Your mission, should you decide to accept it, is to implement software that will monitor your employees’ every keystroke typed, every e-mail and instant message sent, every document opened and edited, even every Web site visited.
And then to disclose to your employees — as honestly and completely as you can — what you are doing and why you’re doing it.
Good luck, business owner (or mom, dad or spouse, as you’ll read later).
This is a situation more and more businesses face today. Employee-monitoring devices — known to many as “spyware” — have become more attractive, affordable and easy to use. Companies see their value in helping to increase security, improve productivity, and to reduce employee misbehavior, competitive information leaks, and liability risks. Many employees, however, believe monitoring software infringes their privacy rights. If the implementation is communicated poorly, or the company simply goes too far in its zealousness, morale could be damaged and good people may quit.
Mission impossible? See my need-assessment and implementation strategies below.
Internet use at work growing
The reality is that an increasing number of companies are making this investment, and not so much because of security concerns. Mostly, it’s because of increased business use of the Internet. As more and more businesses provide high-speed and dial-up Internet access to their employees, they seek to avoid employees accessing pornography or games or doing excessive personal business through the Web or e-mail.
A study by the nonprofit Privacy Foundation in 2001 found that, at the time, 14 million employees in the United States — more than one-third of the employees with access to the Internet — have had their Internet or e-mail use at work under continuous surveillance. Worldwide, the number of employees under surveillance was estimated in 2001 at 27 million, according to the Privacy Foundation study. Though still largely the domain of corporations, an increasing number of small businesses are monitoring employee Web and e-mail use. In-Stat/MDR found that as far back as 2000, 19% of the small businesses it surveyed were monitoring employee Web use, with 10% of the respondents also taking action to “block” certain sites considered inappropriate.
Monitoring products vary from piecemeal solutions to comprehensive. Websense Enterprise from Websense, for example, is a frequently used product to monitor employee Internet use; it can filter out Web sites, as appropriate. Likewise, Clearswift MIMEsweeper, is a popular e-mail monitoring product.
Meanwhile, WinWhatWhere from TrueActive Software monitors every e-mail, instant message and document sent and received, and also every keystroke typed on a PC where it is installed. The latest version even snaps pictures from a WebCam, saves screenshots, and reads keystrokes in multiple languages. Company founder and chief technology officer Richard Eaton says that about 80% of its sales have been to businesses, and the remainder to government agencies, parents monitoring their kids’ PC use, and men or women suspicious of their lovers.
Achieving the right balance
Yes, it is in the best interests of companies today to consider using surveillance software, many analysts say. But if they choose to do so, companies must tell their employees what they are monitoring and why, says Michael Gartenberg, research director at Jupiter Research.
“Employees need to understand that it is the employer’s right to protect its business communications vehicles from abuse, including situations that could prove to be liable or embarrassing to the company,” Gartenberg says. “Employers need to understand that expectations need to be set and met, and that an appropriate balance needs to be achieved” between total trust of employees and total lack of trust.
Before you buy any monitoring software, answer these questions, says Ann Meany, a human resources consultant for Watson Wyatt Worldwide.
- Are you solving a problem or concern, or are you just paranoid? “Doing it just because you are paranoid is not the right reason, in my opinion,” Meany says. There are better reasons, such as the security and safety of your employees, problems and concerns about sexual harassment of employees, and genuine concerns about employee fraud, espionage, and misbehavior, she says.
- Is it a cultural fit? An organization that thrives on independence, such as a research-and-development company, may create more problems than it is solving with significant monitoring. Also, Meany points out, if your company has instituted employee-retention perks such as dry cleaning, pet-sitting, child care, and so on, “you have to expect that your employees will be spending some time during the work day on personal business.”
If you are satisfied with your answers here, follow these five tips:
- Disclose your plans in advance and accept employee feedback. TrueActive’s Eaton suggests demonstrating to employees the monitoring software and the reports it prepares for IT administrators and others. (WinWhatWhere, for example, can send a myriad of different reports on PC use to a requestor’s e-mail address.) Warns Meany: How you introduce the subject to your employees is critical. Unless you can make a case for the benefits, in terms of increased productivity and safety and reduced concerns about internal fraud and other liability risks, she says, expect a backlash. And if you don’t give notice at all, you could be forced to explain why in a lawsuit.
- Have clear guidelines on what behavior is not acceptable. Spelling out every potential scenario is not possible, nor expected. But if you plan to filter out certain Web sites, such as pornography, gambling, or perhaps even job posting sites or F***edCompany.com, you would be smart to disclose this to your employees. Going too far in what you block could be costly, Meany says, but each company has to decide for itself. The point is, your employees will be better served, and more responsive, if you set their expectations on what is inappropriate. Same with personal e-mails and instant messages. Regarding instant messages, many employees don’t realize their unencrypted, one-to-one messages can be monitored. Tell them; even show them, if necessary.A word to employees: Never send an e-mail or instant message at work that you wouldn’t be afraid to read the next day on the front page of a newspaper, Gartenberg warns. Likewise, don’t visit Web sites at work whose URLs you’d mind seeing posted, next to your name, in a public forum.
- Be respectful of employee needs and time. If your company is one where employees work a lot of hours in the office and significant overtime, expect them to be doing some personal business on company time. A certain amount of employee “undertime” — which is stealing off time during the workday for appropriate personal needs, to compensate for heavier workloads and more stress — should be allowed if the employee is discreet and otherwise efficient.
- Strike a reasonable balance between security and privacy. If an employee wastes excessive amounts of his or her work time, you haven’t hired well. Otherwise, isn’t it more important to protect your company from inside information being leaked to the press or competitors, internal hackers or virus writers, sexual harassment or other potentially embarrassing situations, and threats to national security, than it is to know if an employee is rewriting his resume or has found a new love interest? Keep in mind that overzealousness in monitoring, such as stockpiling of employee records, could backfire — the records could be used as evidence against your company in future litigation.
- Hire people you can trust. This is easier to say than to do, especially if you are a rapidly growing company or one with thousands of hires each year. Still, trustworthy employees will be easier to monitor — and require less monitoring — than those you can’t trust.