Information Systems Security Accountability

Information security is everyone’s responsibility. Most individuals want to do a good job if they know what the rules are. It’s also difficult to hold individuals accountable if they have not been instructed as to what is and is not acceptable. That is the core reason behind a security awareness program. The basic benefits of a security awareness program are to inform workers of the following:

  • The basic principles of information security

  • Awareness of risks and threats

  • Preparation for dealing with unexpected risks

  • How to report suspicious activity, incidents, and breaches

  • How to help build a culture that is security and risk-aware

Incorporating Accountability into Annual Employee Performance Reviews

It is everyone’s responsibility to adhere to security policies. This is accomplished by the collective action of many leaders. The enforcement starts with executive support. This support goes beyond receiving permission to implement security policies. Executive support also means personal commitment by the managers to use their position and skills to influence the direction of their teams.

Executive support is key to security policy enforcement. At some point in the enforcement process, you need to change workers’ behaviors. This can require disciplinary action. Even taking workers aside and coaching them runs the risk of negatively impacting a department. It is important that you lay the foundation for such discussions in advance. Incorporating accountability for adherence to security policies is one method. You accomplish this through the executive of the department. This executive can send a clear message that there’s zero tolerance for ignoring security policies. The executive must be clear that violations of policies will be taken seriously and noted in an individual’s annual performance review. This type of message establishes a tone at the top.

It’s important to remember that the employees look to executive management for direction. The executive leaders are expected to lead by example. This means they follow the same policies as employees. The act of exempting themselves devalues the policy’s importance. Executive management needs to take an active interest in key performance indicators and show continued support. They should be visible in approving a deviation from policies only when absolutely necessary.

Noncompliance with policies and any improper handling of data should be reflected in annual performance reviews. The performance review sends a powerful message about the importance of security policies, risk management, and the risk culture within the organization.

Organization’s Right to Monitor User Actions and Traffic

The prevailing legal view is that employers have the right to monitor workers’ activities on company computers. This right is not absolute. In other words, it’s important that an organization acts in accordance with its policies and the law. The policies must be clear and concise. The COVID-19 pandemic in 2020 forced many users to work from home, using personal networks and potentially personal equipment. The interpretation of what can and cannot be monitored becomes blurred.

The controls in place to monitor user activity remotely from home networks and equipment should be reviewed by the organization’s legal department annually. The laws on privacy and the expectations placed on employees continue to evolve. Policies and related controls allowing such capability should be updated potentially more frequently than other policies. Having such updated policies weakens any employee argument that they had a reasonable expectation of privacy. It is always best that organizations put in writing their intent to monitor workers’ activities when accessing company data regardless of the end-user device.

There are a number of good reasons to monitor workers’ computer activities:

  • Maintaining a productive workforce

  • Detecting when security policies are not being followed

  • Maintaining the security of sensitive data

  • As a general deterrent of noncompliant behavior

When the lines between a worker’s personal and professional life blur, court rulings can become less clear. Some organizations, for example, allow personal smartphones to be used to send and receive company emails. Even when these devices have the same encryption and other controls, this practice blurs the legal lines between work and personal life. Although this is done to reduce costs, it can quickly create legal entanglements.

There is little dispute that organizations can monitor employer-owned computers used during work hours through company accounts. There are typically three areas of monitoring employee actions that should be in the scope of an audit:

  • Internet

  • Email

  • Computers

The legal department needs to check state regulations. Certain states have specific regulations regarding employee monitoring. For example, Maryland, Illinois, and California require user consent. A few states like Connecticut and Delaware require the user to be given notice before the monitoring begins.

Being transparent about the monitoring and the reasoning behind the decision is important. Morale and productivity could be harmed if employees feel less trusted and micromanaged. The reality employers need to keep in mind is that the lines between work and personal life are often blurred. Leadership must have honest and open conversations with users on expected behavior. Finally, this expected behavior is in policy and part of the user’s training.
