As I discussed in my last post, employee surveillance may be legal, but it isn’t necessarily ethical. If you’re using it to improve employee productivity, for example, you paradoxically risk lowering productivity by destroying employee morale. Just because your accounts payable employee spent a half-hour playing solitaire or buying Christmas gifts, doesn’t mean she is loafing on the job. She may be a quick worker who deserves increased responsibilities rather than a scolding. A good manager should be able to tell the difference (whether they can or not is the subject for another post).
But even if ethics weren’t an issue, company-wide employee monitoring just isn’t practical. Think about it. If you run a 200-person business, who is going to sit down and scrutinize every chat session or browsing activity, let alone every screenshot or key logged in a given day? Your IT department? Your legal team? It just isn’t an effective use of their time.
You’re much better off using layered security solutions to prevent such vulnerabilities as malware, loss of IP (Intellectual Property) and other confidential information, and possible litigation resulting from illegal activity or non-compliance. Here are three actions to consider.
1. Proactively block malicious or otherwise distracting websites and domains.
Worried the resident “bro” sales engineer will download new porn from ThePirateBay? Then why tempt him? It makes so much more sense to block access to these sites than to complain about lost employee productivity or risk a sexual harassment lawsuit. Most security solutions offer this capability and include blacklists of sites known to harbor malware or inappropriate content. Although this tactic isn’t 100% foolproof, it will prevent a large percentage of potential headaches without having to snoop on the majority of your employees.
2. Leverage access control and encryption solutions for your files and applications.
If you’re worried that employees may be sending confidential PDFs or other files to a competitor, you have several options. For example, you can:
- Make the file read-only so that it cannot be printed
- Encrypt the file and require a complex password to access it
- Limit access to the file to a limited group of people — or even just one person
Access control solutions have become so granular in nature that the effort involved in trying to access, let alone steal a given document, is going to dissuade the majority of your employees from even trying (and should prevent the majority of accidental loss scenarios).
And you can limit access to certain apps, endpoints, and other parts of your network to just the people who have the clearance to use them. It’s a much better option than trying to pinpoint the source of a data leak after the fact.
3. Filter outgoing emails and attachments.
You probably filter incoming emails for malware and other goodies, but filtering outgoing email and attachments is just as important. Filtering technologies can look for specific keywords or other thresholds and prevent emails and attachments from leaving the network before a qualified person can check them out. If, for example, an employee tries to send an encrypted PDF to an unauthorized party (and perhaps the PDF’s password through another means), the outgoing filter will still prevent the file from leaving the network.
And if you notice—either in passing or by checking log files—that someone in your office has gotten flagged one or more times for doing something sketchy, then you would have probable cause to monitor his or her subsequent activity. And surveillance on a handful of employees is much more cost-effective than snooping on hundreds of employees, most of whom have done nothing to cause suspicion.
My last post in this series will look at some best practices for employee monitoring. Until then please leave your thoughts in the comments!