  • Shauna

Workin' it from home



So, WTF: Some employers now require software that monitors your phone and computer usage; depending on the tool, it takes screenshots or snaps from your camera at regular intervals (every minute in some cases), watches your keystrokes and mouse movements, and lists the sites you’ve visited and the software you’ve used, and for each activity, how long you’ve spent. These metrics are combined to create a “productivity” score that gets emailed to your boss each day.

These tools are wildly problematic - if for no other reason than that they normalize surveillance and are incredibly invasive. But practically speaking, we don't know much about these companies, their tools, and their security practices. While many of these so-called tattleware companies boast a security program, we’re forced to take them at their word that it’s any good; results for code audits, penetration testing, and bug bounty programs aren’t published. Buggy code is a reality for every piece of software, and the gap between discovering an issue and pushing out the update (and users actually installing the update, *ahem*) can be months or years. That’s a big window for hackers to be accessing your growing pool of data.

Now, honestly, I might be okay with that level of risk if this were the Gap, which knows my preference for A-line skirts and history of office addresses. But, consider the data your company would share via employee monitoring: strategy documents, client data, intellectual property and ideas, calls and messages. Perhaps most irresponsible, employers hand over the intimate details of the lives of their staff; the always-on microphone and video camera, and avatars that reflect your *actual* face in a given moment, keep a log of their faces, their conversations with their children, spouses, and other intimates. That makes targeting a company’s employees much easier; a profile of overheard work-related grievances, financial concerns, and childcare or marital issues would be as nice a gift to a nation-state actor targeting your company as an SF-86. Last week, FBI director Christopher Wray said his agency opened a new case related to China’s targeting of American companies every ten hours. Christmas is coming!

These tattleware companies are the definition of a honeypot - a central point with lots of information about lots of groups. And your company's data is the honey. But you don’t have to be the target to have your data spewed far and wide. It also doesn’t have to be targeted; you could just as easily become the collateral damage of a disgruntled tattleware employee. You have no assurance your data is deleted when your subscription ends, and you have zero legal recourse!

Ack! As you can see, it’s absolutely bewildering to me that any company would take such a risk when there is no evidentiary link between surveillance and productivity. In fact, it seems the tattleware ultimately drives staff in the other direction.

And now, for the WFH! Those prods to get back to work trap employees at their computers. Taking phone calls, texting, and messaging, or just thinking while going for a walk or drawing things out *on paper* would not factor into a productivity score. Tattleware also adds to the trauma, exhaustion and overwhelm employees are experiencing. Overwhelmed brains are slow to learn, process, and produce, and piling on more work and increasing the consequences doesn’t help. On a deeper level, that the software is even purchased betrays how little the company values its employees, and disintegrates the trust the employee may have had in the company.

While the first two make people less productive, the third is an absolute security risk: unhappy, undervalued employees should not be relied on to maintain the security and safety of the company, its intellectual property, its relationships, or its staff. When I was interning in the intelligence community, one of my younger colleagues who felt unappreciated flouted the rules, mapping a route from our office location on his desktop, and putting us all at risk. Losing employee buy-in opens a company up to these intentional or unintentional risks.

Unhappy folks are also likely to leave. Replacing staff could be more harmful to your bottom line than having a few weeks of lower productivity, and an NDA can’t protect against all security concerns arising from messy breakups. Departures also send institutional knowledge - your secret sauce, your strategy, your client lists and relationships - outside of the company on the wings of a person who no longer sees themselves aligned with the company’s mission.

So, if you see your company heading down this path in the new work-from-home culture, you’re not alone. And you don’t have to take the riskier path - implementing these tattleware tools - because while it seems to be the easier fix, like so much of tech it will likely just make things worse, not better, if you're not addressing the foundation.

Start by rethinking your organizational design. I’m fond of NOBL’s organizational charter planning tool, and their explainer on planning in uncertain times. What sticks out is the intentional building of trust into the organization’s culture through communication and transparency, up and down the hierarchy. The Motley Fool is known for this, and their culture blog is full of ideas and anecdotes. To build buy-in, we also believe that decisions must be sourced from your team; the International Refugee Assistance Project’s Becca Heller credits listening to her staff with figuring out how to pivot the organization during the Muslim travel ban. As these changes may compound employee overwhelm, you’ll want to consider a change management plan; we like Forbes’ series on reopening and on change during COVID, and use the tools we got from Change Guides, LLC’s change management certification training. Konterra Group is also here to help you consider the psychological safety of your employees, during COVID and all its incumbent changes.


© 2019 by Security Positive