Monitor your Employees to Protect us all
This is a paper I wrote in college for an English assignment. This paper is about the need for employers to ethically spy on employees to protect the company, employees, and customers. This paper is written based on research done for the class.
08 August 2017
Monitor your Employees to Protect us all
Your company is monitoring your digital activity at work and that’s a good thing. Companies are struggling to keep up with new technologies, which is leading to more and more major hacks. These breaches of security are leading the public to not trust companies with their data; this leads to the loss of income. There is a simple solution to this, monitor your employees’ digital activity when they are using company property.
When we think of cybersecurity breaches, we think of hackers somewhere on the outside using a computer in a dark room listening to music and typing really fast, but the real threat to companies is not on the outside, it is, instead, on the inside. Employees are the insider threat and according to IBM Security General Manager Zadelhoff in 2016 IBM “found that 60% of all attacks were carried out by insiders.” Now not all attacks are created equal, in Zadlehoff’s article “The Biggest Cybersecurity Threats Are Inside Your Company,” he goes on to explain that only three-quarter of attacks are intentional; whereas, a quarter are unintentional.
The employees that intentionally threaten a company’s security do so for several different reasons. Some employees may act out because they are disgruntled by work conditions and want to exact revenge on the company, others may see a chance to make money and want to profit off of the company’s information. While others may take shortcuts, by bypassing security or ignoring policies to make their job easier. No matter the reason, the threat is real. These insiders can steal private documents and share them with competitors or criminals, create openings for outsiders to exploit, both of which can cause damage to a company’s reputation or cause a loss in revenue.
The unintentional threat tends to be careless or undertrained employees, who might click on malware filled emails or accidentally send information to the wrong person; all of which can lead to systems becoming compromised and leading to a leak of information or theft of employee data. The leak of information can cause personally identifiable information of customers to be stolen and used by others; such as social security numbers and account info. Either way, employees are at fault and companies need to be able to defend themselves from these insider threats. One of the more effective ways of doing this is to monitor employee digital activity when at work or when using company property.
As stated before, monitoring of employee’s activities is one of the stronger ways to protect a company and its data. Good employers should monitor email systems, messaging systems, workstations or computers, data storage systems, logins, data transfers, and in today’s world mobile device usage. Employers should focus on securing important areas first, such as customer private information or private intellectual property and make sure only employees that must have access should have access. Employees with top clearance should be monitored heavily and their emails should be scanned for changes in activity using the special analytical software. Lawrence points out in their article “Companies Are Tracking Employees to Nab Traitors,” that there are over twenty companies that make software that can build a profile of each employee and notice any significant change in behavior. This can lead to catching employees that are getting ready to leave the company and take private files with them. There is also the opportunity to catch hackers posing as employees, because the software will recognize changes in the employee’s behavior, due to the actions not coming from the employee. Now, this is great for catching intentional insiders, but what about unintentional insiders?
The best way to stop unintentional insiders is to limit what they can do online or who they can contact. The holy grail of prevention would be to block all types of contact and not allow employees to access the internet. However, that’s not very realistic. Email and the internet have opened up a golden age of instant communication and increased production, so to hide behind a wall and prevent an employee from using the internet would cause more harm than it would prevent. By denying access to the internet the employer, while safeguarding information, can also lose out financially. For instance, employee A spends 15 minutes researching a topic on the internet, while employee B spends 2 hours researching the same topic without the internet; the company saves money with employee A and loses money with employee B. Efficiency is just as important as security in the business realm; employers shouldn’t prohibit internet access since it can hurt their bottom line. Instead, employers should set policies in place to limit certain types of activities, such as banning fantasy football, personal use of social media, personal email, and using Youtube for cat videos. Companies should also use firewalls to block known hazardous websites. Email scanning should be in place as well, to help prevent malware and to watch for strange activity.
In both cases, information should be logged and kept secure. Some would believe that monitoring and logging information would be a violation of the employees’ rights to privacy. However, the employee is using company property and should be only performing company work and shouldn’t require privacy. In some cases, the government calls for strict monitoring of employee activities, such as in the case of the HIPAA act which requires US healthcare industries to safeguard medical information (Chelsie). In this case, the company is protecting itself and its clients from the misuse or theft of extremely private information. Even when there is no government-mandated monitoring there can still be a benefit to productivity by monitoring your employees’ activities.
Another form of monitoring has less to do with preventing insider threats, but instead, monitoring is used to check up on employees and verify they are using their time wisely and productively. This form of monitoring can be useful in deterring employees from visiting sites used for fantasy football or watching cat videos at work. This kind of deterrence can save a company money and Yerby points out in their paper “Legal and ethical issues of employee monitoring,” that a “company with 500 employees surfing the Internet for just a half hour a day” can cost a company a million dollars annually. However, constant monitoring of employees has been shown to increase stress and cause a disconnect with their employer.
In some cases, employees may become concerned that their employer does not trust them, due to the amount of monitoring that may be going on. Some may become overstressed by the belief that they are being monitored for performance and may wear themselves out in trying to overperform (Paganini). Paganini suggests to be upfront with your employees about what is being monitored and to respect their privacy. Monitoring should never exceed what is needed to keep the company safe from inside attacks and to have strict known policies, which includes warning employees when they are being monitored. As you can see, ethics can definitely affect how employees handle the overall monitoring process.
