Monday, August 20, 2007

Counting Clicks: Monitoring PC Usage at Work

If your business has started to find too many employees endlessly surfing the Web, constantly instant messaging their friends, or spending too many hours viewing the latest YouTube videos at work, it may be time to check out some of the software tools now available for tracking who's doing what with your company computers, on company time.

"Every key you strike, every site you surf, every note you send, every chat you start, we'll be watching you ..." The Police's timeless anthem to lovelorn paranoia and obsession could easily be turned into a catchy soundtrack celebrating employer eavesdropping on employee computer and Internet habits.

Employers who are tired of paying employees who fritter their working hours away surfing eBay for deals or managing their fantasy football squads are increasingly turning to monitoring software to track what employees do with their computers. Such software brings technological sophistication to the table that bosses love and workers fear.

The Web Giveth and the Web Taketh Away

There is no doubt the Internet has been revolutionary for corporate America, placing an incomprehensibly vast storehouse of information just a few mouse clicks and keystrokes away and contributing immensely to employee productivity. The problem is, the Internet is also a vast source of entertainment: from porn sites to online chat rooms to gambling sites, there is a Web site catering to just about every vice and time-wasting habit.

Naturally, employers are increasingly keeping tabs on what employees are doing online. The 2005 Electronic Monitoring and Surveillance Survey conducted by the American Management Association and the ePolicy Institute found 76 percent of employers monitor employee web surfing, and 65 percent use software to block inappropriate web surfing. And, statistics show the tried and true "I didn't know" excuse doesn't work anymore: over 80 percent of companies notify their employees they monitor content, keystrokes, and time on the keyboard, store and review employee files, and retain and review e-mail messages.

It might sound hypocritical, but most employers probably don't mind perpetuating workers' e-addictions, just as long as the information they're processing is work-related. The problems start when employees use their PCs, laptops, or mobile devices for "extracurricular" computing activities. This is why so many employers find monitoring software so appealing.

The Tale of the Tape

So, how do monitoring programs work? In general, monitoring software allows employers to capture and maintain an ongoing log of employee online and PC activities. Usually, these programs store information in a database which can then be used by employers to create reports summarizing employee activity.

For example, SpectorSoft's Spector 360, the company's "flagship" enterprise product, records Web site visits, inbound and outbound e-mail traffic, chats and IM, keystrokes, file transfers, and even documents printed and applications launched. One of the software's niftier features is the ability to screen capture employee activities.

Granted, nifty is in the eye of the beholder -- or the watcher -- but it's hard to deny the effectiveness of photographic evidence: after all, it's awful hard for a gaming addict to argue their case when the boss is armed with full color screen captures. (Memo to those who insist on a daily dose of gaming: do it at home or risk getting an unexpected permanent vacation.)

Spector 360 stores all this information in a database. Employers who want to see the results can access the information using more than 50 built-in reports, some with charts, summarizing the information. These reports can be used to zero in on a single employee's surfing habits or to provide an overall view of online usage patterns for an entire department or business.

Is online shopping universally popular across departments, or just a distraction in accounting? Is online poker only a problem in the manufacturing department, or is everyone from the boardroom to the mailroom preparing to go on the pro poker circuit? Inquiring employers now have the tools to know.

Filtering with Policies

Other types of employee monitoring programs work a bit more proactively by enforcing Internet usage policies and blocking employee access to sites blacklisted by administrators.

Websense Enterprise does this by enabling administrators to implement custom Internet usage policies from a centralized management console. The program also enables admins to filter Internet access using the Websense Master Database, with filtering actions such as Allow, Block, Continue, Quota, Block by Bandwidth, and Block by File Type.

Like other monitoring programs, Websense is armed with a wide variety of reporting options to give managers and administrators the summary information they need to monitor their policies and tweak them as necessary.

Spytech Software's SpyAgent is another example of a monitoring program that actively tracks employee activity. This software logs keystrokes, Web sites, applications launched, Internet connections, files opened and printed, chat conversations, e-mail sent and received, etc. The list goes on and on. As with other popular programs, SpyAgent records virtually everything and allows administrators to create extensive reports documenting employee online activities.

For those who need to create a usage timeline, SpyAgent's Events Timeline feature lets administrators view logged events in chronological order. Think of it as a faithful chronicle of wasted time spent web surfing, e-mailing, and chatting. And yes, the company even promotes the use of its software for spousal monitoring. Now bosses can keep tabs on their spouses. What a deal!

There are many other examples of software designed to track, monitor, or filter employee PC and online habits, including PC Acme Professional, Realtime Spy, Spy Agent, and NetVizor.

Bottom line: when it comes to spying on employees, employers have a huge arsenal of tools at their disposal.

Is It Right?

Peggy Eisenhauer, founder of Privacy and Information Management Services, a law firm specializing in assisting industry with privacy and security Relevant Products/Services compliance solutions, says CEOs need to be sure their organizations are managing risks properly and detecting security threats and breaches.

"Appropriate employee monitoring," adds Eisenhauer, "is an essential part of this process."

But, employers should strive to strike the right balance between privacy and monitoring by considering all the factors, she adds. For example, employees in the financial services, healthcare, education, and other sensitive industries should expect monitoring commensurate with business risk, says Eisenhauer. In addition, employees with access to sensitive data, such as I.T. and H.R. personnel, should also be subject to monitoring with regard to the sensitivity of the information they handle, she adds.

Also, says Eisenhauer, employees should be informed about the level of monitoring with transparency, so they know what to expect. Multinational companies should understand that employee monitoring programs outside the U.S. are subject to many other legal requirements, she warns.

For employees, the calculation is straightforward. As Eisenhauer points out, employees should expect all activities at work or some other public place to be subject to some level of scrutiny.

"Employees should govern themselves accordingly; if you want to send a private message or enjoy adult Web sites, you should use your personal PDA or home computer," says Eisenhauer.

It's actually pretty simple: in a world where technology is plentiful and the legal climate is favorable (at least in the U.S.), employees should come to work with no presumption of privacy when it comes to online and computing activities. Workers who don't want to run afoul of the boss' Internet usage policy should police themselves and save their personal online activities for after-hours.