Employee monitoring software is an amazingly useful, yet somewhat awkward technology. It can help your IT department weed out your worst time-wasters and layabouts — and even those who are sharing your corporate secrets. But while you may need to keep an eye on your employees, no IT or HR manager has the time to monitor the thousands of keystrokes that happen in a given work day across a busy network.
As a result, organizations that decide to “get tracking” have to make a few tough choices right off. Do you want a product that logs all keystrokes for later review? Do you want software that blocks Web sites and e-mail containing specific words or phrases? Or will you choose something more comprehensive that pushes reports to managers, allowing them to act on their suspicions to snare problem users?
The basic programs are cheaper, but they also require a bigger time commitment on the part of the IT or HR department. The solutions that can generate comprehensive reports can be more complex and costly.
Either way, says Jennifer Perrier-Knox, senior research analyst at the London, Ont.-based Info-Tech Research Group, organizations should do it right or not at all. “It’s one of those things that, if you do it, you have to commit to it, regardless of whether you go low-tech or high-tech,” she says.
But not a lot of companies are making this commitment. The adoption of employee monitoring software is not yet very deep, especially in Canada, Perrier-Knox says. It’s more common in the U.S., particularly at companies with legal or regulatory mandates to meet.
Many Canadian companies block well-known sites such as Facebook and MySpace, or spot-read e-mail. But, in most cases, it’s a complaint, or concern around a specific employee, that leads an organization to decide to monitor that individual, explains Perrier-Knox.
Monitoring mavens
Still, at least one company isn’t satisfied with random checks and targeting obvious offenders — and it’s paying off. An IT manager at a mid-sized Toronto law firm (who did not want to be identified) says his 50 licences of SpectorSoft’s Spector 360 have returned to the firm’s HR manager 30–40 per cent of her working hours.
This is a big improvement over the old monitoring software. Before, if one of the firm’s managers asked the HR manager to watch one employee, it would take her “literally days” to provide an answer about the nature of that person’s activity “by going through each screenshot and watching it like a movie and seeing what the person was doing,” says the IT manager. “It was just tedious and time-consuming.”
Using the Spector 360 product, she simply sends back an e-mail report produced by the software that details all computer usage of a problem employee. (The IT manager still recommends the executive go through the report carefully to gauge the seriousness of the offences.) Managers in that group or department can then, for example, see a keystroke count or what sites were visited over a given time period. Then they can decide if they want to approach the person and take disciplinary action.
A firm’s IT manager is often the one stuck suggesting which sites to block, as they can tell — via the monitoring software — which are the most popular non-work sites. But he says he tries not to be Draconian about it: “We block some of those sites that have consequences for the firm in terms of the threat of malicious code or viruses, but personal banking and stuff like that, that’s at their discretion. If they are using it during their break times, we can evaluate that and say, yes, you are using it for 15 minutes, and so be it.”
Spy vs. Spy(ee)
He says employees are often curious as to whether IT has the technology to view what’s happening on their screen, but often what they don’t know can’t hurt them. “I talk to a lot of users, and people always get paranoid, so I really don’t mention it to them. It’s in their release when they get hired and they sign off on it,” he says. He typically tells them that if they aren’t doing anything wrong, they have nothing to worry about.
When it came to choosing the software, the firm’s IT manager had a major say in the decision. This is important, but, he adds, formulating policy should be a group decision.
Perrier-Knox argues that IT managers already have too much responsibility in this area.
“It’s a technologically dependent form of monitoring, but, in reality, and in terms of best practices, IT managers should not be dictating these policies,” she says.
Instead, it should be coming from the business side and HR — they can take privacy issues into account, and inform current and new employees about what’s being monitored and to what extent. In addition, says Perrier-Knox, anyone with the authority to carry out monitoring should also observe a strict code of conduct. They should only be monitoring things and people that they have been tasked with monitoring. This is meant to eliminate situations where an IT staffer might, for some reason, start paying special attention to an individual, in effect spying on them.
And, if individuals in the IT department are being asked to monitor usage, they should definitely not be the ones carrying out any disciplinary action. There should be a “fairly straightforward escalation procedure” in place whereby the authorized individuals can report violations either to supervisory staff, management staff or HR, and there should be very clear handoff lines, according to Perrier-Knox.
My house, my rules
Expectations of employee behaviour should also be clear. Typically, in order to avoid legal issues later, an employer should implement a policy that notifies employees that it does monitor their system and online activities, and that the employee should have no expectation of privacy when using the company’s systems.
There are two ways to do it. Some employers will have employees sign an acknowledgement of the fact that their employer does monitor at the time of hire or when a new policy is implemented. Other employers will just rely on the existence of the policy. Andrea York, a partner at Toronto’s Blake, Cassels and Graydon LLP, says her firm writes numerous privacy policies for organ