Home » Physical Security » Employee Protection

In Depth

Employee Monitoring: Watch This Way

What you don't know about how your employees are using company resources can hurt you. But remember this: There are acceptable, and not so acceptable, ways to monitor employee activity.

By Daintry Duffy

February 01, 2003 — CSO — Who hasn't mistyped a URL or clicked on an innocent-looking link only to end up in one of those vile little pornographic cul-de-sacs that seem to lurk on the periphery of many popular Internet sites? While Whitehouse.gov brings you to the president's squeaky-clean official website and updates on bill signings and the war on terrorism, the URL Whitehouse.com leads you to a smutty XXX site that capitalizes on its famous name with pictures of "Hot Interns!"

Whenever I accidentally hit one of these siteswhich usually results in dislocating some body part as I reflexively lurch to click the window shutI wonder whether I'll be explaining it to my manager at my next performance review.

This is the same employee fear that CSOs are up against when they implement an employee monitoring policy (often tagged with the kinder, gentler moniker of "acceptable use policy"). Workers fret that their private communications will be laid bare to any network administrator, that infractions of the policy, even accidental ones, will be a cause for disciplinary action and that the corporate culture could take a distinctly Orwellian turn.

Concerns about surveillance are also shared by many CSOs who would prefer to leave e-mail and Internet baby-sitting to direct managers. But the question of whether to monitor what employees do on company time with corporate resources has been largely decided by legal precedents that are already holding businesses financially responsible for their employee's actions. Increasingly, employee monitoring is not a choice; it's a risk-management obligation.

A 2001 survey of workplace monitoring and surveillance practices by the American Management Association (AMA) and The ePolicy Institute showed the degree to which companies are turning to monitoring. Eighty-two percent of the study's 1,627 respondents acknowledged conducting some form of electronic monitoring or physical surveillance. Of those, 63 percent of the companies stated that they monitor Internet connections, and about 47 percent acknowledged storing and reviewing e-mail messages. A follow-up questionnaire to the AMA's survey also probed the companies' rationales for monitoring. The highest-rated concern in this follow-up was legal liability (68 percent), followed by general security concerns (60 percent). Measuring employee productivity and generating fodder for performance reviewsthe motives that employees usually ascribe to so-called corporate snoopingwere significantly lower on the list.

The main reason for the disconnect between the corporate motives for monitoring and employees' interpretations of them is that communication around the issue is so poor. One in five companies, according to the same survey, still doesn't have an acceptable use policy for e-mail, and one in four has no policy for Internet use. Companies that do have policies usually tuck them into the rarely probed recesses of the employee handbook, and even then the policies tend to be of the vague and lawyerly variety: "XYZ company reserves the right to monitor or review any information stored or transmitted on its equipment." Reserving the right to monitor is materially different from clearly stating that the company does monitor, listing what is tracked, describing what it looks for and detailing the consequences for violations. No wonder employees are anxious.