Businesses can benefit from monitoring their internal users' behavior. Learn what user activity monitoring is and how it can improve your overall security and productivity.
Data and network security, legal compliance, and employee productivity are three important facets of running a business. One way to achieve these goals is by implementing user activity monitoring (UAM) tools; however, you should be aware of a few caveats. If you are considering using these tools, it is important to understand the best practices of user activity monitoring and how it can help your business.
What is user activity monitoring?
User activity monitoring is a set of software and tools that can track and record the activity of users (employees) on a system. UAM can be used to track systems as small as individual company-owned devices (e.g., desktops, laptops, cellphones) or as large as entire networks.
"The purpose behind the monitoring is to maintain security, whether that be a network intrusion, the theft of sensitive information or other threats," Michael Trust, human resources leader and certified mediator at Michael Trust Consulting, told business.com. "UAM is used to monitor threats from internal actors, as opposed to an external threat, which is a different type of security."
Additionally, some businesses turn to UAM to monitor and improve employee productivity. Employers can implement user activity logs to track individual user activity and filter results by specific criteria. The size and depth of your UAM policy will depend on your business's size, industry and security needs.
Editor's note: Looking for the right employee monitoring software for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.
Employee monitoring and the law
Although monitoring employee activity is beneficial, employers should use discretion and sensitivity when implementing employee monitoring software and policies. For example, the Electronic Communications Privacy Act of 1986 loosely governs employee monitoring and requires employers to have legitimate business purposes for monitoring user activity. States such as California, Florida, Louisiana and South Carolina impose tighter restrictions on employee monitoring.
What are the benefits of user activity monitoring?
Employers can take advantage of three major benefits of user activity monitoring: It helps businesses maintain network and data security, it aids in legal compliance and protection, and it improves employee productivity.
One of the main reasons companies turn to user activity tracking is for cybersecurity. UAM tools can secure networks and devices, reduce the risk of data breaches, protect proprietary information and trade secrets, and prevent data loss. Organizations can fall victim to threats like employees sharing proprietary information with unauthorized users, cyberattackers or malicious employees uploading malware to networks or devices, or naive users unintentionally accessing harmful web content. UAM tools can monitor these security threats in real time and create an audit log, allowing your IT or security team time to respond promptly.
Legal compliance and protection
Some employers rely on UAM solutions to maintain legal compliance and protect their organizations against litigation. For example, highly regulated industries like healthcare and financial services tend to have strict guidelines on what type of information can be shared and with whom. Tracking user behavior in real time helps companies ensure users are complying with those laws and regulations.
Additionally, if a specific user is engaging in illegal activity (such as theft, gambling or harassment) on your network or devices, you can quickly identify it and take appropriate disciplinary action. Since these surveillance tools not only track user actions in real time, but also store and report on historical activity, your business can use UAM to protect against litigation claims from disgruntled employees or customers.
Another advantage of tracking user activity is the potential increase in employee productivity.
"A very common example is monitoring of employee access of social media for personal use on company time and using company IT resources," said David Miller, labor and employment attorney at Bryant Miller Olive. "If employees know they are monitored, they are deterred from wasting paid time on unproductive activities."
Although some employees may view monitoring software as a lack of employer trust, you can mitigate this concern by discussing your monitoring policies with your team and explaining the reasons behind them. Instead of using UAM to micromanage employees and discipline unproductive workers, use it to improve your business. Be transparent with employees about their activity, reward high performers, and create improvement plans for areas where workers are lacking.
What does user activity monitoring software do?
User activity monitoring software can include a multitude of features, depending on what benefits you want from it. It can perform functions like recording video for surveillance, capturing files and screenshots, logging keystrokes, and tracking mouse, keyboard and network activity.
"UAM software reviews in real time what files, applications, devices, servers, networks, websites, internal drives, external drives, etc. are being accessed, what is being accessed, and by whom," Trust said. "It can also show if and what documents are being uploaded and downloaded during this review."
UAM data is often recorded in real time, but it can be configured to display filtered results for a particular date, time or set of files.
What should you consider when implementing UAM?
To create a successful user activity monitoring policy, you should choose software that has the specific features and integrations you need, incorporate a combination of security efforts, and disclose all monitoring processes to your employees.
1. Choose your software carefully.
There is no single platform or tracking tool that will suit every business's monitoring needs. You first need to determine the specific benefits you are looking for in a user activity monitoring solution. Do you need to track user activity to maintain cybersecurity, or is employee productivity your top priority? If you already have other business platforms or data security software, you may need to find a UAM platform that easily integrates with those programs.
"Define your needs and objectives, and then choose a software that meets them," Miller said. "Only choose a software that can integrate with your other platforms, like data security systems."
2. Use UAM in addition to (not instead of) other cybersecurity measures.
User activity monitoring software can be an excellent security tool, but it's not enough by itself. Trust recommends implementing other security measures – such as multifactor authentication, fewer shared accounts, strong password requirements, frequent password changes and strict file-sharing procedures – to avoid the loss of data and associated risks.
Perhaps most importantly, you should only permit essential users to access highly sensitive or confidential information. Some businesses mistakenly give all employees access to this kind of information, even if they don't need it to perform their role.
"Many organizations do not lock down this information, and so employees could freely, for example, obtain a confidential customer list, or product design, or financial information, or payroll information and share it maliciously inside and/or outside of the organization," Trust said. "It could also be shared innocently for gossip. In either case, it's a security threat."
A combination of various security measures will give you a greater advantage in maintaining a safe and secure business.
3. Openly disclose UAM policies to employees.
Whether you are legally required to or not, you should be transparent about what you are monitoring and openly disclose your policies to your employees. This can ease their concerns about lack of trust, while helping them adhere to your expectations for privacy and security.
"User activity monitoring has 'invasion of privacy' implications," Miller said. "Employers should be careful to eliminate any expectation of privacy employees might have in, for example, personal emails, personal documents stored on company computers, or social media use."
After you discuss your monitoring policies with your team and answer any questions they have, obtain their consent with their signatures. You should also add your employee monitoring policies to your employee handbook.