OPINION: Could monitoring Web surfing habits of employees be used by HR managers as a staff morale barometer?
When security meets personal privacy, it all gets rather confusing. The new Australian security standards and privacy legislation raises the importance of addressing privacy--of employees and customers--and implementing standards.
It also raises more questions than answers. According to a Deloitte Touche Tohmatsu survey last year, 67 percent of companies felt they were meeting the requirements of the National Privacy Principles, although only 55 percent encrypted personal information stored in their databases.
The New South Wales Bureau of Crime Statistics reported that 10,221 laptops were stolen in 2000, 336 of which were later recovered. Of those recovered, none had data security.
Question 1: The Australian information security standard (AS/NZS 4444:2000) covers physical and environmental security. It is designed to help prevent unauthorised access to and possible damage of information assets and data.
But what is an appropriate level of physical security? Encrypting all personal information held in corporate databases? Encrypting all data on notebooks? It's all possible now and it's becoming increasingly cost-effective. However, even with the new standards we're a long way from public acceptance and widespread deployment of these technologies.
What e-mail management? The Web site of SurfControl, a vendor which provides e-mail and Web filtering, has some interesting statistics (based on a UK survey) on e-mail habits and attitudes:
- 61 percent of all respondents (about 800) stated that "non-business related e-mail use in the workplace allows me to balance a busy professional life with important social and personal commitments".
- 57 percent agreed strongly or very strongly that "non-business e-mails are harmless fun and help to keep me motivated at work".
- 28 percent admitted to sending non-politically correct e-mails (including sexist, pornographic, racist or using bad language).
E-mail has become, in most companies and industries, the single most pervasive and important means of communication. It would almost always have a considerable impact on productivity if access to e-mail was restricted or removed.
Yet the same factors that make it so widespread as a messaging medium-speed, informality and the ability to store e-mails for reference-also make it increasingly perilous in terms of hastening the spread of viruses, loss of confidential information, and even legal liability for inappropriate comments made via e-mail.
Many of these threats can be managed through software applications, which typically scan e-mails for viruses and/or specific words (lexical scanning) deemed inappropriate or offensive.
Employee surveillance now extends as far as monitoring every keystroke, so even unsent e-mails can be monitored.
Question 2: The new National Privacy Principles requires an organisation to clearly express policies on management of personal information. But neither in the private or public sector is there any general constitutional or common law right to privacy.
So, how far should monitoring of e-mails be taken? How do you respond if an e-mail, flagged because of an offensive word, consists of a staff member outlining to a friend his affair with his boss's wife?
Finally, Web browsing. As with e-mail, it is claimed that inappropriate Web surfing is increasing, costing employers dearly in terms of lost productivity (conversely, it can be argued that the ability for employees to do their banking via the Internet during the lunch break actually improves morale and productivity). Again, technology exists to both monitor, and restrict, access to sites deemed "inappropriate".
Question 3: As with e-mail filtering, a policy should outline what Web surfing is appropriate, and how this is monitored. Again, how far can this be used?
A colleague in a different industry (who shall remain anonymous) recently pointed out how, during a time of some uncertainty and change, the organisation's Web monitoring software showed a considerable increase in visits to recruitment sites.
This could be marketed as a new staff morale barometer for HR managers! If employees are silly enough to use their employer's network to look for a new job when the IT policy discloses that all Web activity is monitored, could a list of users with the most number of hits to job sites form an effective method for determining redundancies?
Oliver Descoeudres is marketing manager at network IP/Internet network infrastructure builder and solutions provider NetStar Australia. He can be contacted at marketing@netstarnetworks.com or on 02 9805 9759.
While sometimes I get a lot of non-work related e-mails They really don't take very long to go through & it definitely can brighten a day or give someone a good laugh. I work longer hours than the usual & I think I wouldn't do that if I could only go through e-mails at home & not be able to use the web at work.