The bossware debate

Issue 6 2023 Information Security

Carey van Vlaanderen.

Employee monitoring, also called ‘bossware’ or ‘tattleware’, is more popular than ever. Bossware is used to describe various tracking tools to monitor employee activity. It is mostly used to track productivity and mitigate risk by monitoring email content, browser history, location, app usage and phone use through software, webcams, CCTV, GPS, fitness devices, and access control hardware.

Increased remote working, driven by the pandemic, has seen around 60% of companies with remote workers implement some form of bossware. Over half (53%) of those companies have found that workers are spending three or more hours per day on non-work activities.

Additional studies conducted support these findings. One study reported that up to 40% of employee internet usage was not work-related, while global analytics firm, Gallup, estimates that disengaged employees cost the world $8,8 trillion in lost productivity annually.

Bossware can help employers spot productivity issues and is often also used to monitor security. Between 88-95% of data breaches are caused by employee errors such as recycling passwords, clicking on links in phishing emails, or failing to update security patches. Humans are indeed the biggest threat in the cybersecurity space, and bossware can shine a light on areas where security training and awareness may be lacking.

“While bossware could be one way to boost productivity and examine security issues, it requires some forethought,” says Carey van Vlaanderen, CEO of ESET Southern Africa. “If implemented properly, bossware can help to protect your company against security and legal risks, but it should never be considered a replacement for robust security software and practices. Employers should, nonetheless, still respect the privacy of employees and be wary of potential privacy concerns that could demotivate employees and damage your relationship with them.”

There are several benefits to bossware, including:

• Discovering workplace practices that hinder productivity.

• Identifying tasks that could be automated.

• Building a fairer workplace by ensuring equal duties.

• Mitigating security risks.

• Monitoring employee stress levels.

There are also some potential cons, such as:

• Limited insight into time spent problem solving and on non-digital tasks.

• Increased performance pressure on employees.

• Privacy and legal concerns.

• Low employee morale due to feeling mistrusted or undervalued.

Legal and ethical implications

In South Africa, employee monitoring is mostly legal as long as the employer complies with certain aspects of the law. The two applicable laws are the Protection of Personal Information Act (POPIA), which requires that an employee must be informed if they are being monitored, and the Regulation of Interception of Communications and Provision of Communication-related Information Act (RICA), whereby a business may only intercept communications as it relates to the business and during the carrying on of business.

So, employers may not access or seek access to employees’ private email or social media accounts, for example, or monitor them after hours. Typically, employers also stipulate any monitoring terms in the employment contract so that it is agreed upon by both parties in writing before any work commences.

Just because something is legal, however, does not mean it is always ethical. Van Vlaanderen says that employers should take care to ensure monitoring is proportionate and does not unnecessarily intrude on the lives of employees. “Take time to outline a framework that stipulates the extent of the monitoring and the reasons for tracking those activities. Ensure employees are aware of any monitoring and how it may be used and encourage them not to conduct personal affairs on work devices.”

“Good policies,” she says, “will strike a balance between business demands and privacy concerns. Most importantly, transparency and dialogue will be key in maintaining trust between employers and employees, as is ensuring that any collected data is safe and only available to authorised users. Remember that monitoring on its own is also not enough – whether your concerns are security or productivity. Regular training, clear guidelines, and a robust software framework should always be the priority.”

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Time is of the essence
Information Security
Ransomware attacks are becoming increasingly common. Yet, many individuals and organisations still lack a clear understanding of how these attacks occur and what can be done to secure their data.

All aspects of data protection
Technews Publishing Editor's Choice Information Security Infrastructure AI & Data Analytics
SMART Security Solutions spoke to Kate Mollett, Senior Director, Commvault Africa, about the company and its evolution from a backup specialist to a full data protection specialist, as well as the latest announcements from the company.

The song remains the same
Sophos Information Security
Sophos report found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks.

How hackers exploit our vulnerabilities
Information Security Risk Management & Resilience
Distractions, multi-tasking, and emotional responses increase individuals’ vulnerability to social engineering, manipulation, and various forms of digital attacks; 74% of all data breaches included a human element.

Projections for 2024’s Advanced Threats Landscape
News & Events Information Security
Kaspersky Global Research and Analysis Team (GReAT) experts offer insights and projections for 2024 in the Kaspersky Security Bulletin, with a focus on the evolution of Advanced Persistent Threats (APT).

Veeam and Sophos in strategic partnership
Information Security
Veeam and Sophos unite with a strategic partnership to advance the security of business-critical backups with managed detection and response for cyber resiliency, and to quickly recover impacted data by exchanging critical information.

Unmasking insider risks
Information Security
In today’s business landscape, insider risks can manifest in various forms, including data theft, fraud, sabotage, insider trading, espionage, whistleblowing, negligence, truck hijacking, goods robbery from warehouses, and more.

When technology is not enough
Information Security
[Sponsored] Garith Peck, Executive Head of Department for Security at Vodacom Business, writes about the importance of creating a cybersecurity strategy in a world where threats never sleep.

Identity verification and management trends
Technews Publishing Information Security
Insights into what we can expect from identity fraudsters and the industry next year, ranging from criminal exploitation of AI and digital IDs to multi-layer fraud protection and the need for more control over personal information sharing.

From vulnerabilities to vigilance
Information Security
It is an unfortunate reality that generative artificial intelligence (GAI) has been embraced by cybercrime organisations, resulting in drastic changes in attack methods, strategies, and technologies, says Stephen Osler from Nclose.