We previously talked about web filtering packages and not restricting access to non-business web sites followed by how to write an effective Acceptable Usage Policy. This brings us to the third part of this subject: setting up an effective monitoring program. Email and the Internet are tremendous tools but they also have tremendous potential for misuse. While we need to treat employees as adults and trust them it as President Reagan used to say quoting a Russian proverb "doveriai, no proveriai" (Trust, but verify).
Unless you are running a top-secret government program, I do not recommend a program of continuous monitoring or assigning someone the duties of monitoring and reporting on email and Internet usage. Besides being demeaning to all employees it sets up IT as the bad guys. We have enough of an image problem already with out giving everyone the impression that we are out to get them. Monitoring everyone and making them answer for their usage can be an inhibiting factor. Inhibiting for inappropriate behavior which is good but also for proper use. If I have to explain the IT why I went to a particular site for which IT couldn't see a business rationale I might forego using the Internet and use lesser efficient alternative instead. IT is supposed to make users more efficient, not less.
The keys to effective monitoring are letting people know you'll be monitoring and be able to monitor and report on any perceived problems.
- Communications - Make sure everyone know about the monitoring and your policies. Communicate this clearly and frequently. It is especially important to note the companies legal rights in regards to monitoring so no one has an incorrect expectation of privacy. On this last point I recommend stating that user of company assets for personal use have no right to privacy subject to the prevailing laws of the controlling governmental authority. The reason for the "prevailing law" qualifier is that priviacy rights vary by country, something which must be considered if you are a multi-national company. Remember the goal is to make sure email and the Internet is used properly not to play "gotcha" with our users. With effective communications our users will be self policing. If I know you may be checking on me, I'm less inclined to do something improper.
- Monitor on Demand - If a supervisor notes a fall off in performance or has reason to believe one of their employees is using email and the Internet improperly then put a monitoring program in place for that employee. Be sure to do this in conjunction with the Human Resources department so things are done properly.
Beyond this there are two other provisions that you can consider depending on how large your company is and how big a problem managers think they might have. If they are not sure if there is a significant problem you can run some summary statistics to help gauge the situation.
- Random reporting - Once a month randomly select or have Human Resources select employees for reporting. Provide their mangers with reports of all their activities and let them decide if there are any problems.
- Provide reports on the top users - Most of the filtering packages allow reporting on the top 10 users or something similar. Again, provide their mangers with reports of all their activities and let them decide if there are any problems.
If you choose either of these last two options remember to educate the managers on how to interpret the reports. Some personal use is not a problem and some seemingly non-business related sites can have a business purpose. The reports should only be used as a review and starting point for discussion with the employee and not an absolute indictment for discipline.
If this topic was of interest, you might also like these:
- Surfing Conditions
- IT is NOT your Mother",
- Or the posts in the "Web / Web 2.0 / Internet" category
Recent Comments