
STOP SNOOPING ON YOUR EMPLOYEES by Ian Kilpatrick, chairman Wick Hill Group
March 03: 1742 words

Nobody likes to feel they're being watched all the time or that their employer doesn't trust them. But in some workplaces, every bit of email written is scrutinised and every web site visited is checked out by employers. Apart from the detrimental effect this has on employees, it is a hugely expensive and totally unnecessary waste of time.

At the other end of the scale, some companies have no rules, management or controls over email and a similar attitude when it comes to the web. This puts both the company and employees at risk.

The 'burying your head in the sand' approach is just as inappropriate as the 'big brother' approach, because there are effective solutions available to deal with the management and regulation of email and web use. There is a happy medium between these two extremes.

Why monitor?

Why do we need to consider monitoring email and the web at all? There are a number of legal, moral and business issues. Firstly, companies need to protect their employees from racism, sexism and pornography. If they don't, they can be prosecuted. The American oil company Chevron, for example, had to pay US$ 2.2 million to employees offended by a sexist joke circulated around the company. And there are many less expensive but just as unpleasant examples in the UK.

Clearly, if there is unfettered use of the web, unsuitable material can be downloaded into the work place and distributed inside and outside the company with no control over the legal consequences. Failure to manage racist, sexist, pornographic or just plain libellous content has been shown repeatedly in court to be expensive in terms of fines, legal costs and perhaps worst of all reputation. One thing is abundantly clear - ignorance is not a defence in law.

There are several other important issues if email and web use is uncontrolled. Company confidential material can be and often is easily emailed out of the workplace by ambitious, mischievous or disgruntled staff members. No sales manager in their right mind would let a sales person walk out of the workplace with the customer database tucked under their arm. But the same sales person could email the list out even more easily, if there is no email management system in place.

There are also major productivity implications if email isn't managed properly. Research from IDC and Gartner Group suggests that 30-40% of all email in organisations is personal. Failure to deal with this issue is expensive for both the business and for shareholders, as well as penalising hardworking staff.

Additionally, personal email traffic and its associated attachments significantly increase network traffic and the overall load on your Internet connections. This not only adversely affects the performance of the whole network, but also has a potentially negative impact on your important email communications with customers.

Big brother?

When there is too much monitoring of email and the web, problems also arise. It is firstly a waste of time and money to read everything that is written in emails, checking all the attachments, and checking out every single web site visited.

Secondly, it is not consistent with other company policies, as most companies don't read every letter into and out of the building, nor do they listen to every telephone call. Staff disciplined for email abuse can feel aggrieved if the same standards are not applied throughout a company's communications.

Thirdly, it is an activity which companies will eventually be unable to keep up with, because email and web use is growing at such an exponential rate. Scrutinising everything may be working today, but it will almost certainly be unmanageable in a few years' or even a few months' time.

IDC estimates that around 15 billion emails are sent each day with that number rising to 35 billion in 2005. In a further study, IDC projected that 977 million people worldwide will use the Internet by 2005, with 50% of these doing so from a business location.

There is also the undeniable fact that people don't like to feel their every move is being watched, their every word scrutinised. The 'big brother' approach can leave staff feeling inhibited in what they do and positively hostile towards management and the company.

And what happens if you catch a large number of people breaking the rules? Do you sack half your work force? This has happened recently with some companies and it perhaps illustrates that when you start monitoring, you have to be absolutely clear what the rules are, how rule breakers will be dealt with and what is a sackable offence. Additionally, companies have to tell people that they are monitoring, or they could find themselves legally liable for snooping on staff.

The right balance

So how do you find the right balance that will keep staff happy, keep the board happy and fulfil all your legal, moral and business obligations? Firstly, you need a policy. You need to clearly decide and record what will be allowed and what will not be allowed.

You also need to think very clearly what the purpose of managing email is and what the consequences will be for those who do not follow the rules. While this sounds blindingly obvious, it is apparent from a number of high profile sackings of highly trained staff by major companies, that punishment is a major component of their policy rather than management.

Some companies have lost sight of the original purpose of monitoring - to help grow their business and meet their legal requirements. Once you have decided on the rules, the most important thing is to make them crystal clear to staff. After that you make the consequences for transgression similarly clear. Will it be verbal warnings, instant dismissal, or some other reprimand? It would be totally unfair to sack someone for something they haven't been warned against.

Fundamental to the effective implementation and management of email and web access is staff buy-in. Managers should explain, for example, why it is crucial that the customer database is not emailed out, how it could adversely affect the company's profitability and the employees' own job security if it is.

That way, employees are aware of the purpose of the policies and the benefits to them and to the company. Then, if someone is disciplined, the reaction is more likely to be relief that they have been stopped, rather than sympathy for the staff member and resentment against the company.

Education and training are key parts of any email and web strategy. Policies should be explained and staff given any training needed to comply with policies. Surprisingly, many companies have policies, but fail to train their staff on how to carry them out. In an IDG survey in the US, 81% of responding companies had an email policy, but only 24% trained their employees on those policies.

Managing without snooping

The next step is to monitor in a workable way. This can be done by automating the monitoring process and monitoring for exceptions. You don't have to physically keep someone permanently engaged in reading emails and checking all web sites visited. But you can still check everything coming into the building, going out of the building and circulating around the building.

Solutions such as Clearswift's market-leading MIMEsweeper range provide effective management by exception. Monitoring by exception just picks up emails where the rules have been broken.

Similarly, when dealing with the web, you can use products such as Clearswift's WEBsweeper, which bars access to selected categories of web sites and constantly monitors for inappropriate activity, informing you of any problems. Sophisticated 'web filtering' solutions such as Allot's NetPure use artificial intelligence for more flexible and more selective web monitoring.

The rules don't have to be rigid. For example, some companies will allow staff to surf the web on permitted sites (e.g. sports and leisure) during their lunch hour, when less work is being done, but not during peak business hours. Some companies will allow a limited amount of personal emailing, in the same way that some companies allow a limited amount of personal phone calls. These steps show employees that the company is being reasonable and listening to their needs, but also clearly say that there are rules.

On the email side, you can use software which will pick up key words in emails, such as swear words or words associated with pornography, racism or sexism. Such software can be context sensitive, so for example, it may allow in the word 'bloody' once in an email, whereas twice might be a problem and more than twice would probably get picked up, especially if it's in association with another swear word.

You can manage your response to such emails. You might choose to reject the incoming mail and notify the recipient that it failed the test. Or you might quarantine it, check it, then send it on. For example, you might do this with an angry letter from a dissatisfied customer which may contain swear words, but may still be considered necessary and suitable to send on to the recipient. Or it may be too offensive to send on, so the contents could be noted and the recipient informed in more acceptable terms of the complaint.

You could set different rules for different groups or different individuals. Senior management could be allowed to receive unmonitored email. Or, in certain professions, specific rules can be set, e.g. a solicitor's office may receive email containing strong language because it relates to a case.

If you're worried about sensitive information being emailed out, such as research data, marketing plans or customer lists, you can set your monitoring system to pick up key words which would highlight this information.
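The exception-based rules described above (repeat-sensitive keyword scoring, reject or quarantine responses, per-group rules and outbound checks for sensitive terms) can be sketched as follows. This is an added example, not code from the article or from any product it names; the word lists, weights, thresholds, group names and function names are all hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed lexicon, weights and terms: assumptions for illustration only.
LANGUAGE_WEIGHTS = {"bloody": 1, "damn": 1, "bastard": 2}
SENSITIVE_TERMS = ("customer list", "marketing plan", "research data")

@dataclass
class GroupPolicy:
    inbound_monitored: bool = True  # False: group receives unmonitored email
    quarantine_at: int = 2          # language score that triggers human review
    reject_at: int = 4              # language score at which mail is refused

# Hypothetical groups mirroring the article's examples.
POLICIES = {
    "default": GroupPolicy(),
    "senior-management": GroupPolicy(inbound_monitored=False),
    "legal": GroupPolicy(quarantine_at=6, reject_at=10),  # case material
}

def language_score(body):
    """Sum the weights of every lexicon word, counting repeats."""
    words = re.findall(r"[a-z']+", body.lower())
    return sum(LANGUAGE_WEIGHTS.get(w, 0) for w in words)

def evaluate(body, group="default", direction="inbound"):
    """Return (action, reasons). Clean mail is delivered with no reasons,
    so reviewers only ever see the exceptions."""
    policy = POLICIES.get(group, POLICIES["default"])
    if direction == "inbound" and not policy.inbound_monitored:
        return "deliver", []
    reasons = []
    if direction == "outbound":
        text = body.lower()
        reasons += [f"sensitive term: {t}" for t in SENSITIVE_TERMS if t in text]
    score = language_score(body)
    if score >= policy.reject_at:
        return "reject", reasons + [f"language score {score}"]
    if score >= policy.quarantine_at:
        reasons.append(f"language score {score}")
    return ("quarantine" if reasons else "deliver"), reasons

if __name__ == "__main__":
    # Constructed sample messages.
    for msg in ("That was a bloody long meeting.",
                "Bloody late again, bloody useless!",
                "You bloody, bloody bastard."):
        print(evaluate(msg), "<-", msg)
```

Only messages that return `quarantine` or `reject` need a reviewer's attention, and the `reasons` list records which rule fired without anyone reading mail that passed.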

Having these systems in place tells staff that you have rules and you are managing the rules. It tells them you are checking to see when the rules are broken, but that employees are not being individually monitored nor their every move watched. Staff will know that if they stick within understood rules, they have no need to be worried.


With rapidly growing email and web use, it is increasingly necessary to set and enforce security policies to manage these areas. Companies, however, should avoid the 'big brother' approach. Email and web monitoring can be dealt with perfectly sensibly by using solutions which monitor automatically and by exception. That way, companies can fulfil their legal, moral and business obligations, without being accused of snooping.

Ian Kilpatrick is chairman of Wick Hill Group, a company specialising in secure infrastructure solutions for ebusiness. Contact 01483 227 600, email, web

For further press information please contact Annabelle Brown on 0192 252 8548, email

This press release was distributed by ResponseSource Press Release Wire on behalf of Annabelle Brown in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit