An employee copies top secret data and information onto a disc and gives it to a competitor. Someone downloads nonwork-related software just for fun during business hours, unwittingly unleashing a virus that wreaks havoc on your network. A staffer wastes company time by using his work PC to view inappropriate content or apply for other jobs.
Nightmare scenarios like these abound at companies across the country, and the productivity losses are significant. A survey by AOL and Salary.com found that the average worker wastes more than two hours per day online, costing companies $759 billion per year. So what is a small business supposed to do about it?
Many small businesses simply ignore the issue and hope for the best. But if you want to discover and prevent harmful computer-related activities, surveillance software from companies like SpectorSoft, Awareness Technologies, iMonitorSoft, and Spytech offer amazing insights (and even colorful graphs) on what employees do all day while at work. In addition to chat histories, websites visited, and document tracking, you’ll be able to generate detailed reports showing who waltzes in late, who takes long lunches, and who moves confidential documents to removable drives. SpectorSoft claims its Spector 360 offering can reduce “goofing off” in the workplace by 75 percent.
PC surveillance doesn’t have to bust your budget, either. Prices begin at less than $500; a typical small business installation can easily be had for less than $2,000.
Buying and installing software isn’t your only option. Some businesses opt for the convenience of hosted security solutions (think cloud computing) like Symantec.cloud, Trend Micro’s Worry-Free Business Security Services, and InterGuard from Awareness Technologies. With hosted security, there’s no hardware or software to install or manage, and no server maintenance. And these systems can easily grow along with your business. Pricing is competitive, with Trend Micro’s solution listed at $535 to cover 10 users for two years. Some small businesses worry about privacy issues related to releasing their sensitive data to a third party and whether the data will be available when needed, but others like the ease and flexibility of a hosted solution.
No matter which approach you choose, you still have to actually look at the data your monitoring solution turns up. Despite the pretty graphs, “looking at the results of employee monitoring can become quite boring,” explains Brian Dykstra, owner and senior partner of Jones Dykstra and Associates, an e-discovery, computer forensics, and incident response business in Columbia, Maryland. “It is a good idea to have more than one person looking at the results on a regular basis to make sure things aren’t being missed due to complacency.” He’s seen numerous instances where notifications revealed a dangerous situation, but no one reviewed the warnings.
If you suspect your business requires a more comprehensive approach than you’re capable of handling, you may prefer to contract with an outside IT security consulting firm to handle the entire process for you. Just be prepared to pay a little more.
“Implementation of network monitoring, integrated logging, firewalls, patch management, secure Wi-Fi, and so on can be quite complex and unique to each company,” says Dykstra, whose company offers these services. “It often takes working with a team of experts in each specific security area to find solutions that are appropriate to the needs of the company and fit the budget.” A complete security assessment of a small business (including an employee-monitoring program) typically starts at around $5,000, he says. After determining a client’s specific needs, Dykstra’s company then works with technology partners to implement the appropriate solutions.
Monitoring Can Be Complicated
Actually implementing a monitoring program may be more complicated than you think. There are many factors to consider, and you need to communicate the details to your workforce.
Always specify the devices being monitored (everything from BlackBerrys to laptops are candidates), exactly how you intend to monitor them, and what you plan to do with the information you gather. There are lots of questions to answer. For starters:
- Will you be reviewing stored communications, tracking use in real-time, or both?
- On mobile devices or vehicles, will you be tracking their location?
Regarding email, Philip Gordon, chair of the privacy and data protection group at labor and employment law firm Littler Mendelson, points out that there’s a big difference between messages stored on the corporate network and those held by a third-party, web-based email provider such as Gmail or Yahoo! Mail. You can monitor your own systems as much as you want, but “it is illegal to access an employee’s web-based email account without the employee’s prior consent,” Gordon says. “To protect [your business] in the event of a dispute, the consent should be written.”
What if a worker refuses consent? Gordon says that as long as the employer’s request for written consent is for a legitimate purpose, “such as to investigate allegations of misconduct, to implement a litigation hold, or to access important work-related communications,” the employer can terminate the employee.
