A recent article on CSO discusses whether employee monitoring is valid, suggesting that such internal surveillance is beneficial not only for the company itself, but also indirectly, for the employees being monitored. The latter case can be made easily since internal espionage and data theft can have a major repercussion for the entire company’s well-being–as well as each employee’s continued employment.

Industrial espionage has gotten a lot easier since the old days, when the spy would have to break into a storeroom with a spy camera and take pictures of documents. Since almost all corporate documents (even secret ones) are now electronic, all it takes is the ability to break into a file server electronically, and then email the documents offsite.

Naturally, there’s going to be some backlash, some privacy concerns, and some complaints. So should your business monitor employee email? Everybody’s situation is different, but there are a lot of valid reasons to do so, and if done within the parameters of good practice and stated policy, it can be a beneficial practice. In fact, most thefts of corporate data are perpetrated by insiders–and many times, by trusted insiders. Standard security policy dictates at least some reporting on what data is being accessed, especially if attempts are being made by unauthorized individuals to gain access to very sensitive data. That’s a function of the firewall, and should be done by every company. Others may also monitor how employees are using specific applications, especially applications like instant messaging, web browsers, or web-based email accounts. And lastly, some companies are monitoring whether information is being downloaded, printed, or emailed by employees, sometimes to the extent of imposing regular monitoring of email. Even if the actual content is not monitored directly, employers may want to monitor volume of email, whether employees are using anonymous email services, and whether employees are sending emails with attachments on a regular basis.

A written policy should be created and followed scrupulously, however. Notification should be given that email may be monitored at the beginning of employment, so as to avoid lawsuits.