based on their capabilities.
- What operating systems (OSs) and OS versions will the software be installed on? (Windows, Linux-based, macOS, etc.)
- What OSs are supported by the software vendor? (This is a consideration for both the host and client machines)
- Are configurations available to accommodate hybrid and remote workers?
- What devices need to be monitored and will those devices always be connected to the organization’s network or will they be mobile? (Mobile devices have unique needs)
Request a Free Trial to Test Compatibility
When evaluating a software vendor, it is important that the vendor offers a free trial of their software to provide the purchaser the opportunity to test the compatibility and suitability of the software solution within the organization’s existing infrastructure.
Having a legitimate proof-of-concept for the software is integral as it allows the organization to see how the software interacts with their existing environment before they invest considerable time, effort, and finances in fully implementing a given solution.
The software evaluation period is an ideal time to build a relationship with the software provider and judge whether or not they have the knowledge and skills to support the full-scale deployment of their software throughout the organization after purchasing. If the software provider proves to be dismissive, uncommunicative, or unhelpful during the evaluation period, this is a sure sign that they do not prioritize the needs and success of their customers.
The ethical and logistical difficulties of tracking cell phone internet traffic often make it a lesser priority than the monitoring of workstations, however, if employees are using cell phones to accomplish work tasks those devices may need to be monitored as well.
Considerations For Tracking Cell Phone Internet Use:
- Are the cell phones provided by the organization or are employees using their own devices as part of a bring-your-own-device (BYOD) policy?
- Is the software vendor’s solution compatible with cell phones? Will the software collect the data the organization desires to collect or are there limitations?
- Will employees have privacy concerns with having their personal cell phone traffic tracked during their breaks? Can the software be configured to cease monitoring during specified break periods?
The most practical approach to track cell phone internet traffic in the workplace would be to use an agentless solution designed for managing multi-platform devices. An agentless solution allows for tracking of mobile devices connected to the organization’s wireless network without requiring the installation of dedicated software on each device.
An agentless mobile device management solution is an ideal solution for organizations with BYOD policies that want to track cell phones on their network without the administrative overhead of managing agents each time an employee introduces a new mobile device.
Operational Considerations for Employee Monitoring
In addition to meeting the necessary technical requirements of the organization, the solution needs to be appropriate for the scale of the organization and how it operates.
- Scalability: How will the solution scale with the organization? Can hundreds or thousands of users be monitored simultaneously? Are there deployment options available to install software clients at scale?
- Financial: What purchasing model is used by the vendor? Does the cost of implementing and purchasing the solution match the organization’s means and expectations for the features they need? Will the product be an operating expenditure or capital expenditure?
1) Scalability of the Software Alongside the Organization
The number of users that will be monitored is an incredibly relevant factor when selecting a software vendor. An organization that is a lean startup or small-to-medium business (SMB) with a handful of employees will have completely different scalability considerations than a mid-market or large enterprise.
Scalability considerations will be most relevant at three key stages:
- During the initial deployment of the software host and the software agents.
- When large groups of new users need to be implemented, such as during a merger & acquisition (M&A).
- When the number of users reaches a threshold where they become difficult to manage or become too resource-intensive for the software client to operate effectively.
Scalability Questions to Ask the Software Vendor:
- Can the centralized console support all of the users that will be monitored simultaneously?
- Will there be noticeable effects on the performance of the software as the number of users increases?
- How will the software agent be distributed to the organization’s client machines for installation? Do you support large-scale deployments through features such as Active Directory, Windows Group Policy, or remote client installations?
Features for Organizing Users
Scalability is not just about the technology having the resources necessary to make software client deployments manageable and support the number of users; it is also about the organization and management of users within the console.
User grouping features such as Organizational Units (OUs) within Active Directory allow administrators to efficiently implement and adjust bespoke settings based on department, location, user, and other important configuration considerations. User grouping features will be absolutely essential during a merger and acquisition (M&A) or other events that require a large-scale migration of users into the organization’s employee monitoring ecosystem.
2) Financial Considerations
Solutions are offered in a wide gamut of prices and pricing models, and the most expensive solution is not necessarily the best fit for the organization. Employee monitoring solutions can be a cost-efficient investment so long as the organization thoroughly plans for the features they truly need and they budget accordingly for the costs associated with those features.
Subscription vs Perpetual Pricing Models
Pricing models for software solutions are typically within two categories: subscription or perpetual pricing.
Subscription pricing provides access to the software only for so long as an ongoing monthly or annual fee is paid. With subscription-based pricing, the organization will have immediate access to the latest feature updates provided by the software vendor and the associated costs can be made into an operating expense if desired. These advantages come at the expense of requiring ongoing payments to have access to the software.
Perpetual pricing provides permanent lifetime access to the software following a one-time payment. Perpetual pricing models allow the associated costs to be made into a capital expense if desired. As for the cost of updates, many software vendors will include a fixed-term period of software updates following the initial purchase.
With perpetual pricing, the organization will have access to the version of the software they purchased without requiring ongoing payments, though new features and other major updates to the product may require additional purchases. When selecting a vendor that uses a perpetual pricing model, ask if they offer advantageous pricing to current customers that want to upgrade to the latest version of their product.
Another important consideration is volume licensing – vendors that offer either subscription or perpetual pricing models are likely to offer advantageous pricing as the number of licenses purchased increases.
Choosing the appropriate licensing model for an organization depends on their budget, accounting policies on operating expenditures vs capital expenditures and their desire for predictable pricing for the solution they choose.
The Cost of Non-Compliance
Purchasing and implementing employee monitoring solutions is a small investment compared to the impacts of non-compliance. Based on the findings from a 2017 study sponsored by GlobalScape and conducted by the Ponemon Institute, the average cost of compliance for the companies surveyed was $5.47 million and the average cost of non-compliance was $14.8 million – 2.71x greater than the cost of compliance.
In the case of GDPR non-compliance fines, organizations can face a maximum fine up to the greater of 20 million Euros or 4% of their total annual worldwide turnover in the preceding financial year. In July of 2019, British Airways faced a proposed £183m fine due to their lack of appropriate protections for sensitive customer data leading to a data breach.
Companies that invest in meeting and maintaining their compliance needs can save themselves from the significant costs that arise from non-compliance issues such as business disruption, fines, loss of productivity, and settlement costs.
Customer Success: Choosing the Right Software Vendor
When an organization chooses software for monitoring, they are also choosing the vendor that provides the software. How the software vendor engages with its customers is as important as how well its software fits the organization’s needs and should not be overlooked.
Customer Success Considerations:
- Ease of Use: Is the software easy to install and use? Could a less tech-savvy manager navigate the features they need access to or will they need help?
- Vendor Customer Support: What levels of support will the vendor offer? Will they help with initial setup and onboarding? Are there priority support plans available?
- Vendor Product Support: Technology needs are constantly evolving; is the vendor trying to sell an outdated product? How long will the vendor be able to guarantee the support of its product? Will the vendor provide regular updates of their software for bug fixes, maintenance, and feature improvements?
1) Ease of Use of the Software
Ease of use is an incredibly broad topic and it can mean different things depending on the context. For the purposes of the guide, the focus is going to be this: Can the people that have to use the software navigate it intuitively?
SMBs that are not prioritizing having a dedicated Information Technology (IT) department rely on their existing staff to navigate the deployment, configuration, and management of the software. The staff member deploying the software may be comfortable navigating it, but what about the manager that will actually be using the software to prepare reports and manage their employees? Is the software intuitive enough that less tech-savvy staff members can be easily trained to use the software?
Here’s what to look out for from the software:
- Do the color palette and font choice used for the software make the text easy to read?
- Are features and settings grouped logically? Can they be readily found based on where they would be expected to be located or is there no apparent sense of structure?
- Are there visual indicators to help with navigation such as icons, tailored color schemes for elements that correspond to different information blocks, etc?
- Are there search functions built into the software to help the administrator quickly find the functions they are searching for?
2) Vendor Customer Support
The chosen software vendor needs to be one that ensures that users are adequately supported according to their level of expertise. When the organization is deciding on a software vendor they should place stronger consideration on one that caters to organizations of a similar size for the best experience.
What To Look For In Vendors:
- Does the software vendor provide the direct onboarding and customer support required to make the product integration as painless as possible? Is that level of support included with the software purchase or will an upgraded support and maintenance plan need to be purchased?
- Are the provided self-serve support resources (manuals, videos, website, etc) well-written and organized? How readily can solutions be found with the resources provided?
- How knowledgeable is the product support team of the vendor? Are they familiar with the specific needs of the organization and how they need to adapt to accommodate?
- How is the vendor’s attention to detail? Have they taken great care in crafting and maintaining their website, social media, and other marketing channels? How well they treat their publicly-facing materials is a strong indication of their attention to their product – if their website is tough to navigate, the software and customer support are likely to be as well.
Available Channels For Customer Support
Customer support can happen in a variety of ways. The support channels available, the timeliness of responses, and the scope of support are all considerations that need to be discussed with the software vendors that are being evaluated based on the needs and resources of the organization.
- Live Text Chat (social media, dedicated support chat, etc)
- Self-Serve Knowledge Base (user guides, how-to videos, FAQs, etc)
- Remote Assistance (Support member can see and/or take direct control of the computer to assist with installation/configuration)
The support channel used will depend on the nature of the support needed. Phone support and remote assistance options are often essential for resolving technically complicated questions and getting immediate support, whereas email and live text chat are better used for less urgent assistance.
Another important consideration for phone-based support is its availability – does the software vendor offer 24/7 assistance or will support calls need to be scheduled around different time zones and available support hours?
Software vendors will offer different support tiers to better accommodate the needs of their customers. While most of these support options (such as phone and email) will be included with the purchase of the software, the vendor may also offer priority support that can be purchased separately from the product. Priority support packages are generally purchased on a retainer or subscription basis to ensure the vendor can afford to provide the level of support required.
Priority Support May Include:
- Reduced wait times as requests are bumped in the vendor’s support queue
- 1-on-1 guided support via video conferencing, phone calls, or remote assistance
- A dedicated support team that is better equipped for the unique needs of priority customers (large-scale enterprises, clients with strict data security & compliance requirements, etc)
- An increase in the scope of support provided; customer support that requires a great deal of effort to maintain may come at a premium cost.
3) Vendor Product Support: Maintenance & Feature Improvements
Monitoring solutions interact with various operating systems, internet browsers & anti-virus solutions. As the ecosystem they are deployed in evolves, unexpected compatibility issues may arise. Product maintenance and feature improvements are a core function of product improvement and ensuring the solution continues to work as expected.
Feature Improvements are major enhancements to the software. Depending on the software provider and the nature of the feature improvement, software upgrades will either be included in the license or require additional payments.
The chosen software vendor should be open to feedback from customers. If the company demonstrates that it values customer feedback, that is a good sign that they care about the experience of their customers and that they will work diligently to provide the features and other enhancements their customers need.
When selecting a software vendor, ensure that they are currently active and that their product has been recently updated. To determine if the software vendor is currently active, check out their social media, contact their support team, and/or view their release notes to make note of when the last product update was provided. If new updates and maintenance fixes have not been provided for many years, it may be a sign that their software is no longer being supported and it may be near its end of engineering.
How to Create an Effective Employee Monitoring Strategy
An effective employee monitoring strategy relies on careful planning and clearly defined objectives. The software and other tools used to support the strategy will be considerably more effective if their features and capabilities are appropriately matched to the objectives of the organization.
This section will provide actionable tips for setting clear goals, monitoring ethically, and addressing common concerns. By following these tips an organization can greatly increase the effectiveness of its employee monitoring strategy.
1) Define the Organization’s Goals & Needs
The organization must have a clear understanding of the goals it has and how its employee monitoring strategy will best meet those goals.
Common Goals Include:
- Ensuring compliance with data privacy and security regulations
- Mitigating and detecting insider threats
- Preventing the inappropriate usage of internet and bandwidth
- Improving employee productivity
- Enforcing acceptable use policies for technology in the workplace
2) Monitor Everyone Fairly
If transparency is desired or required, organizations can best showcase the trustworthiness of how employee monitoring is used in the organization by installing the software on the devices used by managers and employees alike. When managers demonstrate their confidence in the benefits of monitoring, employees are more likely to buy in to the organization’s use of the solution.
For transparency-based strategies, one of the best ways to increase employee buy-in is to treat everyone fairly. Organizations should refrain from singling out a specific employee or department unless there is a legitimate business reason to do so, as employees may feel resentful towards the organization or their managers for singling them out.
That said, each department or role will have different requirements depending on what is considered normal behavior in their context and the sensitivity of the data they have access to. The marketing department will need unrestricted access to social media to perform their duties; however, other departments may not have a legitimate business reason to use social media during work hours. The important thing is to plan accordingly and clearly communicate the purpose of the configurations used.
3) Avoid Invasive Monitoring
Methods of monitoring that capture greater detail than is realistically required to meet the organization’s goals may be considered invasive. Just as security cameras should not be placed in dressing rooms and bathrooms, employee monitoring has contexts where its usage can be objectionable.
For your average organization, tracking keystrokes – the individual inputs an employee gives to a computer through their keyboard – is far overboard from what is necessary to effectively monitor employees and could even be illegal depending on the laws that govern the organization.
Employees that have their keystrokes tracked may have concerns that their personal information, private conversations, or login credentials may be captured and potentially leaked, causing undue anxiety and stress when using their workstations.
That said, organizations that handle highly classified information may wish to keep a much closer eye on the exact inputs made by their employees. If they have a legitimate business need for tracking the keystrokes of employees, it helps if the organization is upfront with its employees about why this practice is included in their policy and educates them on how keystroke data has been secured.
Monitoring of Personal Devices
It is quite apparent that personal devices such as cell phones are ubiquitous in our lives today. Personal smartphones have a striking portfolio of practical uses, but they can also serve as an undesirable distraction for employees. If organizations are already monitoring workstations to dissuade unproductive personal browsing, they might be tempted to oversee all devices that are used in the workplace.
While there are solutions that can track personal devices, organizations can expect that most of their employees will naturally have objections to having their personal devices monitored in a professional setting.
To mitigate excessive personal device use it is better to use traditional techniques such as an enforced Acceptable Use Policy that includes how the organization would like personal devices to be used. While organizations will likely not be able to entirely prevent the use of personal devices without more extreme measures, having a clear message for how they expect these devices to be used in the workplace can serve as a baseline for further discussions should an employee make a habit of using their phone during work times.
4) How Human Resources Helps to Improve Employee Monitoring
Human resources (HR) plays an integral role in ensuring that employee monitoring is done in a way that respects the autonomy and privacy of employees while still meeting the objectives of the organization.
4a) Documenting Evidence of Misconduct
As an organization continues to expand, it is possible that misconduct may not be as readily noticed. Both direct and indirect victims of harassment and other forms of misconduct may not feel safe or empowered to report misconduct as it happens.
The chosen software solution can be used by the organization to alert designated administrators when it detects the use of discriminatory, threatening, or demeaning language in internet searches, emails, and other forms of communication. If evidence of misconduct is discovered, it may serve as crucial evidence when addressing whether or not the behavior is creating a hostile work environment.
Ultimately, software is only a segment of employee behavior awareness, particularly in the case of identifying misconduct such as harassment. Organizations will need to implement other forms of due diligence in conjunction with software-based monitoring to ensure they maintain a safe and respectful working environment.
4b) Policy Development
Policies form the baseline of expectations for how employees are to use the technologies in their workplace. With clearly communicated policies in place, employee monitoring can serve as an added layer of enforcement to ensure that the policies are being appropriately adhered to.
Employee Monitoring Policies
To ensure that employees can truly provide informed consent, human resources should develop written policies that define the scope of employee monitoring within the organization.
A well-crafted policy helps employees understand the solutions used in their workplace as well as why those solutions are necessary for the organization. The policies should also detail what is not being monitored so that privacy-conscious employees can fully understand the scope of the monitoring.
- Disclose your company’s intent to monitor employees in the workplace
- Set workplace privacy expectations for employees
- Meet transparency requirements for compliance with privacy laws
Acceptable Use Policies for Devices
An in-depth acceptable use policy is critical for a successful cybersecurity and workplace behavior plan. If employee monitoring software is to be used to dissuade excessive unproductive browsing habits and other undesirable behavior, organizations must first start by explicitly stating their expectations for how the internet and other resources are to be used by employees.
Common Clauses for an Acceptable Use Policy:
- Employee security responsibilities when using work devices
  - Locking their workstations when not in use
  - Password management practices
  - Anti-phishing responsibilities
- The types of data/files employees are permitted to access and when they are permitted to access them.
- The activities that are to be explicitly disallowed (illegal/unethical behavior) when using the organization’s resources.
- Whether or not employees can use workplace equipment for personal projects.
5) Common Objections to Employee Monitoring and How to Address Them
The world of employee monitoring is a bit of a double-edged sword. Organizations want to keep their data and systems secure and use the data they collect to allow their managers to better manage their workforce, but for some employees, the feeling of having an all-seeing eye watching over them might cause privacy concerns or the feeling that they are not trusted to manage their own work.
When developing an employee monitoring policy, it helps to get feedback from the employees and truly show them the benefits of the developed strategy. By giving employees an element of input during the process they will feel less like the solution is being forced on them and more like they had an opportunity to contribute to the development of a policy that is fair for both parties.
5a) Privacy Concerns
Privacy concerns related to the data collected can be a significant source of friction between employees and the organization. To mitigate privacy concerns, organizations should consider the level of transparency they provide regarding their solution, how they will protect the data captured, and how they will manage the unique needs of remote employees.
1. Informed Consent
Depending on the legislation that governs the organization, informed consent may be mandatory. For example, Europe’s General Data Protection Regulation (GDPR) requires employers to explicitly disclose to employees the fact that they are being monitored and the methods used to do so (security cameras, internet usage tracking software, etc).
Even if there are no laws that specifically require that the organization discloses to employees that they are being monitored, they may wish to do so anyway in the interest of transparency. How transparent the organization is regarding its strategy is highly dependent on its discretion and unique needs.
2. Give Employees Access to Their Data
It’s one thing to tell employees what data is collected from them, and it’s an entirely different thing to truly show them what is being collected. If the chosen software allows managers to share reports with specific users, they may wish to give employees the option to request a report of their data so they can truly understand what is being collected.
If managers choose to go this route, it is critical that they ensure that employees cannot see the data of their coworkers. Only a manageable group of members with legitimate business needs for the data should be allowed to access it. Depending on the size, structure, and needs of the organization they will likely appoint department managers that can only access the data of the department they manage, or they may give human resources and similar personnel access to the data on an as-needed basis.
3. Secure Sensitive Data
Employee monitoring data can potentially be highly sensitive depending on its nature. Organizations are responsible for securing any sensitive data they possess, including the data they capture regarding their employees’ computer and internet use.
Examples Of Sensitive Data:
- Internet search history (medical condition research, adult websites, search terms)
- Phone calls and emails that are personal in nature
- Personally identifiable information (names, addresses, phone numbers, etc)
- Personal characteristics (religion, race, sexual orientation, etc)
Data security is a complex subject and should be discussed with dedicated IT and cybersecurity professionals. If the data is required to be stored for future reference due to regulatory requirements or internal policies, the organization should ensure that the data is properly secured and that only trusted members are given access to that data.
4. Anonymization of Data
If the intention of employee monitoring is focused on understanding the organization at the department or team-level rather than the specifics of a single user, organizations can reduce how personal this data is by using a technique called pseudonymization. With pseudonymization, the personally identifiable information collected can be removed entirely or replaced with anonymous identifiers, allowing managers to leverage the insights contained in the data without singling out an individual employee.
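As an added illustration (not part of the original guide and not any vendor's code), the Python sketch below replaces user identifiers with keyed pseudonyms and then reports only at the department level. The record fields, the demo key and the sample events are constructed for this example; the minimum group size check goes beyond the text above and is included because a report on a very small department can still point to one person.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key. Assumption: in practice the key is held in a secrets
# store, separate from the reports, by someone other than the report readers.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample records (not real data).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "dept": "Marketing", "category": "Social Media", "minutes": 42},
    {"user": "Alice@Example.com", "dept": "Marketing", "category": "News", "minutes": 10},
    {"user": "bob@example.com", "dept": "Marketing", "category": "Social Media", "minutes": 18},
    {"user": "carol@example.com", "dept": "Marketing", "category": "Productivity", "minutes": 120},
    {"user": "dave@example.com", "dept": "Finance", "category": "Shopping", "minutes": 25},
]


def pseudonym(user_id, key):
    """Return a stable pseudonym for user_id.

    A keyed HMAC is used instead of a plain hash: without the key, nobody can
    rebuild the mapping by hashing the staff directory.
    """
    normalized = user_id.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return "u_" + digest[:16]


def pseudonymize(events, key):
    """Copy each event, dropping the identifier and adding a pseudonym."""
    result = []
    for event in events:
        record = {k: v for k, v in event.items() if k != "user"}
        record["subject"] = pseudonym(event["user"], key)
        result.append(record)
    return result


def department_report(events, min_group_size=3):
    """Sum minutes per category for each department.

    Departments with fewer than min_group_size distinct subjects are
    suppressed, because their totals would describe identifiable people.
    """
    subjects = defaultdict(set)
    totals = defaultdict(lambda: defaultdict(int))
    for event in events:
        subjects[event["dept"]].add(event["subject"])
        totals[event["dept"]][event["category"]] += event["minutes"]

    report = {}
    for dept, categories in totals.items():
        headcount = len(subjects[dept])
        if headcount < min_group_size:
            report[dept] = {"suppressed": True}
        else:
            report[dept] = {
                "suppressed": False,
                "headcount": headcount,
                "minutes_by_category": dict(categories),
            }
    return report


if __name__ == "__main__":
    records = pseudonymize(SAMPLE_EVENTS, DEMO_KEY)
    for dept, summary in department_report(records).items():
        print(dept, summary)
```

Whoever holds the key can regenerate the mapping from a known identifier to its pseudonym, so the key needs the same access restrictions as the raw monitoring data.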
5. Privacy Considerations For Remote Employees
Remote employees are a unique challenge, particularly if the organization allows them to work from home using personal workstations. If the organization utilizes Bring Your Own Device (BYOD) practices and they would still like to install remote employee monitoring software on these devices, they can schedule the software to only collect data during expected work hours.
If remote employees are not comfortable with installing the software on their personal devices, the next best step would be for the organization to provide a dedicated device for them to use to complete work tasks. This ensures that remote employees can maintain a reasonable level of privacy on their personal devices while still being monitored in a similar manner to their in-house colleagues.
5b) Employees Not Feeling Trusted
Employees that consider themselves to be productive and ethical professionals that are capable of managing their own workloads and behaving appropriately may feel that employee monitoring is a sign that their employer does not trust them to self-manage. This feeling of a lack of trust can cause even the best employees to begin to feel resentful, resulting in – ironically – a decrease in their productivity!
To help reduce the feeling that employees are not trusted, it helps to start by acknowledging the positive impacts of their efforts and ensure that their managers are there to truly listen to their concerns and make them feel understood. Employees need to understand that the solutions used are not a reflection of personal feelings towards a specific individual and are instead a tool for the organization to meet its objectives.
Legal Considerations for Employee Monitoring
When it comes to employee monitoring, there are some legislative requirements that organizations should be aware of. The exact legislation that applies to the organization will depend entirely on where the organization operates, and legislation is bound to change over time.
CurrentWare has customers in over 50 countries, each with its own unique legal considerations. Legislation concerning employee privacy, data security, and other compliance needs will vary greatly depending on the relevant jurisdiction. As legislation is often incredibly complex and subject to change over time, the best practice is to consult directly with lawyers that specialize in the organization’s industry.
Aside from specific legislative needs that must be determined through the appropriate channels, there are some best practices that can be considered in the early stages of planning outlined below.
1) Is Employee Monitoring Legal?
The legality of employee monitoring depends entirely on regulations and other legislation that are specific to the organization and its industry. It is important to ensure that the methods used by the organization are legally just according to their specific context and the governing bodies associated with them.
The recommended best practice is to have employees read and sign a technology-in-the-workplace policy stating that their activity is being monitored, so that employees have provided informed consent. An example of mandated employee consent can be seen in Europe’s General Data Protection Regulation (GDPR), which requires that employers inform employees that they are being monitored in the workplace and the methods that will be used (security cameras, internet usage tracking software, etc).
2) Can I Track the Internet Usage of Employees?
Tracking the internet usage of employees is typically no issue so long as the organization has informed consent from the employees, the monitoring is being done in the context of their work (e.g. not their private lives), and the methods used are not excessively invasive (e.g. keystroke logging).
3) Monitoring and Internet Filtering for Compliance
Depending on the nature of a given organization, tools such as internet filtering, user activity tracking, and endpoint security software may be more than legal – they could very well be mandatory.
For example, healthcare organizations that are subject to HIPAA are required to implement suitably robust technical safeguards to adequately protect the data they collect and store in order to meet their compliance requirements.
With the best practices presented in this article, organizations can implement an employee monitoring strategy that respects the privacy and autonomy of employees while allowing the organization and its members to make the most out of the data collected.
Editors: Sai Kit Chu, Jaimin Lakhani, Andy Phan, & Neel Lukka