
Security pros struggle to balance monitoring of remote workforces with privacy expectations

Remote working amid the pandemic is a contributing factor to increased investments. (Photo by Erin Clark/The Boston Globe via Getty Images)

The work-from-home revolution ushered in by COVID-19 has created new challenges for businesses looking to monitor their employees’ productivity and behavior without violating their privacy.

Of 1,249 global IT and security professionals recently surveyed by Ponemon Institute, 65% of respondents said their organizations have increased their monitoring of remote workers due to the perceived risk they pose to sensitive data. And yet only 46% said their organization is transparent about how they track performance, productivity and data usage, while just 53% said their employees truly comprehend how their activities are being tracked.

And although 63% of the security pros said it was important or very important to protect their workers’ sensitive information, only 34% said they are effective or very effective in doing so. Furthermore, only 31% of respondents said their organizations have been effective or very effective at protecting sensitive information while still achieving their operational goals. (Survey-takers were asked to score importance and effectiveness levels based on a scale of one to 10.)

Many companies realize that “protecting and preserving their privacy in the workplace is really important,” said Larry Ponemon, chairman and founder of the Ponemon Institute. But “the bad news is that people recognize the fact that the employer is not necessarily doing all they can do to ensure the privacy of the employee information. And so this issue has been a big issue for organizations for a long time, and it doesn't look like there's a cure in order.”

If anything, the tracking of employees working from home has actually created new challenges.

“Right now, we all have a view into your personal life that we've really never had… before the pandemic,” said Jonathan Daly, chief marketing officer at workforce security company Dtex, which sponsored the research and its corresponding report. And as employee monitoring tools and technology proliferate, it’s important for businesses to recognize that “you… don't have to be so draconian and invasive, that you are completely ruining anybody's personal privacy.”

According to Daly, when employees work within an office, they are likely more aware that certain aspects of their digital workplace behavior – like perhaps browsing history – are being monitored. But at home, especially after conventional working hours, that concern may not be top of mind – even if employees are using company-issued devices.

“While people were in the office, they were very particular and they were thoughtful as to what emails they wrote. There wasn't as much crossover… between personal and private life,” said Daly. “The pandemic changed that – and work and life become so blurred, people [now aren’t] as apt to shut down one laptop, and turn on the other, to continue with their after- or out-of-work activities.” But by staying on the work PCs, they are perhaps being watched.

Security and privacy professionals seem to understand that this can lead to trust issues. Indeed, 64% of survey respondents acknowledged that it’s tricky to monitor employee engagement without affecting worker morale and trust. Fifty-three percent said they believe their workers expect that their personal behaviors and activities will remain private and anonymous, unless they are placing sensitive data at risk or causing operational inefficiencies.

Amy de La Lama, a partner at law firm Bryan Cave Leighton Paisner LLP, noted that in the U.S. a key issue is that federal regulations are primarily designed to protect consumers, not employees. “In Europe, for example, there are significant restrictions on how and under what circumstances monitoring can be conducted – e.g., prohibitions on monitoring communications marked as private or ‘personal’ – and privacy officers and employee representative bodies often have to be involved in approving new tools or monitoring activities,” she explained. Moreover, “employers that circumvent these restrictions can find themselves in a situation where information gathered against employees who are involved in wrongdoing or inappropriate behavior could not be used against the employee or could constitute violations of law on the part of the company.”

Fortunately, there are options for businesses looking to strike a balance between network security and employee privacy. One potential solution, said Daly, is pseudonymizing the data collected from workers’ computers. “That allows an enterprise to see productivity, to understand risks or threats, to understand compromised credentials, without invading privacy,” he explained. And that anonymization can still be removed, and the offending employee revealed, if “unidentified Employee X” is straying far from acceptable baselines and the evidence indicates that there is wrongdoing afoot.

However, fewer than half of respondents – 47% – said their employee data collection is anonymized, even though 55% said that anonymizing data improves operational performance because data collection endpoints and the network itself are not overtaxed.

Companies may also want to set policies that limit how much and specifically what employee data is actually collected, while also prohibiting excessive forms of surveillance – especially visual monitoring. In total, 58% of respondents said they limit what data is collected, while 52% said they restrict physical surveillance in the workplace.

“Anything related to cameras, where a solution turns on someone's camera, should automatically be off limits. Quite frankly it's unnecessary. It's very old school, and it's unnecessary in the world we live in, as is, in our opinion, email scanning, content scanning, keystroke logging and screen capture.”

The most common forms of monitoring, according to the survey, are file scanning (60%) and data access and usage (59%), while recording keystrokes was the least common of the identified techniques (39%).

Scott McIntyre, partner with BakerHostetler, said that one technology that measures productivity well without encroaching on privacy is time-keeping software, which has "long been available to indicate when an employee is checked in and checked out of work."

"We expect this type of software to advance in the near future as the demand for remote tracking goes up," McIntyre continued, adding, "There are AI solutions which can track an employee’s time and monitor productivity as well as analytics software."

Another key strategy is simply to clearly communicate to employees what their privacy expectations should be. “Most employees say they're aware they're being monitored, but they don't know how. And again, if they're made aware, and they're made partners in the process… I think the whole entire process and undertaking will become more successful,” said Daly. 

De La Lama noted there has been “increasing attention on providing employees with more transparency regarding how their activities are monitored, as well as expectations with regard to company system use, and the growing need to balance expectations regarding productivity and engagement with flagging morale as the pandemic has continued.”

“Therefore, organizations should be focused on understanding how best to achieve their internal goals while minimizing the level of monitoring and intrusiveness where possible,” she continued. “They should also provide their employees with information regarding these efforts and related employee expectations by implementing and disseminating an Acceptable Use Policy or similar policy or procedure. Finally, they should consider local requirements regarding monitoring and factor these into the decision-making and notice processes.”

And that will be particularly important as the companies continue to face a changing workforce, even as the pandemic fades away.

“The hybrid work environment, in my humble opinion, is going to be kind of model that's most desired by employees,” said Ponemon. “But with that comes a responsibility for the individual to protect their personal information and sensitive information… This is all stuff that companies need to think about if they’re going to shift the way we do work.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
