Just as it is important to prepare for hackers, it is critical to prepare for internal theft or inappropriate use of resources by employees and contractors. We routinely hear from our clients that there is suspicion surrounding a current or recently departed employee or contractor. Without proper planning, the effort to confirm or deny those suspicions can run into legal and technical landmines that carry a stinging price tag.
Having the appropriate protocols and tools in place can help avoid panic and enable the organization to quickly obtain the facts. A clearly communicated plan will also reduce employee and contractor sensitivity surrounding monitoring that might otherwise damage a company’s culture.
So what should be done, and what pitfalls should you prepare for, in this unfortunate yet inevitable situation?
You need to be certain of both the company’s and the employees’ legal rights. Assuming that you may monitor company equipment without notifying those who use it can be a mistake. Your approach will vary depending on the state your business operates in. Many states require the employer to notify employees of its monitoring practices. This might include email activity, websites accessed, calls made, internal and external sites visited, files accessed, text messages, and other communications. The best approach is to make certain that employee handbooks and policies reflect your right as an employer to monitor, and that your employees acknowledge this in writing. For specific information pertinent to your business, we suggest that your in-house or outside legal counsel assist in developing your approach.
From a cultural perspective, if you choose to adopt tools to monitor employees and contractors, it makes sense to spell out what can be monitored along with the internal procedures and approvals required before monitoring takes place. This ensures that employee rights are not violated and that overzealous management does not create a draconian environment. Clearly defining your policies, and why the approach is necessary, helps reduce the negative consequences that would otherwise show up in employee morale and productivity. Human resources experts, legal counsel, management, and employee representatives should all be integral in defining your approach and the spirit in which the message is delivered to employees.
On the technical side, here are some tips covering the areas that warrant your attention.
- Define Objectives – what information and activity should be monitored and why. Do this while paying close attention to the impact on company culture and other potentially negative effects.
- Define Systems – where critical information is housed and how it is shared within and outside of the organization.
- Define Access – how systems are accessed and who has access to them. Pay attention to both in-house connectivity and remote access.
- Define Portability – what information can be transmitted and through what means. Consider every medium that can be used, including flash drives, email, print, mobile devices, and other platforms.
- Define Methods – what type of monitoring should be implemented, who will have access to the monitoring data, and how its use will be audited. Clearly lay out the steps to be taken when anomalous activity is detected.
- Define Tool Set – identify the tools necessary to meet the defined objectives.
- Implement Plan – review the performance of the tool set against the objectives and adjust as necessary.
Being prepared can save the organization from data loss, lawsuits, and organizational and reputational harm, among other negative consequences, while still protecting the rights of employees and contractors.
Network Management Solutions has been assisting organizations since 1996 to build, monitor, and manage IT systems with a pragmatic, business-centric approach. Please contact us for further information.