Hello,
We are an organization of about 100 staff users. We are looking for a program that can be installed on a user’s workstation that will track activity. This is not for “big brother” type monitoring but to create and store a history of activity so if there is ever an incident (like viewing adult sites) that gets reported we can go back and see whether anything happened and what. I know of a few services that do this but wanted to throw this out there to see if anyone is doing something similar so I don’t have to reinvent the wheel.
Since this is a sensitive topic, I’ll go ahead and start by saying my response is going to be direct. Please don’t take it the wrong way.
Constant, mass surveillance of all activity is, in fact, precisely what “big brother” means.
Talk to your legal team about this before moving forward at all. If you do not have a legal team, do not move forward.
Talk to your elder / management team about this before moving forward at all. This is an ethical grey area, and would be a clear way of communicating to your staff that they are not trusted or valued.
Understand the data security implications of recording this information. You will almost certainly capture sensitive, personal information like banking details, private personal communications and more even if you select a product that is designed to identify and expunge this data.
If you determine you still need to move forward, it’s important to have clear policies around this tool. Ensure only a very limited number of people (preferably only HR, and definitely not any third party contractors) have access to the data. Have a clear policy explaining under what circumstances this data can be accessed, and how it will be used. Over-communicate everything about this system and listen to the concerns of your staff. Expect there to be unrest and potentially turnover due to this policy.
And, the most important thing… If you decide to implement this, use a top quality product and maintain active support on it. Keep it updated, keep the data secure and encrypted, and always use strong passwords to protect the data.
I’ve done a considerable number of these projects over the last decade. I’ve learned a lot. Let me condense those lessons.
The complications around this are largely trust and culture, not technical. Purely through their presence, these systems erode organizational trust, security, and effectiveness. If they were to be abused in any way - and they often are - the problem becomes orders of magnitude worse.
I always reply to this request with a multi-hour, in person, meeting where we outline the goals of the org, and the effects of these types of systems on those goals. Normally we don’t proceed further.
If we do proceed, the effective usages of these systems are always surrounded in good ethics, policies, and communication. Here is what this typically looks like:
Build an ethics policy and keep it on file that establishes firm limits on what the system can and cannot be used for. Typically this communicates that it will not be used to snoop, pass judgement, or measure perceived efficiency.
Build an access policy and keep it on file that establishes who can use the system. Typically it is restricted to only the HR manager and IT manager, with the latter being restricted to system maintenance. Never let it be accessible to any of the leadership staff. Never.
Require that all requests for data be made through a visible and documented chain.
Make it an immediate firing offense to break these policies.
Have an all-hands meeting to announce what you are doing and field the ethics concerns which will arise. Be prepared with good answers.
Have each of your staff sign a monitoring consent form. Make it part of your onboarding going forward.
If you aren’t ready to do all of the above, you are setting yourself up to lose more than you could possibly gain. If the above conversations make you uncomfortable, you shouldn’t do it. But if your need is big enough to justify the effort, then you should use a great tool. I like ActivTrak.
Feel free to reach out for more in depth conversations.
While I agree an ounce of prevention is better than a pound of blame, unfortunately no web filter is impervious and on-prem filtering solutions have the added limitation of not realistically working off-network.
Given that you have 100 users, you probably have quite a large bandwidth demand. Have you considered putting in a content caching system?
Something like Squid (www.squid-cache.org) acts as a web proxy, through which all your users access any internet content. Squid stores local material that is frequently accessed, so that it comes off the cache at LAN speed (Gbit/s) rather than WAN speed (Mbit/s). Using a cache will bring a significant reduction in latency and speed up the loading of your users’ web pages. Squid is open source and will run on almost any standard server system.
The additional benefit is that all caches have log files. These record all details about the content cached including who initiated the original request, so you will have the forensic data you need if you want it at a later date.
If you want to add an element of content filtering, then as a first port of call I would set the DNS to use the AdGuard DNS service (How to set up AdGuard DNS). This will restrict some sites, particularly those used in phishing attempts through unscrupulous web advertising, etc. As a secondary level of filtering, consider adding a formal content filter system like DansGuardian (an add-on to Squid).
If you are looking for a commercial solution, I would recommend Blue Coat Systems, who have a very powerful cache and content filtering solution.
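The forensic use of proxy logs that the post above describes, as an added example that is not part of the original thread and not code from the Squid project: a small Python parser for Squid’s default access.log format (timestamp, elapsed ms, client address, action/status, bytes, method, URL, authenticated user, hierarchy/peer, content type) run over constructed sample lines. It answers the question an incident reviewer actually asks, “which hosts did this user or client address request, and which were denied”, and it shows one caveat a reviewer must know: for HTTPS traffic the cache sees only the CONNECT hostname, never the full URL, unless TLS is intercepted. The log lines, usernames and addresses are all constructed for illustration.

```python
"""Parse Squid access.log (default "squid" native format) for incident review.

Added example, not code from the original thread or from the Squid project.
Field order of the default format (one request per line):
  timestamp elapsed client action/status bytes method url user hierarchy/peer content-type
All sample data below is constructed; none of it is real traffic.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default log format (assumption: not real logs).
# "-" in the user field means the request carried no proxy authentication.
SAMPLE_LOG = """\
1700000000.123    245 10.0.0.21 TCP_MISS/200 15342 GET http://www.example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1700000012.456     12 10.0.0.21 TCP_HIT/200 2048 GET http://www.example.com/style.css alice NONE/- text/css
1700000030.789    980 10.0.0.34 TCP_TUNNEL/200 40211 CONNECT news.example.org:443 bob HIER_DIRECT/203.0.113.5 -
1700000045.001    301 10.0.0.34 TCP_MISS/403 512 GET http://blocked.example.net/page alice HIER_NONE/- text/html
1700000050.222     88 10.0.0.21 TCP_MISS/200 7000 GET http://www.example.com/a.png - HIER_DIRECT/93.184.216.34 image/png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass(frozen=True)
class Entry:
    when: datetime        # request time, UTC
    client: str           # client IP address
    user: str | None      # proxy-authenticated user, None if the field was "-"
    method: str
    host: str             # hostname only; for CONNECT this is all the proxy ever sees
    url: str              # full URL for plain HTTP, "host:port" for CONNECT (HTTPS)
    status: int
    action: str           # Squid cache action, e.g. TCP_HIT, TCP_MISS, TCP_TUNNEL


def host_of(method: str, url: str) -> str:
    """Extract the destination host; CONNECT lines are 'host:port', not URLs."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line: str) -> Entry | None:
    """Return an Entry for a well-formed line, None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user = None if m["user"] == "-" else m["user"]
    return Entry(
        when=datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        client=m["client"],
        user=user,
        method=m["method"],
        host=host_of(m["method"], m["url"]),
        url=m["url"],
        status=int(m["status"]),
        action=m["action"],
    )


def parse_log(text: str) -> list[Entry]:
    """Parse every line, silently skipping malformed ones (count them separately if needed)."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def activity_for(entries: list[Entry], subject: str) -> list[Entry]:
    """All requests attributable to a username or, for unauthenticated lines, a client IP."""
    return [e for e in entries if e.user == subject or e.client == subject]


def hosts_visited(entries: list[Entry], subject: str) -> dict[str, int]:
    """Count of requests per destination host for the given user or client address."""
    return dict(Counter(e.host for e in activity_for(entries, subject)))


def denied_requests(entries: list[Entry]) -> list[Entry]:
    """Requests the proxy or upstream refused (HTTP 403), the usual filter-hit signal."""
    return [e for e in entries if e.status == 403]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for who in ("alice", "bob", "10.0.0.21"):
        print(who, hosts_visited(log, who))
    for e in denied_requests(log):
        print("denied:", e.when.isoformat(), e.user or e.client, e.url)
```

Two design points matter for the forensic use case. First, attribution is only as good as the user field: without proxy authentication every line carries “-”, and you fall back to the client IP, which on a DHCP network is not a person; the parser deliberately accepts either. Second, the CONNECT line for news.example.org shows that a plain cache records only the hostname and byte count of an HTTPS session, so “which page” is unanswerable for TLS traffic from the log alone.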
Just quickly revisiting this thread that I started a year ago. Could you briefly tell me with a quick reply of “yes” or “no” whether your church is using any sort of software to track what employees are doing on their computers?