In the nearly two years since the world shifted from working at the office to working remotely, IT and Security teams have been playing a never ending game of catchup.
Work from Office (WFO) always had its challenges. Managing security on the network, and then the transition to increasingly shifting the workload to the cloud kept both the technical and policy folks from the IT/Security teams plenty busy.
Everyone knew that the road to the cloud was inevitable, but we always had the sense that we had more time to figure it out.
And then COVID-19 hit and people’s cloud adoption roadmaps got shortened from five years to yesterday.
All of a sudden we found ourselves going from WFO to Work from Home, and that brought up a whole host of questions and challenges.
- How do we track employee engagement?
- How can we secure work from home when people are no longer on the company network?
- How do we handle it when things go wrong?
The answers to a lot of these questions could be found in security and productivity monitoring solutions that allowed organizations to track how their employees were spending their time and using company resources.
However, many companies have struggled to stick the landing on rolling out these kinds of security solutions with the necessary transparency and communication required for them to be successful.
We take a look at the increase in adoption of employee monitoring solutions and how to implement them the right way for your organization as we head towards a WFH or work from anywhere mindset in the future to attract the best talent.
Rise of the Employee Monitoring Solutions
According to Gartner, 60% of large corporations have adopted employee monitoring solutions for tracking their people.
Surprisingly, this number is double what it was a year ago, perhaps showing that this trend has picked up as organizations settle in for the long haul of WFH. This is due in part to the marked rise in cyber attacks by criminals and state actors who have capitalized on the diminished security posture in remote work settings to run rampant. Social engineering and specifically ransomware attacks have hit organizations of all sizes and types, from energy to government to hospitals to small businesses.
So beyond the need to maintain employee accountability, there are numerous security use cases that one of these solutions can address.
1. Insider Threats
Insider threats have grown in concern, especially as many of the transactions that used to be conducted under exacting standards at the office, are now done at home and lack the necessary supervision.
Away from the eyes of supervisors and the sense of team cohesion, it can be easier for a disgruntled employee to take advantage of their access to the organization’s systems to steal or cause other kinds of harm.
It was only recently in August that a malicious actor ran a campaign advertising to split the take with anyone willing to put malware on their company’s systems as part of a ransomware attack. Nigerian authorities have reportedly made an arrest in this case, but this fellow is unlikely to be the only scammer out there attempting this “rev share” model.
2. Account Takeovers
Sometimes, a malicious insider isn’t exactly an insider.
Credentials get popped all the time, with attackers using leaked password lists to spray at different targets, hoping for a hit. Maybe someone got phished. There is no shortage of ways that a user can find their account being compromised by hook or by crook.
So when an employee’s account does get taken over, it is important to have security controls to monitor what the account is doing. Monitoring can tell the story of the account acting out of character with logging, and even detect suspicious activity with User Behavior Analytics.
The rules for certifying that an organization was taking the right actions for protecting their customers’ data were written with the office in mind.
Many of these rules about where data has to be stored, how it can be shared, or how transactions are supposed to be carried out, become challenging to uphold when many of these organizations find themselves remote by default.
Compliance regimes like PCI-DSS and HIPAA have rules that require tight controls that include monitoring, session recording, and other measures that ensure that only authorized personnel are allowed access to sensitive data.
The case for why organizations need these types of tools is fairly clear to them at this point.
Where they are prone to trip up is not in the technical details, but in their communication with their teams.
Common Pitfalls When Implementing Employee Monitoring
When it comes to the workplace, employees have expectations about how and where they can be monitored.
These expectations are not always realistic.
Plenty of folks use their work devices for shopping, checking their personal email/social media, and other activities that really belong on their own machines. Far too often people will use their company issued laptops for activities that would definitely be no gos at the office. Searching for jobs on a company computer is never a good idea, along with plenty of other ill-advised activities on a work device.
Monitoring solutions are nothing new for those working in more sensitive sectors like financials, health, and government. But with the increased adoption amongst a full range of sectors, it is important for companies to be crystal clear about:
- What tools they are using (screen captures, keylogging, etc)
- What is being monitored (emails, file transfers, messages)
- Why monitoring is important for the security of the organization and the employees
It is far better to be upfront about what it is that you are and are not doing as part of your monitoring activities than to have surprises later.
To help avoid some of these surprises, here are some tips for how to optimally roll out your monitoring implementation.
3 Musts for a Successful Employee Monitoring Rollout
This could be a long list of good boxes to check for avoiding confusion with your employees, but here are a couple of the top points that we believe are essential.
1. Get Professional Advice
Understanding what you are and are not allowed to monitor often comes down to local legal standards.
Your HR and legal teams should be on top of these and should definitely be consulted before deciding which features you can use for your monitoring.
Bring them into the process early so that you can plan your implementation on sure footing.
2. Communicate Your Monitoring Policies Early and Often
Following the same line of it being better to start early, make sure that new employees are told about what is being monitored during their onboarding. Be sure to coordinate with HR on this to make sure that they include this in their process.
Employees have a right to know that their actions may be monitored. Explaining why this policy is in place from the start can help to build buy-in. So even if they may not be thrilled with the idea, at least it is clear and they know what the situation is.
As an added bonus, an employee that knows that they are being monitored is less likely to take a risky illicit action.
3. Use common sense and respect privacy where possible
This should be obvious but it bears repeating. The purpose of monitoring is to improve your security posture and quality assurance.
Excessive surveillance can also be a hindrance to effective monitoring because it can overload your capacity to pull out the valuable information from the technology. When regulations allow, try to set your monitoring searches to more narrow keywords and actions.
This will help to keep your searches in scope, reduce the workload on your security team, and avoid being overly intrusive.
Remember Why You Hired Them
The past two years have seen significant growth in more companies adopting employee monitoring solutions as a way to ensure business continuity in uncertain times.
These tools have shown themselves to be of value with their ability to create records, detect suspicious activity, and hopefully even prevent many incidents from happening in the first place as a sort of deterrence.
But at the end of the day, hire people that you trust, and trust them to do their jobs. If people don’t feel generally trusted, then they won’t be good employees and they definitely won’t stick around for very long.