workplace efficiency and compliance with Impero

Transcription

1 white paper: employee monitoring workplace efficiency and compliance with Impero task Keep employees on task whilst ensuring compliance with acceptable use policies solution Deploy a granular monitoring solution from impero to reduce risks and gain a return on investment Employers must address the reputational and financial risks of staff misconduct, keep their employees on task and adopt measures to counter misuse and increasingly sophisticated fraud In this white paper, we take a look into the legal, cultural and practical issues surrounding employee monitoring, and explore why its adoption is increasing in organisations of all shapes and sizes. Richard Smeeton BSc(Hons) CEng CITP MBCS: September 2012

2 the landscape Impero Monitoring is seamless and enables a granular policy to be implemented. These tools allow you to respect individuals privacy, comply with the law, and follow best practice guidelines. why is employee monitoring such a hot topic? The online conduct of employees is increasingly used in both hiring and firing decisions. Companies not only look to IT to investigate workplace misuse, but now commonly review job applicants social networking sites or personal blogs as part of the selection process and a personal profile may now result in being selected or rejected for a job on the basis of content posted. As new generations of employees grow up with Google, and surf their way into work, the distinction between work life and personal life has never been more blurred. Indeed many organisations encourage workers to be switched on; embracing social media to engage with customers and encouraging flexible practices such as working from home and bring your own device (BYOD). Yet these common practices whilst promoting creativity and efficient working also increase the risks of abuse and IT is being called in to proactively enforce acceptable use. To be effective, employee monitoring has to be part of a wider organisational policy that demonstrates an employer s commitment to fairness and doing things right. Some organizations rely on their employees to do the right thing. They feel that monitoring employees betrays trust and is an invasion of privacy, and in some countries it is an invasion of privacy. The approach may vary from company to company and from country to country (and different US states may have alternative laws), but it is always best practice that an acceptable use agreement is included in the employee s terms and conditions of contract, and that the employee understands their responsibilities and what is monitored and why. Under the Lawful Business Monitoring Regulations, this is a legal requirement in the UK. Accordingly, the chosen approach should reflect the local legal frameworks and union / works council agreements as well as IT policy best practice. employer reputation and legal liability It was back in 2000 but many still remember the case of a lewd sent to a Norton Rose lawyer from his girlfriend, which was forwarded to a few colleagues and ended up being circulated worldwide. Yet employees still use s inappropriately, and employers may not all have the clear policies needed to enforce acceptable use. In a more recent case, a London City banker hit the headlines after an he sent to colleagues about his private life quickly circulated and cost him his job. Just as employees are not expected to make costly business phone calls on their own phone bill, neither do corporations want to pay for your calls to your cousins in Australia or personal data roaming while on holiday. But the distinction between personal and business use of the Internet is often not as clear. Appropriate utilisation of the web is an area that cannot be ignored. However, as even leading companies have found to their cost, for the majority of cases the offensive material being viewed or forwarded on is pornographic. The employer who doesn t deal with this issue may be at risk of facing constructive dismissal, sex discrimination claims or even criminal prosecution. In the case of Morse v Future Reality E.T. Case No /95 it was held that the downloading and viewing of sexually explicit images in the workplace by male workers did constitute sexual harassment if it makes the working environment uncomfortable for a female co-worker. It s worth remembering that compensation for sex discrimination is not capped. All Internet content your employees read, send and receive carries a risk! Impero not only captures screen shots of actual use, but also provides a Web Filter and USB device management, providing the tools you need to implement and enforce your own Acceptable Use Policy. Impero gives you a completely consolidated solution for comprehensive protection against harmful and inappropriate Internet content risks.

3 right to privacy at work? The Human Rights Act 1998 came into force in October 2000 and implemented in the UK the European Convention on Human Rights (the Convention). The potential consequences for employers were clear from the decision of the European Court of Human Rights in the case of Halford v United Kingdom 1997 IRLR 471. Alison Halford, a senior police officer, alleged that her employer had tapped her private work telephone. She successfully claimed that this was a breach of her right to privacy under Article 8 of the Convention. It was held that as her employer had not given her any prior warning that her telephone calls were liable to interception, she would have had a reasonable expectation of privacy for calls made on the private facility her office provided. The fact that the calls were made from the workplace did not mean that her right to privacy did not apply. It follows that the same principles will apply to communications and Internet use as to telephone calls. digital native employers Just as we are now seeing the emergence of a new generation of employees; the digital native, employers are also embracing the best of the Web. Constantly looking for new ways to attract and retain the best people and increase overall productivity, successful businesses also thrive on improving customer engagement models and processes that give them a competitive advantage over the competition. Allowing employees who have grown up with virtual lifestyles to maintain a creative and flexible approach to work, whilst ensuring clear lines of acceptable use is key. Results include easier and faster recruitment of high quality new hires, higher efficiency and improved talent retention within the organisation. acceptable use policy The risks that an employer will face if they do not put into place such a policy can be seen from the decision in the case of Dunn v IBM United Kingdom Ltd E.T. Case Number /97. Here the employee was summarily dismissed for accessing pornography on the Internet. The tribunal upheld the claim for unfair dismissal as it was not a case where there was a clear breach of company policy such as to automatically warrant summary dismissal. The uncertainty that an employer faces with such an unfair dismissal claim can be avoided with a policy that complies with the following minimum requirements: Is in writing Is clearly communicated to all employees Sets out permissible uses of both and Internet Specifies the prohibited/inappropriate uses States what monitoring, if any, will take place Sets out acceptable on-line behaviour Stipulates unauthorised access areas Set privacy rules in relation to other users Sets out privacy rules in relation to employer s right to monitor Stipulates possible disciplinary consequences for breach of rules

