From Ernst & Young’s 2014 Digital Australia: State of the Nation 2014 report, it was found that:
As a private investigator who sees the fallout from lax workplace policies every day, my advice regarding BYOD policies is simple: avoid them. From a risk mitigation perspective, not only should employees be discouraged from using their own devices at work, but workplace policies should ideally prevent work being done by employees on any personal device.
Let’s be honest, the role of our HR departments has become grossly more complicated by the digital age. Once the domain of after-hours corridors and cubicles, workplace harassment is now online and can be a 24/7 proposition with perpetrators using email, Facebook, Twitter and Skype to stalk, defame or threaten colleagues.
Additionally, the digital era has opened up a whole new world to scorned employees wanting to seek revenge. What was once a scathing rant at the pub can now become a fully-charged online campaign to destroy the reputation of an employer or business. So how do employers protect themselves, their business and their staff?
The first step to workplace security always has been and always will be risk prevention. But the second step, and this is where it can get more complicated, needs to be considering what plan of action may be utilised when something does go wrong.
It’s hard enough to repair the damage done by an employee who sets out on a malicious campaign of blackmail, bullying or defamation. No one needs the added difficulty of getting evidence from a device the employer has no lawful access to. If employees need to carry out work outside of the office, company-owned digital devices with the requisite security level should be provided and work should be carried out on them alone. This way, if an employee’s behaviour becomes problematic, there may well be evidence available.
Your employees are often going to have access to important and sensitive information about your business, no matter what device they’re using. That being said, BYOD policies will alter the investigative options available if intellectual property is breached or information is stolen.
If an employee breaches company confidentiality or intellectual property by emailing or otherwise copying sensitive documents, there may well be a digital trail left on the device from which the emails were sent. If the employee owns the computer on which untoward activity took place, access to the hardware or the identification of an unfamiliar IP address may only be made possible through expensive court orders and only in certain circumstances.
In short: no, they shouldn’t. While the use of devices owned by the employee can make accessing important evidence more difficult, allowing the personal use of websites at work can actually have a positive effect.
Permitting employee use of personal websites on work devices helps build up a digital character and habit profile that can help investigators in their evidence gathering – if ultimately required. Having any background information on an antagonistic employee, such as what social media platforms he or she favours, or what linguistic patterns the employee adopts, can be helpful when mitigating a potential threat.
In fact, while employers shouldn’t allow work to be performed on personal devices, they should encourage activity that helps them build a profile of employees’ personal devices and accounts. Asking employees to carry out certain non-sensitive tasks at the point of employment and at subsequent scheduled points in time from home can help facilitate this. If the whole profiling exercise is configured properly, the employer will ascertain information such as what ISPs the user uses, whether the IP addresses an employee uses are static, what email and social media accounts the employee uses, what browser the employee uses on a home computer, what operating system is in operation and so on.
The gathering of employee information must be in accordance with relevant privacy law. Legal advice should be sought by employers to ensure they understand the requirements.
Employees usually have the right to know when their computer usage is being monitored, just as they usually have a right to know when a CCTV camera is filming them. Failure to properly inform your employees of your surveillance could leave you liable to a sanction.
No one wants to feel micromanaged or spied on by their employer. And no risk mitigation policy should have this as its objective. Workplace security, surveillance and online profiling need to have as their ultimate goal the protection and care of all employees and the business as a whole. Employers need to clearly communicate to their employees how online monitoring will occur, how long information will be stored for, who will have access to it and how it helps to create a financially and emotionally secure workspace for everyone.
Security expert and owner of one of Australia’s leading home and commercial security providers, Calamity’s Daniel Lewkovitz, regularly provides advice to businesses when it comes to the installation of CCTV in the workplace. For him, it’s important that the positives of heightened security measures are properly communicated to employees. “I would argue that cameras protect employees as much as employers and customers. Whilst cameras typically prove someone did something, they can also disprove it – which can assist in protecting employees who are falsely accused of something they didn’t commit,” he said.
Lewkovitz’s message is relevant to online monitoring, too. A rogue employee may choose to attack through false accusations. That online workplace profile could be the evidence that helps to protect the reputation of an innocent employee.
Yes. According to Sydney criminal lawyer, CM Lawyer’s Steve Kassem, an employer “may be responsible for harassment that occurs in the workplace (or in connection with a person’s employment), unless it can be shown that ‘all reasonable steps’ have been taken to reduce this liability. Implementing an internal system and updating the organisation’s policies and procedures for dealing with discrimination/harassment at the outset is critical.”
Kassem also added that it’s important for employees to document both the offending acts and their employer’s response upon receiving the complaint, such as whether or not the employer provided counselling services or spoke to the offender.
Even the most switched-on businesses are naïve when it comes to online workplace security. The mindset is reactive, not proactive. It’s very much “now something has happened, I have to deal with it” rather than “if my business is successful long-term, it’s ultimately just a matter of time until I am negatively impacted”. Plenty of employers will escape unharmed by menaces from employees, but those who don’t will feel their full effects, and all fail to realise just how detrimental this can be. So what should they be doing, and how can a private investigation firm like Lyonswood help?
Penetration testing and network human risk monitoring are the proactive steps designed to minimise your workplace IT risks. A qualified investigative team can implement a platform suitable for your business, helping to identify and minimise the existing vulnerabilities and then formulating a plan of defence.
In most cases, however, you’re most likely to seek out a private investigator once an incident has occurred and a remedy needs to be sought. When this happens, a private investigator and a computer forensic technician can be employed to establish any available evidence of an untoward employee’s activities. In order for this to be properly performed, it’s imperative that the suspected device is isolated and left untouched until the private investigative team has examined it. Now, imagine how much more complicated that gets if the device in question is a personal phone, tablet or website that you have no lawful right to access.
Have a workplace investigation you want help with? From online investigations to workplace bullying, incident investigation and harassment (be it online or off), Lyonswood Investigations and Forensic Group can help. Click to speak to a private investigator today. YOUR CONFIDENTIALITY IS ALWAYS 100% GUARANTEED.