Small and Medium-sized Organisations sometimes have issues which result in a thinking that they should monitor what employees are doing. These issues may be well founded in many cases, but the fact remains that there is often a need to monitor what is happening on the network. In this Blog we look at the right approach to employee monitoring for SMOs
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Introduction to Employee Security Monitoring
Today we're going to be looking at "employees monitoring in SMOs" This is a concern for many SMOs especially as they look to deal with the hybrid model of working from home and returning back to the office. And the drivers may be a combination of making sure that employees are doing more of the right things they should be doing, and less of the wrong things they've been told not to do.
Although we are going to explore this topic from a security risk perspective, we understand that we must cover some of the basic managerial supervision issues. We believe that security risk management is and should be the real challenge, and should be managed separately from employee monitoring. Yes, there are some overlaps, and we will try and provide insights into those where we can.
So, from a security perspective an employer should ensure that there is the right combination of prevention and detection controls in place, and that they work separately from those used for employee productivity monitoring.
Why Monitor Employees?
There may be many reasons for this, but the productivity related group is one of the key ones. Some of the productivity related reasons that monitoring employees can help with:
- Improve productivity - in certain workplaces monitoring employees can help lead to greater productivity. From timing and length of meetings, to travelling time spent, there are many examples of organisations and employees benefiting from improved productivity through monitoring.
- Ensure a level of quality of work - some monitoring enable employees are following procedures which ensure the required quality of work.
- Improve proactiveness – being able to identify that everyone is working on the same group of agreed tasks can mean that less time is wasted on lower priority tasks.
- Identify staff training requirements - monitoring often helps identify additional training requirement which can help productivity.
- Review skills and competencies - monitoring can also help identify any slippages of those who were trained early and may need a refresher based on the competency they should have given their experience.
- Observe health and safety practices – since health and safety is a legal requirement, the use of CCTV cameras on construction sites has made it easier to identify anyone not wearing the correct head protection, for example.
- Ensure compliance with policy or legal obligations – for example, monitoring activities where a policy requires that there must always be two people to effectively perform certain tasks can be assured through monitoring.
- Investigate criminal behaviour or other wrongdoing – any criminal behaviour can have an immediate or long-term effect on productivity whether it is theft or fraud.
- Wellbeing and fairness - employees who want to do the best they can may also end up not taking the breaks they are entitled to and end up being less productive over the longer period.
- Better resource allocation – monitoring can also help identify situations where there were more people than necessary or less than necessary to be effective.
Most organisations can probably come up with many other reasons to monitor employees.
The security and data protection related reasons to monitor employee activity:
- Security – this is the most important reason from our perspective. There should be the appropriate use and mix of preventative and detective controls in place. Later, we give examples of tools that are focused on monitoring, which is a detective control.
- Illegal / Unlawful activity – knowing that neither the employees and the network have not been compromised and used for the wrong activities is important to a keep track of.
- Compromise the organisation by breaking the law – for example, it is important to monitor that no one is misusing data against the data protection policy and data protection laws.
- Identify unauthorised access to accounts and services by malicious actors
It is possible to only monitor employees from a security and data protection perspective and considerably reduce the productivity requirement depending on the operation, field and work of an organisation.
Why Not Monitor Employees?
Some sectors and types of organisations feel they have compelling cases to monitor employees, however, we believe it would be prudent of all organisations to also take into consideration the reasons why monitoring employees may not be the solution to the productivity or other challenges they are responding to. Here are some of the most important reasons to not monitor employees:
- Stress and lowering morale – various studies have shown that even though some employee monitoring measures help improve productivity, at the same time they cause stress to a percentage of employees, and lower morale overall. Whether this will affect your organisation can only be confirmed by opening up the dialogue with employees.
- Ethics and fairness – where employee monitoring may be brought in without adequate consultation, staff may also question the organisations ethics and willingness to treat them fairly to responding with the original challenge that monitoring is attempting to solve.
- Additional resources to monitor effectively - any effective monitoring will require additional resources to ensure that the right data for the challenge is collected.
- Additional staff to monitor effectively - additional tools and resources will require further staff time to make use of the monitoring data to achieve the productivity efficiencies desired.
Just as organisations may be able to come up with several productivity gains for their particular circumstances, so to can they come up with reasons not to monitor which will be particular to them.
Employee Monitoring is Happening
The fact is that employee monitoring is happening in the UK and around the world right now. A YouGov survey of 2,000 employers in Q4 of 2020 revealed:
- 12% employers were already monitoring, a further 8% had plans to implement monitoring, and another 6% were considering whether to implement it in the future;
- 46% said employee loyalty had increased since the start of the pandemic.
With advances in technology, will come advances in surveillance and monitoring tools, however, some organisations may try to bring in monitoring tools under the guises of security issues. And although there is some overlap, as mentioned earlier, it is very possible to implement the correct security controls without using the more invasive employee monitoring tools.
This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.