Should you be watching?
Cybersecurity and employee morale
Recent spectacular breaches of organizational data reiterate the need for vigilant cybersecurity. One component of this effort is keeping an eye on employee use of data resources. Surveillance may also be used to combat theft of proprietary information, wasted work time online, allegations of sexual and racial harassment, and bullying. What’s more, monitoring can help compliance with regulations and protect your company in lawsuits.
However, monitoring can sometimes come with a price: fostering a culture of mistrust; feeding an adversarial relationship between management, security personnel and staff; and possibly harming employee performance and commitment. Here are some things to consider when introducing surveillance.
Getting buy-in
In their 2006 book The Visible Employee, Jeffrey Stanton and Kathryn Stam write that security personnel actually avoid communicating with employees when possible: “Rather than talking to users directly about the appropriate and inappropriate ways of doing something, they preferred to program the permissions and restrictions into the technology. [In a 2004 Genesee study] more than half of managers and non-managers reported that their companies never offered training. Almost two-thirds also reported that their companies never let employees know how they were being monitored.”
Employees will give up a certain amount of privacy and autonomy for a perceived good cause, such as protecting the company and their own data. Yet, they resent the introduction of cumbersome procedures and policies when they don’t know the “why.” They need to know what the concerns are (for the company and the individual) and why the new policies, procedures and/or surveillance will improve things. They need to know if they could get fired for infractions and why. They also need to know who will have access to records of their violations — or to their permissible use of the internet, for that matter.
Employees should be made aware that being victimized by hackers has its own price, even if blame is not assigned to the employee. There can be shame and self-condemnation for being naïve, gullible, greedy or worse. In their 2011 book Cyber Crime: The Psychology of Online Offenders, Grainne Kirwan and Andrew Power likened the experience to post-traumatic stress disorder (PTSD). These effects should be highlighted to employees in advance and used to support efforts to improve the security culture as a mutual benefit.
Anticipate the pushback
Stanton and Stam write that “employers fall victim to the temptation to set quite draconian policies pertaining to the collection and use of information about employees. … However, the effect of such policies on the employees who are governed by them may create worse problems than the ones employers are trying to solve.”
Introducing surveillance can affect culture in surprising ways. A 1958 research study by Lloyd Strickland showed that the mere fact that supervisors were using surveillance on employees decreased the supervisors’ level of trust in employees, even though the employees’ behavior was no different than before. Trust-eroding behaviors could easily start an adversarial relationship with an array of negative effects. Lewis Maltby, president of the National Workrights Institute in Princeton, N.J., says that surveillance can decrease productivity because “nobody does a good job with their boss looking over their shoulder.”
Employees annoyed by unexplained changes may supply their own rationales for the new policies and come up with certain self-serving “leniencies.” As Stanton and Stam note: “Workers can be extremely creative about subverting monitoring and surveillance [and] may resort to work slow-downs, absenteeism, sabotage, theft, and other subtle or not-so-subtle forms of resistance.”
Improve, not punish
Author Lee Michael Katz stresses that it is critical that employees find out about upcoming monitoring before the procedures are put in place, not when they are caught committing an infraction. When an employee is caught violating a policy and is surprised to find out they were being monitored, their resentment may exceed their contriteness over the misdeed. Katz says that it is wise to use monitoring for improvement and not for retribution.
An organization needs clear policies, rationales and workarounds around blocked sites for emergencies. The policies need to avoid the appearance of being selective or even discriminatory by class or any other differentiator. For example, is surveillance equally distributed or does it pick on low-level female clerical workers? If the policy is unequal, a rationale should be provided. In general, author Miriam Schulman says, employee buy-in and involvement in the creation of a monitoring policy can be helpful for morale.
Maintain trust and communicate
In a 1997 Journal of Business Ethics article, Rita Manning wrote: “When we look at the workplaces in which surveillance is common, we see communities in trouble. What is missing in these communities is trust.” Close to 20 years later, surveillance is in many cases the societal norm. Still, there is room for misuse and abuse and employee pushback. Stanton and Stam cite privacy advocates who argue that “organizations routinely overstep their bounds by capturing too much information about employees, too frequently, and with too little control over how the data are used, protected or maintained.” To make monitoring work, there is no substitute for establishing and maintaining trust, and for clear, open communication.
Fred Mael, Ph.D., helps organizations and their employees work more effectively, and coaches executives and managers. This article appeared originally in 2016 in Washington SmartCEO magazine and Baltimore SmartCEO magazine.