The Rise of Employee Monitoring: Ensuring Security without Sacrificing Trust

Insider threat has become one of the biggest risks to businesses globally, accounting for 64% of security breaches today. With the average cost to resolve insider-related incidents reaching $2.08m per incident, it should come as no surprise that organizations are beginning to invest heavily in employee monitoring technology.

In fact, according to Gartner, well over 50% of large employers are already monitoring employees in non-traditional ways such as analyzing e-mail text, logging computer usage or tracking employee movements. 
While the average employee of a US-based company accepts the fact that nearly all of their virtual activity in the workplace may be monitored, they expect a certain level of privacy in their personal life.

Yet as the world becomes increasingly digital, massive amounts of publicly available data about employees’ lives outside of the workplace, like arrest records or severe financial distress, are now available to employers and can be used to detect anomalous activity, which may adversely affect the employee, other employees and/or the workplace.
While seemingly controversial, detecting concerning or otherwise anomalous activity outside the workplace can inform a company that an employee may need assistance in a variety of forms, even if it is just someone to talk to about on-going personal issues unrelated to work.

Being aware of a stressor affecting an employee’s personal life and possibly preventing it from negatively affecting an employee’s professional life, to the point where the end result is termination of employment, is good for both the employee and employer.  
Now more than ever, the burden has shifted to employers to detect and respond to abnormal or anomalous employee-related behavior before it manifests violently. Employers that use cost-effective tools aimed at improving the welfare and safety of employees while securing their organization at the same time should be applauded, not disparaged.
As a company’s most critical asset and largest investment, employees should not be surprised if an employer utilizes available tools to be made aware of adverse events involving employees that could negatively affect them or the workplace. Of course, the employer has a concrete responsibility to use any collected information and resulting knowledge to protect and help the affected employee(s) in the same fashion as it uses the data to protect the company and the company’s lines of business, and any use must be in accordance with applicable local, state and federal laws or regulations.
So, why are employees – who often want their employer to care more about them as a person and value their contributions – opposed to their employer monitoring publicly available information outside the workplace? The biggest reason is fear. Employees are afraid of how the information will be used, and afraid it may be used to harm them instead of help.

Employees may wonder: Will they terminate me? Will they demote me? Will they lose trust in me? Will all my co-workers find out, and what will they think of me?  
Any employer that is considering monitoring employee activity outside the workplace should be mindful of these fears and work to ensure a culture of trust. This includes:

  • Communicating with employees and listening to their concerns;
  • Ensuring employees are aware of the benefits to the company and to themselves;
  • Explaining to employees how the information will be used and how it will not be used; and
  • Convening a multidisciplinary working group consisting of key stakeholders (human resources, legal/ethics, privacy, corporate security etc.) to develop and maintain policy and procedures clearly outlining how an activity monitoring service can and will be used.

For the employee whose activity outside the workplace may be monitored, before declaring this to be an invasion of privacy, remember that all the data being monitored is already in the public domain available to be read by anyone—family members, friends, coworkers, employers etc.

Keep in mind that an employer, following carefully considered policies and procedures that comply with applicable laws and regulations, is monitoring for anomalous activity—not targeting specific people—and doing so for the safety and security of employees and the company at large.
