Cybersecurity, Emerging Issues in Security, Policies and Training

Working Remotely? Here’s What You Need to Know About Bossware

The pandemic created various challenges for both employers and employees. As organizations rushed to transition to remote work, employees were shifted to various types of technology to accommodate the change in work environment. Employees were required to learn a new way of connecting to corporate networks to be productive remotely, from virtual private networks to cloud-based applications.

As employees move out of sight, employers are looking for ways to understand what workers are up to 9-5 through the use of surveillance technology known as “bossware.” The software allows companies to track employees’ every keystroke.

According to SHRM, employer adoption of monitoring tools grew 66% in 2021. As organizations attempt to understand employee performance, monitoring tools are part of this mix. These tools are not new to the market. When employees sign Acceptable Use Policies, they agree to be monitored on company systems. From data loss protection (DLP) tools that monitor individuals’ behavior surrounding data and files to the complete monitoring that includes screen capture, keyboard activity, and productivity reporting, employers are actively attempting to understand employee work activity.

Employees should assume that every keystroke, website visited, and email is being tracked by employer systems using these tools. Often, employees are unaware of these tools because the technology gathers data, behavior, and activity silently in the background. Employees should assume that application use is being monitored. Even in a Bring Your Own Device (BYOD) situation, employers can track activity within cloud environments.

Tools in this space like Teramind, for example, provide employers a complete platform to monitor end-user behavior. This tool allows administrators to record all online activity and precisely monitor times of inactivity. It can help determine whether an employee’s web browsing is considered work related or something like online shopping.

The downside for employers is that implementing monitoring tools can impact employee morale. Employees often feel like this spying is infringing on privacy. However, organizations have the right to monitor and secure computer environments no matter where the employee is physically located.

The use of these tools assists organizations in reducing the risk of threats and protecting data significantly. These same tools detect account compromises, data movement, and unauthorized access to systems by bad actors. For example, if a U.S.-based employee connects from an IP address in Russia or moves thousands of files into private cloud storage, that might not be an employee at all; it could be a bad actor that gained access to an account.

The other downside of this technology for employers is that, should access to these systems fall into the wrong hands, it can create irreparable damage. For example, if keyboard recording is turned on for employees and a domain administrator’s sessions are being recorded, a hacker could effectively go back to those sessions and gain the details for logins and passwords, allowing the hacker to access at an administrative level across the network. These types of tools must be secured through several different methods such as multi-factor authentication and other technology to reduce the risk of application takeover that could result in a more significant breach.

HR organizations and industry experts agree that the pandemic has transformed how organizations think about remote work. To reduce the material costs of brick-and-mortar buildings, companies are selling off space or reducing the amount of office space that employees once occupied. With this transition, either hybrid work environments or a complete shift to remote working is occurring. With this transition comes new challenges for employers on how to validate the productivity of the remote workforce. According to PWC, 95% of HR organizations surveyed in a recent poll state that they either have adopted or are going to adopt employee-monitoring tools to manage employee productivity in the workplace.

There is a fine balance between micromanaging employees and protecting the organization’s security posture. Employers that actively monitor employees should openly disclose that they are using tools to monitor productivity.

Employees should assume they are being monitored at all times while on organizations’ systems and applications. Even in a BYOD world, the time and activity of cloud-based systems can be, and most likely are, monitored.

As organizations continue to grapple with the decision of how to navigate the new normal and where employees will work, one thing is certain: Bossware is here to stay, and employees need to be aware that their every keystroke is monitored.

Stephanie Benoit Kurtz is Lead Faculty for the College of Information Systems and Technology at University of Phoenix and has taught IT-related courses over the past 20 years. She is also Principal Security Consultant at Trace3. Stephanie has over 25 years of industry experience in Information Technology and Security Solutions and Consulting.