
Is It Time to Roll Back Employee Surveillance Practices?

The shift to remote and hybrid work has put employees out of sight but, thanks to technology, not necessarily out of mind.

Since the pandemic began, the use of employee monitoring software has grown by over 50% and, with hybrid work still the norm, shows little sign of receding. It’s not just the ubiquity of employee monitoring software that has increased, either. With product development catalyzed by surging demand, the monitoring solutions offered by major vendors are more capable than ever.

Armed with what is effectively corporate spyware, employers can silently collect and analyze vast amounts of employee data from sources like keystrokes, randomized screenshots, and even email text. However, just because employers can collect endless amounts of worker data doesn’t necessarily mean they should.

Employee Monitoring Needs to Have a Strong Use Case

Even though most organizations with a remote workforce use employee monitoring software, the jury is still out on whether monitoring employees actually improves productivity. Opponents of the practice point to reports about the negative impact monitoring can have on employee morale. Moreover, studies show that employees are more likely to do “fake work” when being surveilled.

Therefore, indiscriminately using employee monitoring as a patch on poor productivity may not be a good idea. Instead, strong monitoring use cases are those where monitoring employee behavior can have a measurable benefit both for organizations and employees themselves.

For example, one area where employee monitoring looks promising is in corporate cybersecurity. Whether due to a lack of security awareness training or a different perspective on corporate risk when working from home, remote employees often neglect their cybersecurity responsibilities. Proving this point, Blurred Lines & Blindspots, a 2021 global risk study by the IT giant HP, found that employee security behaviors are often significantly weaker when they’re away from the office. According to the survey, 70% of employees use work devices for personal tasks, a practice that is heavily frowned upon by security professionals. Similarly, over 30% have allowed someone else to use a work device for their personal use.

Worryingly, further research from the email security provider Tessian seems to indicate that a large proportion of employees are well aware that their behavior is dangerous. Yet, the study found that 30% of workers felt like they could get away with risky conduct while working away from the office.

From an IT security point of view, being able to monitor employee behavior could help nip bad security habits like these in the bud and improve enterprise security. However, even in cases where employee monitoring may be justified, the practice still needs to be carefully considered by security professionals.

Transparency Cannot Be an Afterthought

For most employees, even the idea that their employer might be monitoring their communication channels like email and Slack is highly off-putting. A recent survey by ExpressVPN found that 56% of workers feel anxious and stressed about their communications being observed in the workplace. The same study found that almost one in two (48%) of the 2,000 employees surveyed would take a pay cut to avoid being monitored.

A quick scan of employee monitoring-related headlines shows the real-world impact of these kinds of survey responses. Ill-thought-out efforts to implement monitoring programs at companies like the British bank Barclays have led to immediate employee backlash and negative PR. Similarly, even planned rollouts of monitoring features by vendors such as Microsoft and Zoom have stalled in the face of user criticism.

These examples show that implementing a monitoring program, even when it has a strong use case, is far more than just a technical challenge. Any employee monitoring program, no matter how necessary, needs to be sympathetic to employee concerns. A good place to start is by being transparent.

While employees can object to being monitored for a variety of reasons, lack of awareness of why monitoring needs to happen is a major one. A Gartner study from 2018 found that when an employer gave no reason for monitoring employees, only a third of workers were okay with their emails being tracked. However, when the employer explained why employee emails needed to be monitored, the acceptance rate rose to 50%.

Generally speaking, employees are less likely to object to their work-related behaviors being monitored once they know that a) monitoring is indeed happening and b) employers have a good reason to do so. Putting in place a justification and rationale for monitoring is therefore vital.

Don’t Collect Data You Can’t Secure

IT professionals also need to be aware that just because they have the capability to collect a certain class of data, collecting it may not be in their organization’s best interest.

Ultimately, whenever an organization deploys a solution that collects information from employees, particularly when some of that information may be highly personal, an awareness of the legislative environment surrounding data privacy is critical.

Although no existing data protection legislation outlaws employee monitoring, various rules place restrictions on what employers can do with that data and what must happen to it after it is collected.

For organizations based in California, the soon-to-be-enacted California Privacy Rights Act (CPRA) places clear obligations on organizations that monitor employees. From the 1st of January 2023, businesses impacted by the CPRA will be legally required to notify employees that their data is being collected, as well as to keep employee data safe from data breaches. Not doing so may result in fines of up to $7,500 per violation.

Across the U.S., similar legislation has also been passed in Colorado and Virginia, and more states, including Massachusetts and New York, are likely to follow in their wake soon.

Any effort to collect employee data, therefore, needs to be weighed against the additional risk that exposure of that same data would create. And with research from IBM finding that almost one in three organizations will suffer a data breach this year, this risk should not be underestimated.

Rob Shavell is Co-Founder and CEO of Abine / DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).