Earlier this month, I spotted the article provocatively titled, "SMB Security: Do You Need Employee-Monitoring Software?" over at Small Business Computing. The article walks through various methods that businesses can use to monitor employees in the office.
It caught my attention because I consider some of the suggestions a tad invasive and morale-sapping, not to mention potentially illegal depending on the locality. The unfortunate truth, though, is that not all employees are angels, either. It is not uncommon for staffers to be up to shenanigans to hide their tracks and get away scot-free.
Even in the absence of malicious intent, the abrupt departure of staffers for various reasons such as job dissatisfaction, accidents or poor performance can result in continuity problems. And we've not even started yet on the slacker who participates in prolonged hours of gaming during office hours. Finally, certain employee activities, such as viewing pornography at work, can lead to sexual-harassment suits if not quickly detected and stopped.
Like it or not, it makes sense for businesses to take steps to protect themselves by monitoring and archiving crucial electronic data streams within the company. So I will highlight some junctions that the small and mid-sized business will do well to monitor, limited resources notwithstanding.
Internet Monitoring and Logging
Internet monitoring will probably be one of the most contentious aspects of any employee-monitoring efforts. While few will argue against maintaining a historical record of URLs visited, the situation changes quickly when it comes to debating whether Facebook or YouTube ought to be blocked.
My suggestion would be to use a respectable and publicly maintained blacklist of sites such as the one on URL BlackList.com. An exclusion list of "whitelisted" sites can be configured to override the defaults, while a separate blacklist can also be maintained in the same manner. Addition to either the whitelist or blacklist should follow a well-defined process, encouraging a policy of openness and discussion over what is acceptable, and enacting a minimum legal protection for the company.
Since everything is in the open, staffers are thus indirectly discouraged from spending too much time lingering at sites they have no business visiting during office hours.
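The layered lists described above can be written down as a small decision function. This is an added example, not code from the original article or from any filtering product. The domain names, the log format and the precedence between the two local lists are assumptions: here the company blacklist is checked first, then the whitelist, then the public blacklist.

```python
from urllib.parse import urlsplit

# Constructed sample lists; a real deployment would load the public list from its published files.
PUBLIC_BLACKLIST = {"games.example", "adult.example", "video.example"}
LOCAL_WHITELIST = {"video.example"}     # agreed override of the public default
LOCAL_BLACKLIST = {"auction.example"}   # company-specific addition

def covering_domain(host, domains):
    """Return the listed domain that equals host or is a parent of it, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # whole labels only, so notgames.example != games.example
        if candidate in domains:
            return candidate
    return None

def decide(url):
    """Return (action, reason) for one URL using the assumed list precedence."""
    host = urlsplit(url).hostname or ""
    for action, name, domains in (
        ("block", "local-blacklist", LOCAL_BLACKLIST),
        ("allow", "local-whitelist", LOCAL_WHITELIST),
        ("block", "public-blacklist", PUBLIC_BLACKLIST),
    ):
        hit = covering_domain(host, domains)
        if hit:
            return action, f"{name}:{hit}"
    return "allow", "default"

def audit(log_lines):
    """Parse 'timestamp user url' lines and return one decision record per request."""
    records = []
    for line in log_lines:
        ts, user, url = line.split(maxsplit=2)
        action, reason = decide(url)
        records.append({"time": ts, "user": user, "url": url, "action": action, "reason": reason})
    return records

# Constructed proxy log lines for illustration.
SAMPLE_LOG = [
    "2024-05-06T09:15:00 alice http://www.games.example/play",
    "2024-05-06T09:16:10 bob https://video.example/training/intro",
    "2024-05-06T09:17:42 carol https://shop.auction.example/item/7",
    "2024-05-06T09:18:03 dave http://notgames.example/",
]

if __name__ == "__main__":
    for record in audit(SAMPLE_LOG):
        print(record)
```

Recording the reason alongside each decision keeps the historical log useful when a whitelist or blacklist entry is later discussed or changed.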
Maintaining an independent log of all incoming and outgoing e-mails can be incredibly useful if employees are tempted to delete all their correspondence in a huff. Legally, it also forms an excellent counter against the possibility of staffers doctoring electronic correspondence.
Moreover, real-time e-mail archival makes perfect sense in the context of disaster recovery, too. Due to this fact, appropriate software or cloud-hosted applications that offer this function are readily available and affordable.
The way to eliminate unauthorized gaming would be to ensure that no games are installed in the first place. On this front, it is always a good idea to know what software is installed on workstations to ensure license compliance. As you can imagine, there are many administration tools out there that can do detailed software audits. The more advanced ones can even be configured to report regularly back to a remote central administrative console.
Obviously, these suggestions above are far from foolproof. However, I do believe they represent methods that are relatively cheap and easy to implement, yet reasonably effective against most computer users. Above and beyond the sophistication of any technology used, I feel that it's important that employees do not end up feeling alienated or distrusted.