Many companies monitor their employee’s conduct online to make sure they are doing their job, not spending too much time on personal matters, or misusing company equipment. Monitoring an employee’s computer activity is an essential element of an effective cybersecurity strategy.
Whether it’s protecting trade secrets and confidential business information or monitoring for data breaches, it’s become a common practice in today’s connected world. According to the American Management Association, 66% of employers monitor internet connections and 65% block connections to inappropriate websites. 45% of employers track content, access, time spent, and keystrokes. 28% of employers have fired employees for email misuse.
Some employers may be required to monitor employee’s online communication to comply with government audits, compliance investigations, or potential litigation. Government contractors, for example, may need to prove they proactively safeguard sensitive or proprietary information.
Crafting Your Monitoring Policy
The first step is developing your monitoring, protocols, and security policies. You’ll want to be transparent to your employees and buttoned down on your procedures. It needs to be a formal policy, and it needs to be in writing.
- Monitor Only What You Need
Employees hate the idea that companies can monitor their every move at work, especially in the era of social media and near-ubiquitous online access allows for inter-mixing professional and personal interactions during the day. A policy that over-reaches into areas employees feel are personal can create difficulties.
- Be Specific About What You Are Monitoring, Why You Are Monitoring, And How You Are Monitoring
If there are specific concerns, such as complying with governmental regulations, laws, or policies, you will want to explain. You should also outline what won’t be monitored, such as personal health information. Spell out what you may be required to disclose to a governmental agency, law enforcement, or a court of law.
Make sure your policy spells out what devices your company is monitoring with particular attention to how you are handling personal devices (such as smartphones or laptops) that may be used sporadically for company business. It is also important to let your team know what you are not monitoring. For example, you may want them to know that anything accessed on their company-issued laptops can be captured except for social media accounts.
Your policy should provide some detail on how the data is captured and stored. In most situations, a dedicated software can be customized to your workplace to store information and flag potential problems.
- Explain Who Can Access The Data And When
Limit access to a key gatekeeper or compliance officer when possible. The fewer people that can access the data, the more comfortable employees will feel. Does their direct supervisor need access? It’s important to explain who can access the monitoring information and under what circumstances. Cybersecurity specialists at cybersecurity companies can help you with the plan. Emphasize security procedures protect employee data.
- Make Sure Your Policies Comply With Legal Requirements
Review compliance practices to make sure you are in step with federal and state laws, which have changed significantly over the years. You should have a professional assessment from at cybersecurity expert, and legal guidance in this area as a misstep can lead to both civil and criminal penalties.
- Finally, Communicate Fully
It’s crucial that whatever level of monitoring you decide to do, you let your employees know. You don’t want them to be surprised that someone can look at what they are doing at any time; it has proven to be a deterrent to misuse.
Deterring Data Breaches
When it comes to cybersecurity, monitoring is essential. 63% of all data breaches annually used insider information – such as legitimate user credentials – according to the Verizon Data Breach Investigation Report. Much of that information was gathered through malware, phishing schemes, and keyloggers installed surreptitiously on employee devices – scams active monitoring could have prevented.