When discussing the ethics of employer monitoring, we need to realize the fine line between the employees’ privacy and the company’s right to monitor activities. If an employee feels they are being monitored to an extreme they may feel that their right to privacy is being violated. For instance, if an employee checks their personal email during work hours; should the company monitor that activity? At the same time, if the company does not monitor the employee they run the risk of internal threats. “When it comes to the subject of employee monitoring there is a grey area; current laws mandate that monitoring is legal, yet the questions of effectiveness and ethics arise” (Yerby). According to Ciocchetti, “The American legal system’s effort to protect employee privacy is a patchwork of federal and state laws combined.” This makes it hard for both sides when dealing with the ethical impact of company monitoring. So what is the answer; is there a medium that can be reached between both employers and employees?
Mahmoud Moussa (2015) tells us that in order to find the balance “employees should be aware of the devices that will be used to monitor them, how the data will be used, and when exactly they will be monitored; and employees and customers should be notified when telephonic monitoring is taking place through the use of a specific tone that can be heard by both employee and customer.” These actions let the employee be involved with the overall monitoring process. There is no secret to the employees as to when, how and what monitoring is going on. Mathis and Jackson tell us from a Human Resource Management perspective several different policies that can help limit ethical concerns. To start, employees should have the understanding that any electronic resources provided by the company; whether it is a company email, voicemail or file should only be used for business purposes. This can help limit the inadvertent temptation to share private information on company time. Furthermore, if employees have access to company products that require a password, the password should be made available to the employer. This is the only way to ensure that the proper use of the software or product.
The last step in maintaining the ethical balance between both employees and employers is to make sure that all employees are aware of what is expected of them when maintaining internal security. To accomplish this the employer needs to keep open communication and give detailed guidelines on their expectations. Such guidelines include email policies, internet policies, Acceptable uses for accessing the internal network and spam policies (Mathis). These policies serve to let the employee know what is expected and how they are being monitored in a clear concise manner. That way when an employer finds an internal threat down the road, there are no surprises for the employee.
As more companies become targets of hacking and security breaches we’ll see a steady increase in the use of monitoring software. As the software becomes cheaper we will start to see monitoring software trickle down to smaller companies. When this software is used in the right way and managed by professionals, companies should be better protected from cyber attacks and employees who were afraid of losing privacy will start to realize that companies are not just looking out for themselves, but instead looking out for the safety of their employees and the organization that they work for.
Ciocchetti, C. A. (2011), “The Eavesdropping Employer: A Twenty-First Century Framework for Employee Monitoring.” American Business Law Journal, vol. 48, no. 2, 19 May 2011, pp. 285-369. Wiley Online Library, doi:10.1111/j.1744-1714.2011.01116.x. Accessed 10 Aug. 2017.
In Ciocchetti’s article, Ciocchetti covers the growing need for employee monitoring and the effects it is having on the employee’s sense of privacy in the workplace. They go onto talk about the legality of monitoring employees in the workplace.
Lawrence, Dune. “Companies Are Tracking Employees to Nab Traitors.” Bloomberg Businessweek. 12 Mar. 2015. <https://www.bloomberg.com/news/articles/2015-03-12/companies-are-tracking-employees-to-nab-traitors (Links to an external site.)Links to an external site.>. Accessed 28 July 2017.
In Lawrence’s article, he talks about how there is a growing business for companies that manufacture monitoring software that can detect when employees are about to leave a company and might take private company documents with them, by analyzing the change in an employee’s behavior.
Moussa, Mahmoud (2015), “Monitoring Employee Behavior Through the Use of Technology and Issues of Employee Privacy in America.” SAGE Open, vol. 5, no. 2, 13 April 2015, <http://journals.sagepub.com/doi/full/10.1177/2158244015580168#articleCitationDownloadContainer>. doi:10.1111/j.1744-1714.2011.01116.x. Accessed 10 Aug. 2017.
In Moussa’s article, they talk about the need for companies to monitor employees as a necessary tool to maintain security, while also needing to avoid loss due to lawsuits brought on by the failure to recognize an employees rights.
Mathis and Jackson (1997, as cited by Moussa, 2015), “Monitoring Employee Behavior Through the Use of Technology and Issues of Employee Privacy in America.” SAGE Open, vol. 5, no. 2, 13 April 2015, <http://journals.sagepub.com/doi/full/10.1177/2158244015580168#articleCitationDownloadContainer>. doi:10.1111/j.1744-1714.2011.01116.x. Accessed 10 Aug. 2017.
Paganini, Pierluigi. “Employee Monitoring, a Controversial Topic.” Security Affairs. 29 Apr. 2016. <http://securityaffairs.co/wordpress/46814/digital-id/employee-monitoring.html (Links to an external site.)Links to an external site.>. Accessed 28 July 2017.
In this article, Paganini talks about how the need for monitoring employees is necessary to maintain security, but should not be at the cost of increased stress on their employees. He suggests that companies use appropriate software to only ethically monitor employees based on business needs.
Yerby, Johnathan (2013), “Legal and ethical issues of employee monitoring.” Online Journal of Applied Knowledge Management, vol. 1, no. 2, 2013, <http://www.iiakm.org/ojakm/articles/2013/volume1_2.php>. Accessed 10 Aug. 2017.
In Yerby’s article, they explain what monitoring is and they argue the why there is a need to monitor employees while addressing the ethics behind monitoring employees.
Zadelhoff, Marc. “The Biggest Cybersecurity Threats Are Inside Your Company.” Harvard Business Review. 19 Sept. 2016. <https://hbr.org/2016/09/the-biggest-cybersecurity-threats-are-inside-your-company (Links to an external site.)Links to an external site.>. Accessed 28 July 2017.
In this article Zadelhoff outlines how employees are the major cause of security breaches. This is due to inside attacks, theft, or accidents. He suggests monitoring employee day to day behaviors using AI, focusing on value systems and knowing exactly who has what access.