Insider Threat Management

Employee Computer Activity Recording: Best Practices Checklist

(Updated on 30/10/2020)

What is computer activity recording?

Many corporations and government agencies deploy software to record the activities performed by their employees on company-owned computers. This is analogous to recording telephone conversations made by employees on the company telephone system or even video recording of the company’s premises. The resulting recordings demonstrate exactly what actions an employee took while using particular software or systems (including operating system processes which resulted from user actions), and can include both screen recordings and searchable-text activity logs.

Why monitor the computer activity of employees?

The three main reasons for monitoring employee computer activity are:

  1. Securing the company’s sensitive data and systems – By monitoring what employees do on their computers, it is possible to determine (in real time or during later investigation) when an employee has accessed or altered data or system configuration settings in an unauthorized manner.
  2. Complying with laws, regulations and standards – Numerous government regulations and industry standards require companies and government agencies to safeguard particular types of sensitive information, including the ability to audit all access to that information. Examples include HIPAA and SOX (US laws), the PCI DSS (a payment-card industry standard) and ISO 27001 (an international security-management standard).
  3. Attempting to improve employee efficiency – Employers see activity monitoring as a way to prevent employees from wasting time with non-work activities, such as playing games and using social networks.

Regarding the third point: It is almost always the case that there are better means of achieving this goal than by spying on employees’ activities, e.g., management methods focused on effective training, team-building and trust-building. Therefore, the checklist presented below focuses primarily on the first and second points.

What about employee privacy?

Employees tend to resent close monitoring of their activities. At best, they feel that it indicates a lack of trust on the part of management and, at worst, they feel demoralized by the “big brother” effect. These are valid feelings which happen to be backed up by laws that protect employee privacy. Examples of these laws include the Electronic Communications Privacy Act (ECPA) in the US, Labor Code Section 435 in the state of California, the Bundesdatenschutzgesetz (BDSG) in Germany, the Human Rights Act in the UK and, in the European Union, Data Protection Directive 95/46/EC (superseded in 2018 by the General Data Protection Regulation, GDPR).

Is there a middle ground?

The ideal balance between the monitoring needs of employers and the privacy concerns of employees can be struck with a combination of intelligent corporate policy and effective communication. By implementing the following “employee monitoring checklist,” employers can achieve their security, regulatory and management goals while promoting acceptance and goodwill on the part of their employees.

Employee Computer Activity Recording: Best Practices Checklist

  1. Only monitor what must be monitored – Security and regulatory compliance needs apply to particular types of information (e.g., personal health information in HIPAA or cardholder data in PCI) and to the applications and tools that access it. When employees understand that only their activities relating to sensitive data, applications and systems are being recorded (but not everything else they do on their computers), their goodwill and cooperation will be maintained.
  2. Clearly inform employees what is being recorded and why – Configure the activity recording software to present a concise policy statement to the user upon every system login. The statement should describe what will be recorded and why (e.g., “Due to regulatory compliance requirements, your activity will be recorded while using SAP and while working with any server-based files.”). Ideally, the software will require the employee to click an “acknowledge” button in order to proceed, thus ensuring effective communication of this message.
  3. Protect recordings from unnecessary and unauthorized playback – When employees know that no single person (not even their manager or an IT administrator) can arbitrarily access recordings of their computer activity, their resentment of the whole matter tends to disappear. This can be accomplished by implementing strict “four eyes” (dual-control) privacy safeguards, i.e., the recording software should be configured to require two separate passwords in order to access any employee activity recordings. Typically, one password would be held by IT and the second by a union representative or by legal counsel. For the safeguard to mean anything, it must be enforced on the stored recordings themselves (e.g., recordings encrypted so that both credentials are needed to decrypt them), not only in the playback interface; otherwise an administrator with access to the underlying storage can bypass it. This ensures that employee activity recordings can be accessed only for purposes of a security audit, data breach investigation or the like.
  4. Ensure transparency via an effective communication policy – Keep your employees in the loop throughout the entire process of implementing employee recording software and listen to their feedback. This will promote cooperation and goodwill while allowing the company to achieve its monitoring goals. Some specific communication advice:
  • State the goals up front – Let your employees know ahead of time the specific reasons you need to implement some form of computer activity monitoring (e.g., to achieve regulatory compliance, to protect the company from data breaches). This communication should originate from corporate management, not the IT or legal departments.
  • Highlight the benefits to the employees themselves – Instead of presenting activity monitoring as a burden, point out the ways in which employees can benefit: their own personal HR data will be protected from unauthorized access; stressful ad-hoc audits and investigations can be avoided; and the company as a whole will be better protected from data breaches or server malfunctions, which could otherwise result in embarrassment, lost business and even legal action against management.
  • Define clearly what will be recorded and what won’t – Make sure employees know that you will be recording all activities in certain applications (e.g., ERP, CRM), while you will not be recording anything in “personal” applications (e.g., Skype, Facebook). As described above, configure the monitoring software to remind employees of these policies every time they log in (clarity and goodwill may be lost if the details are forgotten or hidden within thousands of pages of corporate policy manuals that no one ever reads).
  • Describe how the recording software works – While you might be tempted to try keeping this secret in order to improve security and prevent workarounds, you’re better off being open about it. An employee determined to work around the system will probably find any weak points anyway, so better to gain the trust benefits of everyone else by focusing on open and honest communication.
  • Emphasize that recordings are secured – As described above, require the passwords of both in-house IT and an outside person (such as a union or legal representative) in order to gain access to user activity recordings, and communicate this clearly to your employees.
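The dual-control safeguard from checklist item 3 (and the last bullet above) is only as strong as the mechanism behind it. The following is an added example, not Proofpoint's product code, of one way to enforce it cryptographically on stored recordings: each recording is encrypted under a random data-encryption key, that key is split into two XOR shares, and each share is wrapped under a key derived from one custodian's password (IT and the union/legal representative). Either share alone is statistically independent of the data key, so neither custodian, nor an administrator who copies the stored envelope, can play back a recording without the other custodian's password. Assumptions: only the Python standard library is available, so the symmetric cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag standing in for a real AEAD; the PBKDF2 iteration count and the sample log line are illustrative.

```python
"""Dual-control ("four eyes") protection for stored activity recordings.

Added example. Assumption: stdlib only, so the cipher below (HMAC-SHA256
keystream + encrypt-then-MAC) is a stand-in for a vetted AEAD such as
AES-GCM; the dual-control structure is the same either way.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000          # assumption: tune for your hardware
NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _derive_key(password: str, salt: bytes) -> bytes:
    # Password -> key; a wrong password gives a different key, caught by the MAC below.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: one 32-byte block per counter value.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes):
    # Independent encryption and MAC subkeys from one input key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong password or tampered data lands here instead of producing garbage.
        raise ValueError("authentication failed: wrong key or modified data")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def seal_recording(recording: bytes, it_password: str, counsel_password: str) -> dict:
    """Encrypt a recording so that BOTH custodians' passwords are needed to open it."""
    dek = secrets.token_bytes(KEY_LEN)           # per-recording data-encryption key
    share_it = secrets.token_bytes(KEY_LEN)      # uniformly random share
    share_counsel = _xor(dek, share_it)          # dek == share_it XOR share_counsel
    salt_it, salt_counsel = os.urandom(16), os.urandom(16)
    return {
        "salt_it": salt_it,
        "wrapped_share_it": _encrypt(_derive_key(it_password, salt_it), share_it),
        "salt_counsel": salt_counsel,
        "wrapped_share_counsel": _encrypt(_derive_key(counsel_password, salt_counsel), share_counsel),
        "ciphertext": _encrypt(dek, recording),
    }


def open_recording(envelope: dict, it_password: str, counsel_password: str) -> bytes:
    """Recover the recording; raises ValueError if either password is wrong."""
    share_it = _decrypt(_derive_key(it_password, envelope["salt_it"]),
                        envelope["wrapped_share_it"])
    share_counsel = _decrypt(_derive_key(counsel_password, envelope["salt_counsel"]),
                             envelope["wrapped_share_counsel"])
    return _decrypt(_xor(share_it, share_counsel), envelope["ciphertext"])


def can_open(envelope: dict, it_password: str, counsel_password: str) -> bool:
    try:
        open_recording(envelope, it_password, counsel_password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample "recording": one searchable-text activity log line.
    sample = b"2020-10-30T09:14:02Z user=jdoe app=SAP action=open doc=Invoice-Batch\n"
    env = seal_recording(sample, it_password="it-pw", counsel_password="counsel-pw")
    assert open_recording(env, "it-pw", "counsel-pw") == sample
    assert not can_open(env, "it-pw", "guess")      # IT alone cannot play back
    assert not can_open(env, "guess", "counsel-pw")  # counsel alone cannot either
    print("dual-control playback check passed")
```

In practice the two passwords would be entered on separate devices or through separate approval steps, and the wrapped shares would ideally live in an HSM or KMS rather than beside the ciphertext; the point the example makes is that the "two passwords" rule is enforced by the data itself, not by a checkbox in the playback tool.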
