Top 2 Best Practices for Employee Monitoring

November 13
In my previous post, I discussed ways you can manage your employees’ actions that are more effective than becoming a quasi-Facebook stalker. When you use other security methods to manage employee network usage, such as blocking malicious websites, leveraging access control and encryption solutions for files and applications, and filtering outbound emails and attachments, you will prevent a large majority of actions that could damage your company without having to analyze every keystroke of your employees.

However, you may discover, perhaps through multiple alerts or various log files, that someone in your office has been flagged several times attempting to forward encrypted documents to a suspicious party or accessing a blocked website using Tor or another Dark Net browser. Such scenarios would give you probable cause for monitoring that employee’s activity, but you probably don’t want to move forward with employee monitoring technology until you put some best practices into place. While it’s perfectly legal* to monitor employees, doing so without setting ground rules threatens employee morale.

In his recent LinkedIn post “Disadvantages of Employee Internet Monitoring in the Workplace,” Matthew Geiger writes:

[E]mphasizing the fact someone is always watching can breed distrust and resentment, thus reinforcing a lack of professionalism in the workplace. If an employer expects employees to behave responsibly, Internet monitoring can undermine the professional nature of the environment as professionals must have room to make their own decisions.

Given these caveats, how do you go about setting up best practices for employee monitoring? Here are my top two to consider.

1. Restrict employee monitoring to situations where you have reasonable cause to believe an employee may be causing harm to your business.

Employment law specialist and author Lisa Guerin writes that you should only monitor employees for sound, business-related reasons:

If you have a reasonable suspicion that a particular employee is engaging in unauthorized use of your equipment, that would certainly qualify as legitimate cause for monitoring. Equally sound reasons include keeping track of productivity or monitoring the quality of customer service.

In other words, it isn’t appropriate to monitor an employee because she used your servers to email her child’s school for a parent-teacher meeting. As the lines between people’s work and personal lives continue to blur, using your Exchange servers to handle a pressing personal matter may just be a more efficient use of her time than having to make a protracted phone call, let alone having to visit the school during work hours.

But if that same employee appears to be spending hours on social media without a legitimate reason for doing so, then yes, monitoring her activity would not be out of line.

2. Develop and implement a fair and consistent employee monitoring policy.

If you haven’t written up a straightforward and consistent employee monitoring policy, you need to do so before you monitor any of your employees. If you have already implemented a policy, you may want to review it with your legal team to make sure it is consistent and fair. Your HR department should also be involved in crafting your policy since that department will be (or should be) involved in any situation that warrants such actions.

There are two good reasons to implement a sound policy. The first one, employee morale, is the most obvious, and I’ve already beaten this point into the ground. The second is legal. Although it’s technically legal to monitor employees without their consent, you may find yourself slapped with a lawsuit that will be expensive, regardless of its merit.

In a recent Spiceworks thread about monitoring employees, commenter MichaelITIN offers a great tip about developing and sharing a monitoring policy with your employees:

Courts often look at whether employees were informed that their calls or emails might be monitored in the workplace, whether there was a valid business justification for the monitoring, and whether the employer complied with established policy.

In other words, if you spell out the parameters of that policy and get your employees to consent to it, you’ll be less likely to find yourself dealing with disgruntled employees, let alone with a lawsuit that could damage your company much more than the majority of actions you might be monitoring.

*Note: Be sure to check with a lawyer and read local laws and statutes that govern employee monitoring in your area before implementing any monitoring program.

Photo credit: Mike Mozart via Flickr