SoftActivity

How a System Administrator Can Ensure Your Organization’s Remote Employee Surveillance Is Legal

With the rise of remote workplaces, driven by the COVID-19 pandemic and the evolution of remote work technology, more businesses can implement remote work to keep business operations flowing smoothly. Of course, remote work brings a plethora of security risks and new vulnerabilities. Therefore, it is up to the organization to ensure that the operations in place not only keep the business protected but also comply with the laws on employee surveillance that apply in its jurisdiction.

Whether the solution is temporary or you are looking for something more permanent, your organization needs to ensure that your business is monitoring your remote employees. You also need to make sure that everything you are doing is legal. A system administrator can assist you in this. 

Read on to learn how the system administrator’s role can be extended to ensure legal remote monitoring practices.

What is a System Administrator’s Role?

The system administrator, or the sysadmin, is mainly in charge of the network and computer systems and configuration. If your company operates on system servers or has multiple computers on multiple local networks, then your sysadmin will monitor system performance, perform troubleshooting, ensure security and IT infrastructure efficiency, install software, install hardware, and configure network settings. 

While you want a systems administrator who understands the complex company network, they also need to be knowledgeable in scripting languages, computer automation, network security, account access management, Internet of Things, mobile device management, and more.

The same network management duties fall to sysadmins even if your employee network is remote. Remote workers, remote teams, and connections to another remote department are all things that the sysadmin needs to manage. This is because an outside network will need to access the organization’s main networks or transfer information between the networks, and therefore sensitive information needs to be kept secure.

The four main roles of a sysadmin are network monitoring, troubleshooting, managing the information system, and security (i.e., network security and information security). Monitoring includes checking the responsiveness, availability, performance, backup, and more of each system under the company’s control. Troubleshooting might come up at any given time throughout the day, especially when working with large networks. Managing the information system involves information organization and looking at databases. And security testing is often an ongoing practice, so organizational data remains protected. 

Remote Monitoring 

When an organization takes on remote employees, it also takes on additional responsibilities. Remote employees might bring additional security risks because they are using a personal modem/router (a personal internet connection through their ISP), which often means that the internet connection is less protected. While many home offices are covered by basic internet protection like a firewall or anti-malware, that software is often less comprehensive than enterprise security software.

Because of the added vulnerabilities of remote working, organizations often deploy remote monitoring solutions. This might involve: 

  • Remote monitoring software to track insider threat activity and to alert admins to a potential security incident
  • Sending employees company computers to use for work
  • Secure cloud access controls
  • And the implementation of security controls like least privilege, password changes, VPNs, multi-factor authentication, and authorized user rules

Depending on the size of the remote workforce, a business could implement remote infrastructure management software for business continuity, data security, and user monitoring. 

The most common type of remote security is remote employee monitoring. This is simple software that monitors employee behavior on a monitored computer. This surveillance does not entail additional equipment, like security cameras in the home, but instead relies on the functionality of the software on the computer. Features might include:

  • View remote computer screen
  • Tracking project/task times
  • Wasted time reports (i.e., time spent on social media)
  • Keystroke logging
  • Employee productivity
  • User behavior analytics (UBA) for common employee activity
  • And more

Employee monitoring software is usually the easiest thing to deploy and does not interfere with many of your employees’ security settings. Even if you can implement an enterprise security requirement like company computers or company-installed anti-virus, you still need to implement employee monitoring.

Legal Complications of Remote Workplace Surveillance

When employees come into the workplace, it is typically far easier to implement standard security to protect your data. Video cameras, key cards, and secure server rooms are all straightforward to control on-site. However, this is not going to be the case with remote work.

Remote work comes with many challenges, including storing data securely (i.e., is it kept on-site in a secure server or should you outsource to a secure cloud location) and how potentially sensitive data will be transferred between the employees’ computer and the server mainframe. 

Additionally, no matter how you have it set up, your employee surveillance system should be supported by your company’s IT infrastructure. Do you have the systems, equipment, and personnel to run a work-from-home setup? Will you need more staff? And, as mentioned previously, how will data privacy be handled? 

Access to sensitive data may be required over VPNs and secure laptops, but you might also need to adopt additional security settings like two-factor authentication. You can’t install cameras in your employees’ homes, so how can you monitor the physical space if your employees handle sensitive legal documents?

When it comes to legal monitoring, you need to identify what needs to be protected and what does not. You also need to address where vulnerabilities are, such as data being stored in an area that is redundant, not fully protected, or unnecessary. You’ll also need to restrict access so that only those who need to access a given folder can.  

How Can the SysAdmin Ensure Remote Surveillance Is Legal?

There is a range of laws covering employee privacy and workplace monitoring. While regulations might differ from in-person to remote monitoring, your team still needs to be aware of potential complications and limitations around employee surveillance. 

While this can be a complicated process, especially for a small business, rest assured that when you use employee monitoring software, you can at least have a monitoring solution in place, and you won’t be committing major privacy violations. Employee monitoring in the US is legal, and the software often comes with built-in user privacy settings.

Employee monitoring software is installed on the computers that need to be monitored. It will often track time for projects/tasks, provide project managers with more accurate project estimates, and track idle time (or wasted time).

More importantly, employee monitoring software can be deployed with remote access through a central admin console. From here, the sysadmin can view the active screen of the monitored computer and can view all of the screens from a single console view. 

The sysadmin can keep tabs on each user/employee to ensure that that user is actually the person who should be working and that unauthorized access doesn’t occur. 

Employee monitoring software also takes into account major regulations like the GDPR, and the software can prevent the recording of personal online banking data, personal health data (which will likely fall under the HIPAA Privacy Rule and related HIPAA Security Rule), corporate financial apps, credit card numbers, and other sensitive, private, regulated info.

Therefore, sysadmins can navigate to the admin console and configure keystroke logging so that the recorded data redacts usernames and passwords, sensitive banking information, and sensitive personal data, or turn off the keylogger completely. That way your business won’t have that information collected at all, and you don’t have to worry about properly disposing of it or insider threats taking advantage of this data.
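The redaction described above can be pictured as a filter applied to each monitoring record before it is stored. The following is an added example, not SoftActivity's code or configuration: the record fields (user, window_title, text) and the SUPPRESS_TITLES keyword list are hypothetical, and the sample records are constructed.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical keyword list: windows whose captured text is never stored.
SUPPRESS_TITLES = ("sign in", "log in", "login", "password", "online banking")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_cards(text: str) -> str:
    """Replace Luhn-valid card numbers; leave other long numbers untouched."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        return "[REDACTED-CARD]" if luhn_ok(digits) else match.group()
    return CARD_RE.sub(repl, text)


def minimise(record: dict) -> dict:
    """Return a copy of a monitoring record that is safe to store."""
    out = dict(record)
    title = record.get("window_title", "").lower()
    if any(keyword in title for keyword in SUPPRESS_TITLES):
        out["text"] = "[SUPPRESSED]"  # credential or banking window: drop it all
    else:
        out["text"] = redact_cards(record.get("text", ""))
    return out


# Constructed sample records (field names are assumptions, not a product schema).
SAMPLE = [
    {"user": "alice", "window_title": "Invoice 1042 - Editor",
     "text": "Customer paid with 4111 1111 1111 1111 on order 1234567890123"},
    {"user": "bob", "window_title": "Example Bank - Sign in", "text": "hunter2"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(minimise(rec))
```

The Luhn check keeps ordinary long numbers such as order IDs readable while card numbers are removed, and filtering before storage means the sensitive values never need to be disposed of later.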

Integrating SysAdmin Oversight for Remote Employee Software

While there are other things that your business will need to check before moving to remote work, like whether your insurance policies cover potential cyber-attacks, there are some simple steps that you can take:

  • Follow basic protocols around data protection, including the Federal Trade Commission’s five principles of data protection: take stock, scale down, lock it, pitch it, and plan ahead.
  • Connect with HR to first identify what jurisdiction (i.e., regional, statutory, city-based, and federal) your business falls under for surveillance/employee privacy and which data protection law(s) you fit under. For example, if you collect sensitive data from consumers in California, then you’ll need to ensure data security for those customers. This means that certain remote employees who deal with this information may need restricted access, protected network access (like VPN), and secure cloud access. 
  • You should also touch base with your employees to ensure that all of the work functions can be completed as agreed upon; things may change when you get to remote work, but basics should be established. 

Once you do this, you can begin to map out your remote surveillance network. When it comes to ensuring that your monitoring is legal, there are a few steps that need to be taken:

  • Your organization needs to define the monitoring goals and must-haves and then work with the IT department and sysadmins to ensure that the plans are attainable. If your organization operates in a certain industry, like the medical industry, you know you have to follow HIPAA compliance and have a stringent security policy around personal information and medical data. 
  • HR should also get involved so that they can verify that the monitoring solutions are reasonable
  • If you have a legal team, have them set up working docs around what your business can or can’t do for remote monitoring
  • Ensure with your sysadmin that this can be set up, then ask that it is set up
  • Continually monitor your surveillance plan and check in every few months

One sure-fire way to ensure employee monitoring is conducted legally is to implement employee monitoring software operated and monitored by your system admin.

Naturally, your sysadmin will be in charge of monitoring your company’s network, whether you are in-person or remote. Therefore, they should take it upon themselves to configure the network settings and optimize for security.

By SoftActivity Team

May 10th, 2021