4 best practice considerations Before you begin employee monitoring, keep the following in mind: Have a formal policy. This should be in writing that spells out what employees are and are not allowed to say or do via and on the Internet, including blogs and social networks that they use inside and outside work. Explain the rationale. Ensure this leaves staff in no doubt that what employees say electronically can expose the company to legal and reputational risk. State exactly what s being monitored. Be specific about what will be monitored give examples, and explain how monitoring will be undertaken. It is also important to clearly set out the consequences of breaching the policy. Educate and remind employees. As well as ensuring new staff read and understand the policy, have an ongoing training and awareness program to educate and remind all employees. Establish clear procedures to follow when violations occur. Procedures should identify who is responsible for reporting any breach and who will investigate. Include instructions how to document and preserve evidence, and who will confront the violator. Refer to your disciplinary policies and if these need review, liaise with HR. Guidance should also be provided to ensure investigators are protected both emotionally and legally when dealing with more serious cases. Consider BYOD and Remote Access. Allowing the business use of personal devices necessitates a review of your acceptable use policy. In many cases an AUP can explicitly prohibit use of employee-owned devices, and so these clauses will need careful review when allowing this. Keep employees on task Once an employee is aware that every website and application accessed is logged, this will deter the majority of inappropriate personal use. A package that can identify key words and alert in real time can achieve specific policy objectives, such as actively preventing staff from carrying out job searches using their current employer s time and resources. Home working and personal use. Employees have a duty to respect their employees privacy, and should not record personal use of the devices outside of work. With the Impero solution, this is simply addressed by off-line mode of the client which maintains the policies on the device with capturing and logging disabled. Typically used in conjunction with a VPN, the Impero client automatically provides logging and recording as soon as a work connection is established. Involve IT, Legal and HR teams in developing and enforcing the policy. Legal considerations, in particular, should guide on the handling of electronic evidence related to any potential criminal or civil charges. (If your company does not have an in-house legal team, appoint an outside employment lawyer to advise you).

5 good cop bad cop Organisations should ensure that IT teams are being monitored, too. Typically, IT staff have higher levels of access and any compromise carries a potentially higher level of impact. IT staff should therefore not be surprised to learn that someone is watching them too. Even police forces are not immune from staff misconduct, and a number are looking to Impero solutions to help maintain professional standards when it comes to the use of IT. Shocking figures recently came to light following a BBC Freedom of Information request about the misuse of police computers within Derbyshire, Nottinghamshire and Leicestershire forces. It emerged that in the past 3 years, there were 28 such cases in Derbyshire, 32 in Nottinghamshire whilst Leicestershire had 59. Across the three forces, 11 employees had been dismissed as a result of abuses and 19 staff had resigned either during or after being investigated. One case even involved an Inspector downloading pornography using his work computer. The Information Commissioner s Office said: We expect police forces to make substantial proactive efforts to check that any access to their records is for legitimate police purposes and to take action where they discover wrongdoing. securing evidence Best practice in securing digital forensics requires electronic evidence to be properly preserved. To be admissible in a UK court, information taken from a PC or laptop normally requires the hard drive to be removed and cloned, and then the clone examined leaving the original evidence untouched. IT staff may be tempted to skip the cloning step and examine the hard drive directly, and managers may take the view that it s highly unlikely that they would ever wish to bring a prosecution due to the adverse publicity this might generate. However, IT need to advise the business owner on the evidential requirements and consequence of a practice that could make their findings inadmissible. That s why Legal and HR advisors should be involved in formulation of the policy and process of monitoring activity. Impero software seamlessly creates a separate thumbnail audit trail, which works like a virtual video recorder and provides reliable evidence without the need to clone hard drives. Without such evidence, delinquents may never be caught and in serious cases fraud and crime may continue. Impero not only provides monitoring and alerting, but also delivers the irrefutable evidence needed to enable successful formal investigations.

6 strategic partner and solution Together with a comprehensive policy accompanied by an education programme for users, the right strategic partner and an efficient solution is needed to effortlessly implement a monitoring programme. The IT department must of course ensure that employees are not prevented from proper access to all business related content, so a solution that can provide white listing as well as filtering and logging is essential. Traditional tools available for misconduct investigations are retrospective and reactive these include logs, DHCP and web proxy servers, or subscription-based appliances that only filter and log web traffic. For a typical investigation, an IT administrator may have to trawl through gigabytes of log data on multiple different platforms. Few solutions do the job more effectively than Impero s integrated suite a comprehensive tool kit that can be deployed to pre-emptively support an acceptable use policy, and where necessary provide the evidence of inappropriate activity. Using Impero, IT staff can ensure the appropriate security profiles are in force. Consistent policies can be applied to both physical and virtual desktops, for example to prohibit saving data on local storage therefore extending security to employee-owned devices. Applications can be deployed automatically and transparently with remote assistance or, whilst an encryption policy for all corporate data created through IT delivered applications can be applied (without touching employees personal applications and data). Impero logs every website and application accessed by device users. Impero provides evidence such as a screenshot and/or a full frame recording of the user s desktop. Alerts and blocking can be based on a granular policy for different groups of workers. Even more powerful is that upon detection of access to a specific resource or key word, Impero can instantly alert via an . Where other point solutions typically only offer a single feature such as logging or internet restriction, Impero provides an integrated suite that proactively aids support. These allow IT to provide remote control, manage software licences and make more efficient use of print and power. Power management alone often provides a payback in under 12 months. So why not let Impero consolidate and simplify the job of managing your complex and distributed network, as well as providing the ability to monitor the efficient and productive use of your business assets? The Impero staff and management team have always shown a great passion to work with us and enhance their product to meet future requirements. Nick Bond, Services BSF Director, Capita IT Services, UK