Preventing Employee Cyber Slacking – Handling the Soft Issues

By Asa Davidson, International Marketing Coordinator, WebSpy

As today’s business environment becomes increasingly web-enabled, organizations worldwide continue to display a growing interest in understanding and managing their employees’ Internet and email use. Blocking and filtering solutions are often implemented to eliminate or reduce employee Internet access in order to minimize the risk of malicious virus exposure, network overload and productivity losses. However, limiting or denying employees’ Internet access can create employee resentment, hostility and even reduce productivity further by complicating and delaying the accomplishment of Internet related tasks.

Big Brother is watching
Many organizations that recognize blocking and filtering limitations have turned to monitoring and reporting solutions. In essence, an effective monitoring solution will assist in maximizing employee productivity, identifying download issues, improving network management and minimizing litigation risks. However, no matter how innovative the monitoring solution may be, in order to fully leverage the intuitive benefits provided, businesses must establish, and effectively communicate, comprehensive acceptable Internet usage policies.

The effectiveness of employee monitoring directly relates to employees’ awareness of the content of the policy and corresponding breach consequences. Thus, organizations must develop appropriate policies, publish and communicate them so employees understand exactly what is expected of them and the conditions of their working environment.

Recent research clearly indicates substantial benefits in obtaining employee consensus regarding the organization’s monitoring activities. It is when employees do not fully comprehend the organizational motives and objectives behind monitoring activities that the relationship can turn sour. Trust between employees and the employing organization is imperative for employee wellbeing but also because of the potential economic savings derived from increasing trust. Research shows that there is an inverse relationship between cost and trust, thus, as trust increase costs decrease. It has been established that in organizations with high levels of trust, productivity consistently exceeds other businesses where trust is low or latent.

Do they trust me?
In recent years, organizations’ monitoring practices have raised increasing concern regarding individual privacy at work and employee trust. Research in the employee monitoring area has correspondingly attempted to understand the policy and monitoring program characteristics that can enhance employee acceptance, trust and thus effectiveness. It has been demonstrated that Internet and email monitoring systems designed to provide workers with performance feedback influences the monitored individual’s perception of fairness, satisfaction and task performance. Research also suggest that when monitoring work related activities, such as Internet usage, and allowing those who are being monitored the opportunity for feedback and input into the process can reduce fear of invasion of privacy and enhances procedural justice. Hence, employees feel affirmed if procedures are adopted to treat them with respect and dignity and the likelihood of acceptance is increased, even for outcomes they do not like.

Get everyone involved
Frequently IT Managers and Administrators are given the ultimate responsibility of managing, enforcing and communicating acceptable Internet usage for an entire organization. This approach warrants concerns and its effectiveness is questionable.

John Stewart, Chief Security Officer at Cisco, is one of many leading ICT professionals that have recognized the importance of mutual responsibility in organizational security. He recently made the following statement:

“What I’d rather never say is that a security team is responsible for security at a company... That means that 99 percent of the company somehow isn’t... I’d rather be helpful to the business, towards it understanding that we’re all responsible”.

It is apparent that here is an emerging trend in many countries where companies are recognizing that issues relating to inside threats need a two pronged attack – protection of the internal IT resources through reliable security systems and education of the workforce to drive responsible behaviour.”

TOP 5 TIPS FOR EFFECTIVE MONITORING AND OVERCOMING THE SOFT ISSUES

1. Allow a certain amount of online recreation
Allowing a certain amount of (monitored) online recreation can enhance many workplaces and ultimately make employees more productive.

2. Establish Acceptable Usage Polices
Establish policies around the use of the Internet and email and make staff aware that you are monitoring and reporting on usage. Ensure the amount of acceptable online recreation time is specified. This alone is an effective step towards reducing inappropriate usage, but if it’s not backed by actual reporting, employees will soon learn what they can get away with.

3. Allow Employees Access to their Individual Internet Usage Behaviour
Allow employee access to conduct their own ad-hoc analysis to view, for example, their productive and non-productive activity. This can help foster and drive responsible Internet usage behaviour. Employees who understand the organizational costs of their personal unproductive activities are more likely to accept the organization’s monitoring activities and modify their own behaviour.

4. Protect Employee Privacy
Most log analysis solutions, trying to address issues related to decreased productivity due to recreational surfing or illegal online activities, lack any protection of employee privacy. They provide open or shut access, meaning that anyone with access to their monitoring solution can view anyone else’s activity.

To protect employee’s personal data it is essential for organizations to use monitoring software that provide functionalities designed to protect employees’ privacy rights by only allowing authorized users to see the employee’s identity. For instance, Network Administrators may need to investigate all traffic going to a particular site but should not need to know the user names – in this case user names should be anonymous for them but available for HR.

5. Assign and Distribute Responsibilities
Identify roles and responsibilities for taking action on events, remembering that responsibility is not only the IT managers or security administrator’s domain. Distributing employee internet activity reports to managers or department heads will allow them to see how internet usage affects the security and performance of their own department and distributes the responsibility of enforcing acceptable usage with the managers themselves.

WebSpy is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy of Infosecurity PR
<>