It’s 4:00 PM – Do you know where your employees are Surfing?
Do you know what your employees are doing on the Web? At a minimum, they're probably goofing off watching YouTube videos. At worst, they could be steering your company toward financial ruin. Employees leak intellectual property or trade secrets, either on purpose or inadvertently; violate laws against sexual harassment or child pornography; and waste time while looking like they are hard at work. In this quick guide, I'll show you how to keep an eye on employee Internet use and monitor just about everything else they do with their PCs.
I can already hear the groans of disgruntled readers as I type these words, but gone are the days when PC monitoring was an optional, draconian security measure practiced only by especially vigilant organizations. Today, more than three-quarters of U.S. companies monitor employee Internet use. If your business is in the remaining quarter that doesn't do so, you're probably overdue for a policy change.
Spurred in part by stricter regulatory, legal and compliance requirements – organizations large and small are not only filtering and blocking Web sites and scanning e-mail. Many are also watching what employees post on social networks and blogs, even if it's done from home using non-company equipment.
They are collecting and retaining mobile phone calls and text messages with mobile device management. They can even track employees' physical locations using the GPS feature on smartphones.
Why You Should Monitor
Everything your team does on company time--and on company resources--matters. Time spent on frivolous Websites can seriously hamper productivity, and visiting objectionable sites on company PCs can subject your business to serious legal risks, including costly harassment suits from staffers who may be exposed to offensive content.
That doesn't look like work to me. Spector360 can give you a real-time look at employees' screens.
Other consequences may be far worse than mere productivity loss or a little legal hot water. Either unintentionally or maliciously, employees can reveal proprietary information, jeopardizing business strategy, customer confidentiality, data integrity, and more.
And, of course, unchecked Web activity can expose your network and systems to dangers from malware and other intrusions. Even something as simple as a worker's failure to keep up with Windows patches can be a threat to your business, so don't think of monitoring as merely snooping.
Monitoring Software
Employee monitoring is just one facet of a larger discipline known as endpoint security, which includes everything from malware protection to policy enforcement and asset tracking. Large enterprise computing environments demand comprehensive endpoint-security systems, consisting of server software coupled with client software on each user's machine that can handle many of these functions at once. These systems tend to be complex enough to require the expertise of a trained IT pro. But in this guide, I'll be looking primarily at simpler tools designed for smaller organizations.
For a small business, you have several good ways to achieve endpoint security. You can install a Web-hosted system that combines software on the PC with remote monitoring services to protect your computers and enforce compliance with company policies. You can combine a few complementary tools, such as a desktop security suite and professional tracking software. Or, if your company is very small and your budget is tight, you can adopt free tools à la carte.
The most secure way to monitor PC use is to deploy a system that consists of a host, server, or appliance together with client-installed software. Unless you have a dedicated IT staff or the budget to bring someone in on a regular basis to check on things, a cloud-based service--such as ComTech’s Endpoint and Email Protection, can help the Small Business monitor at a low cost. These services are relatively inexpensive and easy to set up compared with on premise server offerings, and we give you the flexibility to set and monitor compliance with acceptable-use policies from a single management interface. They also deploy system security updates automatically, block malware, and protect sensitive files to prevent data from leaking out of your company. Better still, these hosted systems effectively protect laptops that frequently leave the office.
The cost for a hosted endpoint-security service is generally very low. ComTech has great solutions for all your devices.
If you're not up for a total security overhaul and you just want to track user activity on a few systems, you have several affordable ways to go about it. Packages such as Spector360 can monitor all e-mail and IM sessions, track and filter Web usage, log users' keystrokes and program use, and capture screenshots on command for as little as $99 per user.
If you're really on a shoestring budget, plenty of free and open-source tools can log PC and Web use. A freebie called ActivTrak, for instance, can keep tabs on which applications your staffers are using and which sites they're visiting, complete with simple reports that give you a pretty clear idea as to how employees are spending their time on their PCs. A word of caution on stand-alone tools, though: Some antimalware utilities can quickly identify and disable stand-alone monitoring tools, so you may need to create an exception in your malware protection settings to ensure that ActivTrak or Spector360 can work properly on your systems.
Best Practices
It should go without saying that employee monitoring ought to be just one small component in a comprehensive strategy to protect your business and maintain productivity. Once you've made the choice to monitor, you should follow these general guidelines to ensure your success.
Be forthright: Nobody likes being spied on unwittingly. Unless you think someone on your team poses a serious threat that requires covert monitoring, it's best to be up front with staffers about what you track and why. Many companies accomplish this with a formal Internet usage policy in writing that spells out what employees are and are not allowed to say or do via e-mail and on the Web, including blogs and social networks. Letting employees know that their behavior is being monitored can serve as a powerful deterrent against unwanted online activity.
- Explain the rationale behind the policy (that what employees say electronically can expose the company to legal risk, for example), state specifically what is being monitored and how, and lay out the consequences of violating the policy.
- In addition to having new hires read the policy, conduct ongoing training and awareness programs to educate and remind employees.
- Establish clear procedures to follow when IT discovers violations, including who should report the violation and to whom, how it should be documented and who will confront to the violator.
- Ideally, IT, legal and HR should be involved in developing and enforcing the policy. Legal, in particular, should provide guidance on the handling of electronic evidence related to any potential criminal charges or a civil lawsuit. (If your company does not have in-house legal counsel, it should hire an outside attorney with experience in employment law, IT and e-discovery.)
Filter proactively: Most good endpoint-security tools include Web and e-mail content filters that can block inappropriate sites and prevent users from sending or receiving files that can jeopardize your business. Use them. By limiting the ways your staffers can get into trouble, you can prevent problems up front.
Check reports regularly: There's little point in generating usage reports if you're not going to look at them. Take the time to at least spot-check the reports that your monitoring software generates so that you can identify potential problems early and take remedial action. Whatever you discover--whether it's a time-wasting Website that everyone is watching this week or a single person who is addicted to solitaire--you can often fix problems with a simple e-mail that tells your team you know what's up: "Just a reminder, people: Facebook is not an appropriate use of company time."
Training: The main reason for monitoring is not to find employees doing things wrong and scolding them. It is more to find training opportunities. Most users do not set out to cost your company money by watching YouTube Videos all day long or watch a movie, this is usually caused by forgetting about or not being trained properly. Monitoring employees and send an email to all users when maybe one or two are infraction of the rules helps employees remember their training and usually stop or at least curb their bad habits.