Home » Physical Security » Employee Protection

In Depth

Employee Monitoring: Watch This Way

What you don't know about how your employees are using company resources can hurt you. But remember this: There are acceptable, and not so acceptable, ways to monitor employee activity.

By Daintry Duffy

Page 6

Part of the education process is ensuring that employees know bad things can happen when they ignore the policyand not just to them personally. E-disaster stories can be a tremendous education tool for CSOs. While most security executives would undoubtedly blanch at the idea that they should be inciting fear among the masses, employees do need to understand that there's a connection between what they do and the kinds of stories they see in the news. When a company is hurt by internal e-mails made public, it's a good time to circulate a reminder that what employees say on e-mail is neither private nor confidential and can be used against the company. If there's a story in the news about employees posting confidential corporate information to Internet bulletin boards, it's worth reiterating at that time that such activities are against corporate policy and will be investigated.

It's one thing to craft a "take no prisoners" policy that threatens serious consequences to employees that flout its rules; it's another thing to follow through with it. In fact, setting out a tough policy and monitoring employee behavior but doing nothing about what you find is one of the most dangerous things a company can do. "The biggest mistake companies make is not taking action," says Miriam Wugmeister, a labor and privacy law attorney with Morrison & Foerster in New York City. "A company that puts out a policy and finds those sexually explicit e-mails and does nothing about them [will be vulnerable to a lawsuit] because they monitored and took no action. They knew about the situation, tolerated it and condoned it as an employer." Also, when the company has a policy but repeatedly does nothing to enforce it, it takes the teeth out of it. If an employee then violates the policy in a sufficiently egregious way and the company decides to terminate him, it could face a discrimination suit because its failure to enforce the policy in the past has created the expectation that it won't be enforced at all.

Flynn suggests that CSOs make a bold statement by terminating the first person who violates the policy after it is put in place to set the precedent early on in the company. "If you terminate that first person to violate, you may avoid having to terminate a dozen or more employees down the road," Flynn says. When a policy infraction leads to disciplinary action, it's also a good idea to get the word out. Whether the employee was disciplined for e-mailing inappropriate material or spending too much time on eBay, let the fact that the policy is being enforced leak out. "The grapevine does a great service in these situations," says Russell Schofield, managing director of IT at National Cooperative Bank in Washington, D.C., who notes that you can almost hear the collective "Uh-oh!" from the rest of the employees who suddenly realize that the company really is watching.