Can a VPN log really point to employee slacking?

Yahoo CEO Marissa Mayer cited low VPN usage as a reason to kill telecommuting, but that metric misses an awful lot

Yahoo CEO Marissa Mayer's decision to ban telecommuting has understandably generated a buzz, which has since grown louder after we learned what sparked her decision: She discovered that remote employees weren't logging into the VPN enough. Low VPN usage means low remote-worker productivity, she concluded, which is at least part of the reason she decided to require all employees to start showing up at an office.

Her decision has garnered a mixture of praise from some onlookers alongside plenty of second-guessing and backseat CEO-ing from others. Supporters have commended Mayer for having the technical acumen to check VPN logs, a skill that the majority of CEOs likely don't possess. Critics, however, have argued that VPN logs aren't an adequate tool for measuring worker engagement and productivity -- not to mention Mayer's move strikes an unfair blow to the telework movement.

The reality is, VPN logs can provide at least some evidence as to which workers are pulling their weight and which ones aren't. However, that only works when companies make employees connect via VPN consistently and when supervisors or IT monitor VPN usage on a regular basis.

One of my favorite recent examples of a VPN revealing slacking employees comes from Verizon. Earlier this year, the company revealed how it helped one of its customers, a U.S.-based company, figure out that one of its highly paid developers (dubbed Bob) had been outsourcing his six-figure job to China for months. Bob wasn't even particularly subtle about it; he physically shipped his RSA token to the third-party contractor, enabling the person to log in under his credentials during the workday. The unauthorized VPN connection to Shenyang, China was present in months' worth of log data. Somehow, the scam had been entirely overlooked.

That's one real-world example of how a company can weed out slackers using a VPN log. Sure, there are such obvious questions as, "Why didn't the company's IT team notice the unauthorized connection to China earlier?" and "Why didn't anyone notice that this particular employee was using the Internet to connect to YouTube, eBay, and Reddit all day?" Notably, he did have years' worth of positive performance reviews, citing code that was "clean, well-written, and submitted in a timely fashion," which may have helped him fly below HR's radar and perhaps even his manager's radar. But how did IT miss it?

That leads to Mayer's decision to ban telecommuting, purportedly because she'd found employees weren't connecting to the VPN enough. Critics may rightly argue you can't always measure employee engagement or productivity based on how often they connect to the VPN. For starters, some remote employees simply may not connect to the VPN every day, be it because they don't know it's a requirement, they don't know how, their VPN client isn't properly installed, or they just don't want to. That doesn't necessarily mean they aren't doing their jobs: One can access email, write documents, and perform all sorts of work-related tasks without being connected via a VPN.

Furthermore, workers can connect to a VPN and still slack all the livelong day, as demonstrated by our friend Bob. Anyone who works at a company with lax security and network monitoring could log in to the VPN upon arriving at work, then spend the day playing Candy Crush Saga on Facebook or repinning ridiculous cat pictures on Pinterest without raising any flags.

Back, then, to Yahoo: Were employees not required to connect via VPN? Were they all, in fact, required to, but no one was enforcing the rule? Or did the rules vary from department to department? Whatever the case, Mayer's crackdown on slacking teleworkers is likely part of a greater strategy to boost productivity, which presumably (for Yahoo's sake) will include processes for measuring employee output on criteria beyond "number of hours connected to VPN."

Checking VPN logs can prove useful in tracking down slacking employees, but that's only if employees are forced to use the VPN consistently and if supervisors or IT monitor those logs from time to time (such as when an unauthorized connection to China materializes). If no one is bothering to force employees to use the VPN or to peruse the logs once in a while, that company has more to worry about than unproductive workers; that company is setting itself up to be hacked.
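As an added illustration (not part of the original article or of Verizon's report), here is the kind of periodic log review described above: it totals hours connected per user and flags sessions from a country outside a per-user baseline. The log layout, the country column, and the EXPECTED baseline are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample VPN session log (not real data). Columns are assumptions:
# timestamp, user, source IP (documentation ranges), GeoIP country, session minutes.
SAMPLE_LOG = """\
ts,user,src_ip,country,minutes
2013-01-07T09:02:00,alice,198.51.100.10,US,455
2013-01-07T09:05:00,bob,203.0.113.77,CN,480
2013-01-08T08:58:00,alice,198.51.100.10,US,470
2013-01-08T09:01:00,bob,203.0.113.77,CN,495
2013-01-08T10:15:00,carol,192.0.2.44,US,35
2013-01-09T09:03:00,bob,203.0.113.77,CN,500
"""

# Hypothetical per-user baseline of countries each person is expected to connect from.
EXPECTED = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def review(log_text, expected):
    """Return (hours connected per user, out-of-baseline session counts)."""
    minutes = defaultdict(int)
    anomalies = defaultdict(int)  # (user, country) -> number of sessions
    for row in csv.DictReader(io.StringIO(log_text)):
        user, country = row["user"], row["country"]
        minutes[user] += int(row["minutes"])
        # An unknown user has no baseline, so every session is flagged for review.
        if country not in expected.get(user, set()):
            anomalies[(user, country)] += 1
    hours = {u: round(m / 60, 1) for u, m in minutes.items()}
    return hours, dict(anomalies)


if __name__ == "__main__":
    hours, anomalies = review(SAMPLE_LOG, EXPECTED)
    for user, h in sorted(hours.items(), key=lambda kv: -kv[1]):
        print(f"{user}: {h} h connected")
    for (user, country), n in anomalies.items():
        print(f"REVIEW {user}: {n} session(s) from {country}, outside baseline")
```

In this constructed data the account with the most hours connected is also the only one flagged, which is why hours on the VPN alone say little about who is doing the work.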

This story, "Can a VPN log really point to employee slacking?," was originally published at InfoWorld.com.
