Employee Monitoring: Watch This Way

What you don't know about how your employees are using company resources can hurt you. But remember this: There are acceptable, and not so acceptable, ways to monitor employee activity.


Monitoring also becomes far more palatable to employees when you make it clear that it provides a measure of protection for them against all the previously mentioned problems. At The Regence Group, an affiliate of Blue Cross and Blue Shield, CISO David MacLeod makes just such an argument to his employees. Through newsletter articles, posters and technology fair booths, MacLeod gets his message out about monitoring. "We characterize it as something that's for their own protection," he says. "If somebody claims an employee did something, we have good audit trails to show if they did or didn't."

How You Can Monitor: Got Enforcement?

Clearly defining the company's expectations and notifying employees of how and when monitoring will take place are important steps on paper but even more critical in practice. Flynn recommends that companies take what she refers to as the "three-E approach": establish your policy, educate the workforce, and enforce your policy consistently. That could mean pairing content-scanning technology with a written policy and then reinforcing it with a strong education program that cements the issue in the employee's mind.

Many companies, even those with exceptionally detailed policies, don't actively educate employees about what acceptable use means in day-to-day office life. During orientation, the HR rep might hand a new employee the acceptable-use policy form, and in the blizzard of information, it fails to stick. At The Regence Group, visual reinforcements like posters and newsletters remind employees about policies. And MacLeod requires every employee to go through a security awareness program that is separate from the orientation process. He also ensures that his group's new slogan, "Security is everyone's job," is widely circulated and highly visible throughout the company. The company has an oversight committee composed of all the senior executives, and when it decides on a security initiative, MacLeod has the executives bring that decision to their organization. "That way when somebody goes to [an executive] complaining that security thinks we should do this or that, the executive can say, 'Yes, I participated in that decision, and here's why we're doing it,'" says MacLeod. "We don't have to be the only evangelists."

Part of the education process is ensuring that employees know bad things can happen when they ignore the policy, and not just to them personally. E-disaster stories can be a tremendous education tool for CSOs. While most security executives would undoubtedly blanch at the idea that they should be inciting fear among the masses, employees do need to understand that there's a connection between what they do and the kinds of stories they see in the news. When a company is hurt by internal e-mails made public, it's a good time to circulate a reminder that what employees say on e-mail is neither private nor confidential and can be used against the company. If there's a story in the news about employees posting confidential corporate information to Internet bulletin boards, it's worth reiterating at that time that such activities are against corporate policy and will be investigated.

It's one thing to craft a "take no prisoners" policy that threatens serious consequences to employees who flout its rules; it's another thing to follow through with it. In fact, setting out a tough policy and monitoring employee behavior but doing nothing about what you find is one of the most dangerous things a company can do. "The biggest mistake companies make is not taking action," says Miriam Wugmeister, a labor and privacy law attorney with Morrison & Foerster in New York City. "A company that puts out a policy and finds those sexually explicit e-mails and does nothing about them [will be vulnerable to a lawsuit] because they monitored and took no action. They knew about the situation, tolerated it and condoned it as an employer." Also, when the company has a policy but repeatedly does nothing to enforce it, it takes the teeth out of it. If an employee then violates the policy in a sufficiently egregious way and the company decides to terminate him, it could face a discrimination suit because its failure to enforce the policy in the past has created the expectation that it won't be enforced at all.

Flynn suggests that CSOs make a bold statement by terminating the first person who violates the policy after it is put in place to set the precedent early on in the company. "If you terminate that first person to violate, you may avoid having to terminate a dozen or more employees down the road," Flynn says. When a policy infraction leads to disciplinary action, it's also a good idea to get the word out. Whether the employee was disciplined for e-mailing inappropriate material or spending too much time on eBay, let the fact that the policy is being enforced leak out. "The grapevine does a great service in these situations," says Russell Schofield, managing director of IT at National Cooperative Bank in Washington, D.C., who notes that you can almost hear the collective "Uh-oh!" from the rest of the employees who suddenly realize that the company really is watching.

Copyright © 2003 IDG Communications, Inc.