Jeanne Achille, CEO of The Devon Group, a marketing, branding, and PR firm in Middletown, New Jersey, agrees. “If an employee refused to comply with the company’s policies, we would find that as cause for termination.” The Devon Group requires all employees to acknowledge understanding and receipt of the employee handbook, which states that the company’s network is monitored and protected. It costs her about $100 per PC to use software from SpectorSoft, plus $100 per month for weekly reports from an outside IT vendor to monitor the company’s 15 employees (herself included).
Is it worth it? In 17 years of doing business, Achille has terminated 2 employees as a direct result of her PC monitoring program. She’s not alone: 30 percent of employers surveyed by the American Management Association reported firing employees for misusing the Internet.
Beware of Legal Problems
Whether you choose software, the cloud, or contractors, you have to be careful when monitoring employees’ computers. Ironically, if you don’t handle it properly, trying to root out misuse of company computers can actually get your company into more trouble — from angering employees to potentially exposing you to lawsuits.
“Small business owners could unwittingly cross the line because the law in this area can be complex and is relatively unsettled,” warns Gordon. As an example, he points to software that captures electronic communications in real time. “Using these products without providing employees with specific notice and, ideally, obtaining their written consent could expose the business owner to potential liability under the Federal Wiretap Act,” he explains.
The solution? “Don’t keep the employee monitoring program a secret,” advises Dykstra. And don’t just inform employees of your surveillance policy — state your reasons for implementing it, and get them to sign off on it. “Letting employees in sensitive positions know that the company takes the security of the data they are working with seriously is a great security measure,” Dykstra says. In many cases, just knowing the company may be looking is enough to keep wavering employees on the straight and narrow.
On the flip side, companies have a responsibility to handle any information they gather with special care. Monitoring often uncovers details about an employee that aren’t harmful to the organization but that could be used to discriminate against the worker. Potential misuse of the information gathered is yet another legal minefield for computer monitoring.
Beyond the Legal Issues
The dangers of PC surveillance aren’t just legal. Monitoring your employees can have other negative consequences that are just as important, particularly those affecting morale and job satisfaction.
“Employers who choose to monitor their employees’ PCs are basically saying that they don’t trust their workforce,” says Keith Ayers, president of Intégro Leadership Institute in Newtown, Pennsylvania, and author of Engagement Is Not Enough: You Need Passionate Employees to Achieve Your Dream. He points out that without trust, employees may come to resent their managers and fail to take the initiative businesses need to thrive.
That kind of negative thinking can hurt small, entrepreneurial firms, so it’s not surprising that many choose to forgo monitoring. According to a 2009 survey by Inc.com, only 19 percent of respondents reported that they monitored employee email, and that was only if they suspected a problem. Just 16 percent screened all PC usage.
One small company determined not to take a big brother approach is Heyzap, a San Francisco-based social network for mobile gamers. “We have a 100 percent no-monitoring policy here,” says James Smith, the firm’s chief technology officer. “I previously worked at a large financial data company [that was] required by law to monitor employees, and it bred an atmosphere of distrust. We wanted to make sure there was no such atmosphere at Heyzap.”
As an alternative to aggressive computer monitoring, Ayers suggests addressing computer usage issues and concerns with employees face-to-face. “Doing so will allow the employer-employee relationship to be based on openness, honesty, and respect, and inspire employees to achieve results beyond what is expected.”
That may be enough for many small businesses. But if you’re worried — and if your company handles sensitive data like customer credit card numbers or relies on proprietary business information you can’t afford to see in a competitor’s hands — don’t wait too long to start taking a closer look at what’s going on. “Companies that wait until after a data loss or suspicious activity to start a [monitoring] program may have missed the boat,” says Dykstra. “We frequently find that the start of an unfortunate event goes back months or even years before someone notices something odd.”
Charlotte Jensen is an internationally published journalist who specializes in business topics.