Home » Physical Security » Employee Protection

In Depth

Employee Monitoring: Watch This Way

What you don't know about how your employees are using company resources can hurt you. But remember this: There are acceptable, and not so acceptable, ways to monitor employee activity.

By Daintry Duffy

Page 5

Outside of the daunting prospect of courtroom appearances, there are some practical human resources arguments to be made for monitoring. Usually, employees have only to hear that e-mail and Internet use will be tracked, and 90 percent of the problem behaviorsfrom raunchy jokes to excessive Internet surfingwill cease. Companies that don't nip their employees naughty habits in the bud risk the creation of a much larger HR problem. When employees were caught either sending or receiving dirty jokes and images at a New York Times Co. facility, the company ended up firing 10 percent of its workforce at that location.

Monitoring also becomes far more palatable to employees when you make it clear that it provides a measure of protection for them against all the previously mentioned problems. At The Regence Group, an affiliate of Blue Cross and Blue Shield, CISO David MacLeod makes just such an argument to his employees. Through newsletter articles, posters and technology fair booths, MacLeod gets his message out about monitoring. "We characterize it as something that's for their own protection," he says. "If somebody claims an employee did something, we have good audit trails to show if they did or didn't."How You Can Monitor: Got Enforcement?Clearly defining the company's expectations and notifying employees of how and when monitoring will take place are important steps on paper but even more critical in practice. Flynn recommends that companies take what she refers to as the "three-E approach." Establish your policy; educate the workforce; and enforce your policy consistently. That could mean pairing content-scanning technology with a written policy and then reinforcing it with a strong education program that cements the issue in the employee's mind.

Many companieseven those with exceptionally detailed policiesdon't actively educate employees about what acceptable use means in day-to-day office life. During orientation, the HR rep might hand a new employee the acceptable-use policy form, and in the blizzard of information, it fails to stick. At The Regence Group, visual reinforcements like posters and newsletters remind employees about policies. And MacLeod requires every employee go through a security awareness program that is separate from the orientation process. He also ensures that his group's new slogan"Security is everyone's job"is widely circulated and highly visible throughout the company. The company has an oversight committee composed of all the senior executives, and when it decides on a security initiative, MacLeod has the executives bring that decision to their organization. "That way when somebody goes to [an executive] complaining that security thinks we should do this or that, the executive can say, Yes, I participated in that decision, and here's why we're doing it," says MacLeod. "We don't have to be the only evangelists."