Employee monitoring solutions give employers the means to restrict internet access, configure USB access control, track employee performance, avoid legal liabilities, mitigate data breaches as part of a data loss prevention (DLP) strategy, and increase the organization’s cybersecurity.
Organizations that wish to use employee monitoring for data loss prevention, insider threat detection, data-informed management, and increased productivity must do so with the well-being of their workforce in mind. If the implementation is too invasive, not appropriately transparent, or misused, employees may feel that their privacy and ability to self-manage are not respected.
This guide will advise organizations on how to create a productive employee monitoring strategy that respects employee privacy and keeps the organization’s data secure.
At its core, employee monitoring is the practice of using supervisory tools and practices to understand how employees are operating within their place of work.
The tools used to track employee behavior and usage of the organization’s resources are leveraged to proactively prevent unacceptable behavior and to provide evidence of misconduct for further action.
Organizations track their employees to measure and improve productivity, protect sensitive data accessed through endpoints such as computers, and improve overall business intelligence through the data collected.
Examples of Tools:
Internet monitoring and web filtering software offer a suite of benefits for employers that would like to make data-driven decisions and regulate the internet usage of their workforce. The key benefits come in the form of increased productivity, identifying inappropriate web browsing habits, and preventing access to websites that may contain malware.
These software tools often include options for tracking time spent on individual tasks, applications and/or websites. The purpose behind using software for tracking productivity is clear – organizations cannot improve what they do not measure.
One of the key benefits of implementing software-based employee monitoring is that managers can collect the data needed to make informed decisions when managing their employees, giving them another avenue for staying in touch with trends in their workforce during moments where they cannot always be there in person.
Employee internet usage reports can act as an important tool in conjunction with other metrics when addressing employee productivity during coaching or performance reviews. When there is a noticeable decline in an employee’s engagement or productivity, managers can review browsing data to identify trends in how the employee’s internet browsing habits have changed. If there is a noticeable decrease in engagement from the employee, they can have an open discussion regarding workplace satisfaction, productivity blocks, and job expectations.
If the software allows for reports based on user or device groups, the internet and application usage data captured can be compared to that of other teams/departments to determine if workloads need to be adjusted. If a given department is frequently an outlier for excessive non-work internet usage, it may be an indication that the department is either blocked in their tasks or they are underworked in comparison to other teams/departments.
Every team is bound to have their top-performers and those that perform just well enough to be under the radar, or at the very least make it seem like they are performing well enough.
Employees that are genuinely engaged and work effectively are prone to suffer from resentment and burnout should the “shirkers” among them go unaddressed. Shirkers are employees that attempt to avoid engaging in their work by excessively delegating, taking significantly longer than necessary to complete their tasks, and generally attempting to appear fully engaged in an effort to trick their immediate managers.
Employees can readily identify who is engaged and who is shirking, though managers with larger teams may have a more difficult time doing so. Employee monitoring software empowers managers to make informed determinations of who their top performers truly are so they can be properly recognized for their efforts. As for the shirkers, the data collected will shed much-needed light on their practices so that managers can provide the actionable steps needed for those employees to improve their performance.
According to research by IDC, the average productivity loss of non-work related internet surfing by employees is 40% each year.
Employee web browsing and application usage reports let employees analyze their own browsing habits, giving them the opportunity to self-manage the reallocation of their misspent time. Employee internet usage reports provide valuable data-driven benchmarks to manage employee productivity by measuring project progress and employee output alongside trends in their internet browsing habits.
Employee monitoring software improves productivity by providing a wide array of reports that can be used to indicate productivity levels based on employee internet browsing habits. These productivity-focused features allow supervisors and managers to focus their energy and time on higher-value contributions rather than concerning themselves with directly supervising employee computer application and internet browsing habits.
Many CurrentWare customers have integrated the review of employee monitoring data captured with BrowseReporter into their management routines through manual review of email alerts configured around the parameters that matter to them most (excessive non-work browsing, accessing NSFW websites, etc.).
When particular websites are identified as being a persistent problem, CurrentWare customers will often combine their internet usage tracking with the web filtering features of BrowseControl to proactively prevent access to unproductive websites that are used excessively.
BrowseControl’s web filter can be configured to prevent access to unproductive websites such as Facebook during work hours and later allow access during the employee’s designated break time.
As an organization continues to grow, they are going to place a greater strain on their existing bandwidth and they will either need to pay for costly upgrades to the current infrastructure or they will need to ensure that their current infrastructure is used more efficiently.
When employees use an organization’s network for non-work-related file transfers and video streaming, it can put an unnecessary strain on the existing bandwidth. When an organization’s bandwidth is strained it can cause serious damage to workplace productivity due to drastically slow internet speeds (latency), resulting in disrupted video conferences, difficulty accessing internet-based resources, and even disruptions in your access to cloud-based software.
Bandwidth tracking allows organizations to identify the websites, users, and departments that are causing bandwidth bottlenecks in the network. With the data collected, organizations can determine if their bandwidth issues are caused by a specific user’s excessive video streaming usage or if the organization genuinely needs to consider a bandwidth upgrade to support their needs.
Organizations may find themselves in serious legal trouble should their employees abuse their network for nefarious purposes. Even if the organization claims to be unaware of the activities, they are likely to be liable for the impact caused by their employees and the organization may face fines or lawsuits depending on the severity of the offense.
Employee monitoring solutions strengthen an organization’s data loss prevention (DLP) capabilities thanks to features that alert managers and IT departments to suspicious activities within the network.
The Verizon 2019 Data Breach Investigations report states that 34% of data breaches in 2018 were caused by insider threats. Endpoint security software can disable USB ports to prevent the transfer of sensitive files to USB drives, internet access control software can prevent access to websites that contain malware, and both solutions can alert administrators when employees engage in suspicious or risky behaviors.
Endpoint security and management tools can be configured to block or allow specific USB devices, alert administrators to suspicious file operations (files copied/created/renamed), and prevent the use of unauthorized peripherals that may make the organization’s network vulnerable.
How Monitoring and Filtering Tools Help With DLP:
Organizations that process or store sensitive data have a duty to ensure their protection at all times. The industry standard for protecting sensitive data such as Personally Identifiable Information (PII) is to combine standard cybersecurity best-practices with the implementation of user/device monitoring and endpoint protection tools to mitigate the risk of data breaches from both insider threats and external attacks.
Deciding on which employee monitoring software solution is the best fit for an organization can be a daunting process as individual requirements will change depending on the organization’s current infrastructure, the types of monitoring they would like to conduct, their legislation and regulatory compliance requirements, as well as several other factors.
This section will outline the most important technological considerations an organization will have when deciding on an employee monitoring software vendor. With the right mix of forethought and technology, an organization can fulfill the goals and requirements of its employee monitoring and productivity strategy.
Employee monitoring software can be quite expansive in the features that they can offer. While not all of these features will be necessary for every organization, it is important to acknowledge the features that are generally offered to be aware of what is available and to consider if those features will be beneficial to the organization’s strategy.
Website tracking is the practice of collecting and analyzing the data of websites visited by users, departments, or individual devices. This data is often gathered into reports for review by business owners, human resources, and management to address bandwidth usage, employee productivity, and inappropriate workplace internet usage.
Tracking the computer applications used by employees can provide the means for detecting software license utilization rates, identifying excessive use of unproductive software, and detecting unauthorized programs.
Application tracking is just as important as internet monitoring, as the majority of successful web-based software companies provide desktop application versions of their product. Whether it’s new team chat applications like Slack or Microsoft Teams, cloud-based storage products such as Dropbox or Google Drive, or even ubiquitous programs such as Windows Media Player & QuickTime, data collected from application tracking can provide valuable insights on employee computer usage in the workplace.
Time tracking of applications and websites used by employees can provide incredibly valuable insights, but only if the data is truly relevant.
Solutions that track active time will track how long applications and websites are actively used by the users, whereas solutions that only track total time report a list of applications and websites that were open on the computer without properly contextualizing whether the employee was actually using them or if the applications were simply opened and left running.
The best employee monitoring solutions have the ability to report what employees are truly doing. The reporting of active time allows IT administrators & managers to trust and understand the reports generated, giving them the opportunity to generate actionable outcomes from the data.
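The difference between total time and active time described above, as an added example that is not CurrentWare’s code or any vendor’s implementation. The event format, the `IDLE_CUTOFF` threshold, and the sample events are all constructed assumptions:

```python
from collections import defaultdict

# Assumed threshold: seconds without user input before time stops counting as active.
IDLE_CUTOFF = 300

# Constructed sample events: (seconds since session start, kind, app).
# "open"/"close" bound an application's total time, "focus" marks the
# foreground window, and "input" is any keyboard or mouse activity.
SAMPLE_EVENTS = [
    (0, "open", "browser"),
    (0, "focus", "browser"),
    (60, "input", None),
    (120, "open", "spreadsheet"),
    (120, "focus", "spreadsheet"),
    (200, "input", None),
    (300, "input", None),
    # The user walks away here; the spreadsheet stays open and focused.
    (1500, "focus", "browser"),
    (1560, "close", "browser"),
    (1800, "close", "spreadsheet"),
]


def usage_report(events, idle_cutoff=IDLE_CUTOFF):
    """Return {app: (total_seconds, active_seconds)}.

    Total time is open-to-close wall-clock time. Active time only counts
    seconds when the app was in the foreground AND the last user input
    was no more than idle_cutoff seconds ago.
    """
    total = defaultdict(int)
    active = defaultdict(int)
    open_at = {}        # app -> time it was opened
    foreground = None   # app currently in focus
    last_input = None   # time of the most recent user activity
    prev_t = None       # time of the previous event

    # sorted() is stable, so events sharing a timestamp keep their order.
    for t, kind, app in sorted(events, key=lambda e: e[0]):
        # Credit the interval [prev_t, t] to the foreground app, clipped
        # at the moment the user became idle.
        if prev_t is not None and foreground is not None and last_input is not None:
            active_end = min(t, last_input + idle_cutoff)
            active[foreground] += max(0, active_end - prev_t)

        if kind == "open":
            open_at[app] = t
        elif kind == "close":
            if app in open_at:
                total[app] += t - open_at.pop(app)
            if foreground == app:
                foreground = None
        elif kind == "focus":
            foreground = app
            last_input = t  # switching windows is itself user activity
        elif kind == "input":
            last_input = t
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
        prev_t = t

    # Apps never closed are counted as open until the last observed event.
    for app, opened in open_at.items():
        total[app] += prev_t - opened

    return {app: (total[app], active[app]) for app in sorted(set(total) | set(active))}


if __name__ == "__main__":
    for app, (total_s, active_s) in usage_report(SAMPLE_EVENTS).items():
        print(f"{app:12s} total={total_s:5d}s active={active_s:5d}s")
```

In the sample session the spreadsheet is open for 1,680 seconds but is only credited with 480 active seconds, because the idle period after the last input is excluded.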
Organizations that have a legal requirement to monitor the internet, network, and computer usage will likely need to ensure that the collected data is accessible for review. These organizations will need the ability to modify data retention settings to configure the length of time for data storage before the data is purged.
Configurable data retention settings will make auditing, compliance, and data storage less of a hassle for the organizations that are implementing a large-scale deployment. The ideal solution will allow the organization to store the data indefinitely to ensure that records are maintained as long as needed for the organization’s needs.
Automated data purging at configurable intervals reduces the time and resources needed to manage the data collected, saving organizations considerable costs on storage and administration as they will not need to manually purge the data, purchase new storage hardware, or upgrade to a greater storage volume with their cloud storage provider.
To monitor out-of-office employees, the software must support one of the following:
Device monitoring will track all activity on a specific device whereas user monitoring will track the individual user regardless of the device they use.
Device monitoring is often used by internet cafes, schools, and libraries to oversee the use of devices that regularly change users without necessarily requiring unique login credentials. In a workplace setting where the employer wishes to understand the browsing habits of individual employees, device-level insights may not provide sufficient details as their employees may not have a designated workstation (in the case of hot desking) or they may share devices with their coworkers.
When selecting a provider, organizations should ensure that both device-level and user-level monitoring is available to provide them with the best flexibility for their needs. Having access to both features is excellent for tailoring the insights reported based on the unique needs of managers, human resources, and IT administrators.
User grouping features such as Organizational Units (OUs) within Active Directory allow administrators to efficiently implement and adjust bespoke settings based on department, location, user, the types of data handled, and other important considerations.
Bespoke settings ensure that the solution does not cause a bottleneck in productivity. A solution that does not provide flexible configuration will subject lower-risk users to the same policy restrictions as users that perform tasks with sensitive data such as personal health information (PHI).
For large enterprises and other expanding organizations, the ability to group users and devices based on location, department or role is crucial to limit the time investment required in managing the monitoring solution. Best-in-class solutions allow for granular control of the product’s features including who can run reports, who has access to a given group’s data, and who will receive automated email reports based on the activity of the designated groups.
Real-time alerts and other notifications are a critical component of data loss prevention as they can be configured to alert administrators to insider threats engaging in suspicious or risky behavior.
These alerts can also notify human resources and managers when derogatory, sexist, or inappropriate behaviors are detected. The exact mechanism for alerting will vary by the software provider – they could be sent to the central console, to a designated email address, or sent via SMS to a cell phone.
When searching for an ideal solution, the discussion of agent-based vs agentless monitoring is certain to arise. The decision of whether or not to use a solution that provides a dedicated software agent will depend on the level of detail and control that is required by the organization.
Agent-based monitoring provides far greater customization and data collection than its agentless counterpart. Agent-based solutions require that a proprietary software program be installed on each device that the organization would like to oversee.
Depending on the data the organization needs to collect and the level of customization desired, the convenience of an agentless solution may not be worth its limitations.
With an agent-based solution, the software agents that are installed on the employees’ devices (the ‘client’ machines) will automatically send the data they capture to another computer that has the software vendor’s console program installed on it (the ‘host’ machine). The host machine functions as the centralized console for the management of the data captured from the client machines and users. For convenience, the host machine is often the computer of a manager or administrator as they are typically the ones that will need to access the data.
Despite what the name suggests, agentless monitoring solutions actually do use a software agent to collect data. The difference is that agentless solutions use software that already exists on the user’s computer as the agent for collecting data rather than leveraging proprietary software that is supplied by the software vendor. As with agent-based solutions, the agentless solution uses a centralized console to receive and interpret the data from the client machines and users.
The key advantage of using a dedicated software agent is that they provide far more features and configuration options than an agentless solution. An agent-based solution such as CurrentWare allows for added customization and control on the device level, whereas agentless solutions such as firewalls perform their functions on the network level.
Agentless solutions such as firewalls are convenient as they do not require a dedicated software program on the user’s devices. Firewalls are great for providing added protection to the security of the network; however, they are typically not the ideal solution for employee monitoring, as their lack of granular configurability limits them for organizations that need greater control over, and insight into, how their employees use technology within the workplace.
When deciding between different software providers, organizations should ensure that the providers offer fully-featured free trials of their products to allow the organization the opportunity to properly evaluate the software on all of the devices they would like to monitor.
It is important to be aware that there are inherent risks and benefits of both cloud and local storage. The option that is chosen will be heavily influenced by budget, data privacy priorities, and the quantity of data captured.
The average CurrentWare customer generates 1.5 MB of data per day for each user they monitor; with this in mind, it will take a little under two years for one employee to generate so much as 1 GB of data. This amount of storage space is more than manageable for small teams. For larger organizations, however, the data will either need to be culled periodically to make space for new data or the local storage will need to be upgraded to continue storing data.
The key advantage of local storage is that the organization has far greater control over how their data is stored, secured, and accessed.
Local storage hardware is a necessary investment when opting for a solution that offers local storage options. Larger organizations may want to configure their own dedicated servers to provide greater capabilities for storage, backups, and processing power as the number of users they monitor grows. Small-to-medium organizations will often do well with simply using an existing computer to store their data.
The need for data security is not exclusive to employee monitoring data – any organization that uses technology should already have a cybersecurity system in place to protect their data and systems. The organization must ensure the data captured is treated the same way as they would treat any other form of sensitive data.
Organizations can further reduce the chances of the data being breached by keeping it separated from the internet entirely if they wish to do so. The process of separating sensitive data from systems that are more vulnerable is a standard network security measure known as “air gapping”. Air gapping provides a significant layer of boosted security by removing the potential for the data to be breached due to a security threat that enters the network via the internet.
Software that uses cloud storage will send its data to a third-party server for storage and processing. This provides added convenience as the organization is given the option to pay a subscription fee to have an external company assist with the logistics and costs associated with data storage.
The conveniences that come with cloud storage make it a worthwhile consideration; however, the data security and legislative compliance implications of providing a third party with access to sensitive employee monitoring data must be well thought through. When choosing a software vendor that uses cloud storage technology, the organization should ensure they choose a credible cloud storage provider and that they understand how their data will be protected.
Safety And Compliance Considerations For Cloud-based Storage:
An organization may also opt for a hybrid model where they use an on-premise solution to collect and process data locally and then use their existing cloud storage provider for data redundancy rather than pursuing a software vendor that only supports their proprietary cloud storage solution.
| | Local Storage (On-Premise) | Cloud Storage |
|---|---|---|
| Cost | – Cost of storage hardware (hard drives, servers, etc.) | – Ongoing monthly or annual subscription fees |
| Data Security | – Greater control over security measures implemented<br>– Can use a LAN-based setup; less likely to be infected by malware from the internet<br>– Data could be lost in the event of a natural disaster or hardware failure if regular off-site backups are not maintained<br>– Data can be stored and processed locally and backed up to an existing cloud storage account rather than incurring expenses for storing data with the software vendor | – Third-party has control over potentially sensitive data. Depending on the infrastructure of the provider the data could be accessed by insider threats.<br>– Government orders could force the cloud provider to leak your data without your knowledge<br>– Cloud company dedicates its resources to security software, hardware, and best practices to mitigate data loss and breaches<br>– Remote access to data increases the risk of a breach following a leak of user credentials<br>– Using the cloud is permissible, but this does not take away your responsibility to safeguard your data |
| Convenience | – The organization is directly responsible for managing its data storage and protection<br>– Data backups will require more effort if storage is exclusively non-cloud | – Cloud company manages the data security<br>– Available storage scales on-demand to meet the organization’s needs |
| Compliance | – Easier to meet data residency requirements | – Data residency stipulations may require that data be stored within the same country as the organization. If the cloud-based software vendor does not have servers in the organization’s country they will not be legally usable.<br>– The organization is often legally responsible for the actions taken by their cloud storage provider, such as in the event of data misuse or a data breach. |
Some users and devices are more difficult to monitor than others – cell phones, remote workers, and in-office employees all have their own set of unique needs and each software vendor will have its own unique set of solutions.
It is important that the organization establishes the devices they truly need to track and control as well as the types of data they would like to collect as this will help them to prioritize solution providers based on their capabilities.
When evaluating a software vendor, it is important that the vendor offers a free trial of their software to provide the purchaser the opportunity to test the compatibility and suitability of the software solution within the organization’s existing infrastructure.
Having a legitimate proof-of-concept for the software is integral as it allows the organization to see how the software interacts with their existing environment before they invest considerable time, effort, and finances in fully implementing a given solution.
The software evaluation period is an ideal time to build a relationship with the software provider and judge whether or not they have the knowledge and skills to support the full-scale deployment of their software throughout the organization after purchasing. If the software provider proves to be dismissive, uncommunicative, or unhelpful during the evaluation period, this is a sure sign that they do not prioritize the needs and success of their customers.
The ethical and logistical difficulties of tracking cell phone internet traffic often make it a lesser priority than the monitoring of workstations; however, if employees are using cell phones to accomplish work tasks, those devices may need to be monitored as well.
Considerations For Tracking Cell Phone Internet Use:
The most practical approach to track cell phone internet traffic in the workplace would be to use an agentless solution designed for managing multi-platform devices. An agentless solution allows for tracking of mobile devices connected to the organization’s wireless network without requiring the installation of dedicated software on each device.
An agentless mobile device management solution is an ideal solution for organizations with BYOD policies that want to track cell phones on their network without the administrative overhead of managing agents each time an employee introduces a new mobile device.
In addition to meeting the necessary technical requirements of the organization, the solution needs to be appropriate for the scale of the organization and how it operates.
The number of users that will be monitored is an incredibly relevant factor when selecting a software vendor. An organization that is a lean startup or small-to-medium business (SMB) with a handful of employees will have completely different scalability considerations than a mid-market or large enterprise.
Scalability considerations will be most relevant at three key stages:
Scalability Questions to Ask the Software Vendor:
Scalability is not just about the technology having the resources necessary to make software client deployments manageable and support the number of users, it is also about the organization and management of users within the console.
User grouping features such as Organizational Units (OUs) within Active Directory allow administrators to efficiently implement and adjust bespoke settings based on department, location, user, and other important configuration considerations. User grouping features will be absolutely essential during a merger and acquisition (M&A) or other events that require a large-scale migration of users into the organization’s employee monitoring ecosystem.
Solutions are offered in a wide gamut of prices and pricing models, and the most expensive solution is not necessarily the best fit for the organization. Employee monitoring solutions can be a cost-efficient investment so long as the organization thoroughly plans for the features they truly need and they budget accordingly for the costs associated with those features.
Pricing models for software solutions are typically within two categories: subscription or perpetual pricing.
Subscription pricing provides access to the software only for so long as an ongoing monthly or annual fee is paid. With subscription-based pricing, the organization will have immediate access to the latest feature updates provided by the software vendor and the associated costs can be made into an operating expense if desired. These advantages come at the expense of requiring ongoing payments to have access to the software.
Perpetual pricing provides permanent lifetime access to the software following a one-time payment. Perpetual pricing models allow the associated costs to be made into a capital expense if desired. As for the cost of updates, many software vendors will include a fixed-term period of software updates following the initial purchase.
With perpetual pricing, the organization will have access to the version of the software they purchased without requiring ongoing payments, though new features and other major updates to the product may require additional purchases. When selecting a vendor that uses a perpetual pricing model, ask if they offer advantageous pricing to current customers that want to upgrade to the latest version of their product.
Another important consideration is volume licensing – vendors that offer either subscription or perpetual pricing models are likely to offer advantageous pricing as the number of licenses purchased increases.
Choosing the appropriate licensing model for an organization depends on their budget, accounting policies on operating expenditures vs capital expenditures and their desire for predictable pricing for the solution they choose.
Purchasing and implementing employee monitoring solutions is a comparatively small investment compared to the impacts of non-compliance. Based on the findings from a 2017 study sponsored by GlobalScape and conducted by the Ponemon Institute, the average cost of compliance for the companies surveyed was $5.47 million and the average cost of non-compliance was $14.8 million – 2.71x greater than the cost of compliance.
In the case of GDPR non-compliance fines, organizations can face a maximum fine up to the greater of 20 million Euros or 4% of their total annual worldwide turnover in the preceding financial year. In July of 2019, British Airways faced a proposed £183m fine due to their lack of appropriate protections for sensitive customer data leading to a data breach.
Companies that invest in meeting and maintaining their compliance needs can save themselves from the significant costs that arise from non-compliance issues such as business disruption, fines, loss of productivity, and settlement costs.
When an organization chooses software for monitoring, they are also choosing the vendor that provides the software. How the software vendor engages with its customers is just as important as how well their software fits the organization’s needs and should not be overlooked.
Customer Success Considerations:
Ease of use is an incredibly broad topic and it can mean different things depending on the context. For the purposes of the guide, the focus is going to be this: Can the people that have to use the software navigate it intuitively?
SMBs that are not prioritizing having a dedicated Information Technology (IT) department rely on their existing staff to navigate the deployment, configuration, and management of the software. The staff member deploying the software may be comfortable navigating it, but what about the manager that will actually be using the software to prepare reports and manage their employees? Is the software intuitive enough that less tech-savvy staff members can be easily trained to use the software?
Here’s what to look out for from the software:
The chosen software vendor needs to be one that ensures that users are adequately supported according to their level of expertise. When the organization is deciding on a software vendor they should place stronger consideration on one that caters to organizations of a similar size for the best experience.
What To Look For In Vendors:
Customer support can happen in a variety of ways. The support channels available, the timeliness of responses, and the scope of support are all considerations that need to be discussed with the software vendors that are being evaluated based on the needs and resources of the organization.
The support channel used will depend on the nature of the support needed. Phone support and remote assistance options are often essential for resolving technically complicated questions and getting immediate support, whereas email and live text chat are better used for less urgent assistance.
Another important consideration for phone-based support is its availability – does the software vendor offer 24/7 assistance or will support calls need to be scheduled around different time zones and available support hours?
Software vendors will offer different support tiers to better accommodate the needs of their customers. While most of these support options (such as phone and email) will be included with the purchase of the software, the vendor may also offer priority support that can be purchased separately from the product. Priority support packages are generally purchased on a retainer or subscription basis to ensure the vendor can afford to provide the level of support required.
Priority Support May Include:
Monitoring solutions interact with various operating systems, internet browsers, and anti-virus solutions. As the ecosystem they are deployed in evolves, unexpected compatibility issues may arise. Ongoing product maintenance and feature improvements are what ensure the solution continues to work as expected.
Feature Improvements are major enhancements to the software. Depending on the software provider and the nature of the feature improvement, software upgrades will either be included in the license or require additional payments.
The chosen software vendor should be open to feedback from customers. If the company demonstrates that it values customer feedback, that is a good sign that they care about the experience of their customers and that they will work diligently to provide the features and other enhancements their customers need.
When selecting a software vendor, ensure that they are currently active and that their product has been recently updated. To determine if the software vendor is currently active, check out their social media, contact their support team, and/or view their release notes to make note of when the last product update was provided. If new updates and maintenance fixes have not been provided for many years, it may be a sign that their software is no longer being supported and it may be near its end of engineering.
An effective employee monitoring strategy relies on careful planning and clearly defined objectives. The software and other tools used to support the strategy will be considerably more effective if their features and capabilities are appropriately matched to the objectives of the organization.
This section will provide actionable tips for setting clear goals, monitoring ethically, and addressing common concerns. By following these tips an organization can greatly increase the effectiveness of its employee monitoring strategy.
The organization must have a clear understanding of the goals it has and how its employee monitoring strategy will best meet those goals.
Common Goals Include:
If transparency is desired or required, organizations can best showcase the trustworthiness of how employee monitoring is used in the organization by installing the software on the devices used by managers and employees alike. When managers demonstrate their confidence in the benefits of monitoring, employees are more likely to buy in to the organization’s use of the solution.
For transparency-based strategies, one of the best ways to increase employee buy-in is to treat everyone fairly. Organizations should refrain from singling out a specific employee or department unless there is a legitimate business reason to do so as employees may feel resentful towards the organization or their managers for singling them out.
That said, each department or role will have different requirements depending on what is considered normal behavior in their context and the sensitivity of the data they have access to. The marketing department will need unrestricted access to social media to perform their duties; however, other departments may not have a legitimate business reason for social media use during work hours. The important thing is to plan accordingly and clearly communicate the purpose of the configurations used.
Methods of monitoring that capture greater detail than is realistically required to meet the organization’s goals may be considered invasive. Just as security cameras should not be placed in dressing rooms and bathrooms, employee monitoring has contexts where its usage can be objectionable.
For your average organization, tracking keystrokes – the individual inputs an employee gives to a computer through their keyboard – goes far beyond what is necessary to effectively monitor employees and could even be illegal depending on the laws that govern the organization.
Employees that have their keystrokes tracked may have concerns that their personal information, private conversations, or login credentials may be captured and potentially leaked, causing undue anxiety and stress when using their workstations.
That said, organizations that handle highly classified information may wish to keep a much closer eye on the exact inputs made by their employees. If the organization has a legitimate business need for tracking the keystrokes of employees, it helps if it is upfront with its employees about why this practice is included in its policy and educates them on how keystroke data has been secured.
It is quite apparent that personal devices such as cell phones are ubiquitous in our lives today. Personal smartphones have a striking portfolio of practical uses, but they can also serve as an undesirable distraction for employees. If organizations are already monitoring workstations to dissuade unproductive personal browsing, they might be tempted to oversee all devices that are used in the workplace.
While there are solutions that can track personal devices, organizations can expect that most of their employees will naturally have objections to having their personal devices monitored in a professional setting.
To mitigate excessive personal device use it is better to use traditional techniques such as an enforced Acceptable Use Policy that includes how the organization would like personal devices to be used. While organizations will likely not be able to entirely prevent the use of personal devices without more extreme measures, having a clear message for how they expect these devices to be used in the workplace can serve as a baseline for further discussions should an employee make a habit of using their phone during work times.
Human resources (HR) plays an integral role in ensuring that employee monitoring is done in a way that respects the autonomy and privacy of employees while still meeting the objectives of the organization.
As an organization continues to expand, it is possible that misconduct may not be as readily noticed. Both direct and indirect victims of harassment and other forms of misconduct may not feel safe or empowered to report misconduct as it happens.
The chosen software solution can be used by the organization to alert designated administrators when it detects the use of discriminatory, threatening, or demeaning language in internet searches, emails, and other forms of communication. If evidence of misconduct is discovered, it may serve as crucial evidence when addressing whether or not the behavior is creating a hostile work environment.
Ultimately, software is only a segment of employee behavior awareness, particularly in the case of identifying misconduct such as harassment. Organizations will need to implement other forms of due diligence in conjunction with software-based monitoring to ensure they maintain a safe and respectful working environment.
Policies form the baseline of expectations for how employees are to use the technologies in their workplace. With clearly communicated policies in place, employee monitoring can serve as an added layer of enforcement to ensure that the policies are being appropriately adhered to.
To ensure that employees can truly provide informed consent, human resources should develop written policies that clearly define the scope of employee monitoring within the organization.
A well-crafted policy helps employees understand the solutions used in their workplace as well as why those solutions are necessary for the organization. The policies should also detail what is not being monitored so that privacy-conscious employees can fully understand the scope of the monitoring.
An in-depth acceptable use policy is critical for a successful cybersecurity and workplace behavior plan. If employee monitoring software is to be used to dissuade excessive unproductive browsing habits and other undesirable behavior, organizations must first start by explicitly stating their expectations for how the internet and other resources are to be used by employees.
Common Clauses for an Acceptable Use Policy:
The world of employee monitoring is a bit of a double-edged sword. Organizations want to keep their data and systems secure and use the data they collect to allow their managers to better manage their workforce, but for some employees, the feeling of having an all-seeing eye watching over them might cause privacy concerns or the feeling that they are not trusted to manage their own work.
When developing an employee monitoring policy, it helps to get feedback from the employees and truly show them the benefits of the developed strategy. By giving employees an element of input during the process they will feel less like the solution is being forced on them and more like they had an opportunity to contribute to the development of a policy that is fair for both parties.
Privacy concerns related to the data collected can be a significant source of friction between employees and the organization. To mitigate privacy concerns, organizations should consider the level of transparency they provide regarding their solution, how they will protect the data captured, and how they will manage the unique needs of remote employees.
Depending on the legislation that governs the organization, informed consent may be mandatory. For example, Europe’s General Data Protection Regulation (GDPR) requires employers to explicitly disclose to employees the fact that they are being monitored and the methods used to do so (security cameras, internet usage tracking software, etc).
Even if there are no laws that specifically require that the organization discloses to employees that they are being monitored, they may wish to do so anyway in the interest of transparency. How transparent the organization is regarding its strategy is highly dependent on its discretion and unique needs.
It’s one thing to tell employees what data is collected from them, and it’s an entirely different thing to truly show them what is being collected. If the chosen software allows managers to share reports with specific users, they may wish to give employees the option to request a report of their data so they can truly understand what is being collected.
If managers choose to go this route, it is critical that they ensure that employees cannot see the data of their coworkers. Only a manageable group of members with legitimate business needs for the data should be allowed to access it. Depending on the size, structure, and needs of the organization they will likely appoint department managers that can only access the data of the department they manage, or they may give human resources and similar personnel access to the data on an as-needed basis.
Employee monitoring data can potentially be highly sensitive depending on its nature. Organizations are responsible for securing any sensitive data they possess, including the data they capture regarding their employees’ computer and internet use.
Examples Of Sensitive Data:
Data security is a complex subject and should be discussed with dedicated IT and cybersecurity professionals. If the data is required to be stored for future reference due to regulatory requirements or internal policies, the organization should ensure that the data is properly secured and that only trusted members are given access to that data.
If the intention of employee monitoring is focused on understanding the organization at the department or team-level rather than the specifics of a single user, organizations can reduce how personal this data is by using a technique called pseudonymization. With pseudonymization, the personally identifiable information collected can be removed entirely or replaced with anonymous identifiers, allowing managers to leverage the insights contained in the data without singling out an individual employee.
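One way to apply the pseudonymization described above, as an added example that is not CurrentWare's code: usernames are replaced with keyed HMAC-SHA256 identifiers before reporting, and the report aggregates per department. The record layout, the sample data, and the `min_users` suppression threshold (which hides departments small enough to single someone out) are assumptions made for this illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records: (username, department, domain, seconds spent).
SAMPLE_EVENTS = [
    ("asmith", "marketing", "social.example", 1200),
    ("asmith", "marketing", "news.example", 300),
    ("bjones", "marketing", "social.example", 900),
    ("cwu", "marketing", "docs.example", 600),
    ("dlee", "finance", "bank.example", 1500),
]


def pseudonym(username: str, key: bytes) -> str:
    """Return a stable pseudonym for a user.

    A keyed HMAC is used instead of a plain hash because usernames are
    guessable: without the key, nobody can hash a staff list and match it
    against the report. The key must be stored apart from the report data.
    """
    digest = hmac.new(key, username.lower().encode("utf-8"), hashlib.sha256)
    return "u_" + digest.hexdigest()[:16]


def pseudonymize(events, key: bytes):
    """Replace the username in every record with its pseudonym."""
    return [
        {"user": pseudonym(user, key), "department": dept,
         "domain": domain, "seconds": seconds}
        for (user, dept, domain, seconds) in events
    ]


def department_report(records, min_users: int = 3):
    """Aggregate time per department from pseudonymized records.

    Departments with fewer than min_users distinct pseudonyms are
    suppressed, since a total for one or two people still identifies them.
    """
    users = defaultdict(set)
    seconds = defaultdict(int)
    for rec in records:
        users[rec["department"]].add(rec["user"])
        seconds[rec["department"]] += rec["seconds"]

    report = {}
    for dept, total in seconds.items():
        if len(users[dept]) >= min_users:
            report[dept] = {"users": len(users[dept]), "seconds": total}
        else:
            report[dept] = {"suppressed": True}
    return report


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; load a real key from a secret store
    print(department_report(pseudonymize(SAMPLE_EVENTS, key)))
```
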
Remote employees are a unique challenge, particularly if the organization allows them to work from home using personal workstations. If the organization utilizes Bring Your Own Device (BYOD) practices and they would still like to install remote employee monitoring software on these devices, they can schedule the software to only collect data during expected work hours.
If remote employees are not comfortable with installing the software on their personal devices, the next best step would be for the organization to provide a dedicated device for them to use to complete work tasks. This ensures that remote employees can maintain a reasonable level of privacy on their personal devices while still being monitored in a similar manner to their in-house colleagues.
Employees that consider themselves to be productive and ethical professionals that are capable of managing their own workloads and behaving appropriately may feel that employee monitoring is a sign that their employer does not trust them to self-manage. This feeling of a lack of trust can cause even the best employees to begin to feel resentful, resulting in – ironically – a decrease in their productivity!
To help reduce the feeling that employees are not trusted, it helps to start by acknowledging the positive impacts of their efforts and ensure that their managers are there to truly listen to their concerns and make them feel understood. Employees need to understand that the solutions used are not a reflection of personal feelings towards a specific individual and are instead a tool for the organization to meet its objectives.
When it comes to employee monitoring, there are some legislative requirements that organizations should be aware of. The exact legislation that applies to the organization will depend entirely on where the organization operates, and legislation is bound to change over time.
CurrentWare has customers in over 50 countries, each with its own unique legal considerations. Legislation concerning employee privacy, data security, and other compliance needs will vary greatly depending on the relevant jurisdiction. As legislation is often incredibly complex and subject to change over time, the best practice is to consult directly with lawyers that specialize in the organization’s industry.
Aside from specific legislative needs that must be determined through the appropriate channels, there are some best practices that can be considered in the early stages of planning outlined below.
The legality of employee monitoring depends entirely on regulations and other legislation that are specific to the organization and its industry. It is important to ensure that the methods used by the organization are lawful according to their specific context and the governing bodies associated with them.
The recommended best practice is to have employees read and sign a technology in the workplace policy that makes them aware that their activity is being monitored, so that they have provided informed consent. An example of mandated employee consent can be seen in Europe’s General Data Protection Regulation (GDPR), which requires that employers inform employees that they are being monitored in the workplace and the methods that will be used (security cameras, internet usage tracking software, etc.).
Tracking the internet usage of employees is typically no issue so long as the organization has informed consent from the employees, the monitoring is being done in the context of their work (e.g. not their private lives), and the methods used are not excessively invasive (e.g. keystroke logging).
Depending on the nature of a given organization, tools such as internet filtering, user activity tracking, and endpoint security software may be more than legal – they could very well be mandatory.
For example, healthcare organizations that are subject to HIPAA are required to implement suitably robust technical safeguards to adequately protect the data they collect and store in order to meet their compliance requirements.
With the best practices presented in this article, organizations can implement an employee monitoring strategy that respects the privacy and autonomy of employees while allowing the organization and its members to make the most out of the data collected.
Are you ready to take charge of your organization’s employee productivity and endpoint security? Do you need to monitor and restrict internet access to ensure compliance? CurrentWare is here to help.
CurrentWare provides a suite of software solutions to help organizations improve employee productivity, meet regulatory compliance, and bolster their data loss prevention capabilities with robust endpoint management features.
Visit our download page to sign up for a 14-day free trial for up to ten computers and see first-hand how CurrentWare’s employee monitoring software solutions can transform your workplace!
Authors: Dale Strickland
Editors: Sai Kit Chu, Jaimin Lakhani, Andy Phan, & Neel Lukka