Employee Monitoring: When IT Is Asked to Spy

Corporations crack down on digital delinquents

Not only do corporations appear to be monitoring their employees more frequently and more closely, but they're also punishing violators more severely when they do get caught -- and some are even terminating employees who violated company policies.

Percentage of companies that terminated employees when they violated stated policies on the use of:

The Internet -- 26%

E-mail -- 26%

Cell phones -- 6%

Instant messaging -- 4%

Text messaging -- 3%

Social networking -- 2%

Video sharing -- 1%

Personal blogs -- 1%

Corporate blogs -- 1%

2009 survey co-sponsored by the American Management Association and The ePolicy Institute.

In addition, 13% of companies surveyed said they review job applicants' social networking sites or personal blogs as part of the interview process, and 3% reported that they have rejected job applicants on the basis of content posted on such sites.

The conscientious objector

"Our department philosophy is that if the users fear us, the job gets 10 times harder," says Dan Olson, IT director at Farstad Oil Inc., a Minot, N.D., company with 500 employees. "Fear leads to coverup and spin. When we are trying to find [the cause of] a problem, what we need is the truth."

Fear of IT used to be a problem at Farstad. In the mid-1990s, after a manager caught an employee spending too much time in online chat rooms, IT was directed to monitor employees and report whenever they were doing anything non-work-related on their PCs.

"We had never agreed to that, nor were we consulted on it," Olson says. He mostly ignored the directive, partly because it was never a written policy, but even so, "the next two years were miserable for [IT], as everyone feared that we would assume they were guilty until proven innocent."

At one point, Farstad management became concerned that employees were using IM, a popular communication method among the company's scattered locations, for personal business. A memo cautioning employees about this caused even more upset among them, says Olson. "I remember one time carrying boxes through accounts receivable and people clicking their mice and quickly closing windows as I walked by."

That fear was counterproductive, says Olson. If employees' PCs caught a virus, for example, Olson would have trouble getting them to tell him what they had been doing or what Web sites they had visited.

Shortly thereafter, Olson persuaded management to ease the restriction. "We explained that we wouldn't be watching [workers] all the time. We would only check the logs if their manager complained that they weren't getting their work done," he says.

The new policy has made for much better working relationships between employees and the IT staff, he notes, with employees more willing to inform IT promptly about technology snafus and IT able to get the information it needs to remedy the problems.

Get used to it

Going forward, companies like Farstad that have policies that favor minimal monitoring are likely to be in the minority. Observers say IT managers can expect to be asked to take on even more monitoring duties, such as reviewing video surveillance, examining text messages, tracking employee location by GPS or listening in on social media.

Larger companies have started to hire third-party firms to monitor what's said about them in the blogosphere and on social media sites, but in many midsize and small companies, this duty could fall to IT.

Will IT managers resist this expansion or chalk it up to just doing their jobs? Florida Institute of Technology's Workman doesn't envision much pushback. "I see them doing it, but I don't see them being completely comfortable with the practice," he says.

How do you feel about being asked to monitor employee behavior? Would you rather not do it, or does it simply come with the IT terrain? Share your thoughts here.

Employee monitoring done right

Experts recommend these steps to protect your company and yourself if you're asked to monitor employees:

* Have a formal Internet usage policy in writing that spells out what employees are and are not allowed to say or do via e-mail and on the Web, including blogs and social networks.

* Explain the rationale behind the policy (that what employees say electronically can expose the company to legal risk, for example), state specifically what is being monitored and how, and lay out the consequences of violating the policy.

* In addition to having new hires read the policy, conduct ongoing training and awareness programs to educate and remind employees.

* Establish clear procedures to follow when IT discovers violations, including who should report the violation and to whom, how it should be documented and who will confront the violator.

* Ideally, IT, legal and HR should be involved in developing and enforcing the policy. Legal, in particular, should provide guidance on the handling of electronic evidence related to any potential criminal charges or a civil lawsuit. (If your company does not have in-house legal counsel, it should hire an outside attorney with experience in employment law, IT and e-discovery.)

* Remember that you're being monitored, too. Although the IT staff may not realize it, many companies also monitor everyone in the IT department, including executives, says Larry Ponemon, founder and chairman of the Ponemon Institute, a data privacy and security consulting firm. "[IT staff] might be surprised to learn ... that someone is watching the watcher," he says.
