Sunday, October 4, 2009

Computerized Time Clocks

Computerized time clocks are a common technology in the workplace. I use a computerized time clock at both my job at home and my job here at the University. Before acquiring my current job at home, I worked at a small store that used a traditional time clock that required that each employee have a card for each week so that our boss could collect and record our hours at the end of the week. Computerized time clocks make this process of logging employee hours more efficient. With computerized time clocks, managers of organizations can simply use software programs to keep track of the hours that employees work and can distribute pay accordingly. For my job at home, each employee has a personal identification number, and when we arrive at work, we enter this number into the computer, and at that time we also select which role we will perform, e.g., maintenance, wait staff, hostess, etc. For my job at the University, my coworkers and I use our student identification cards to “swipe in” to a magnetic card reader.

The owners of this technology expect that the computerized time clocks will protect the integrity and availability of the information that is stored on them. They expect that the identity of the employee, the number of hours that each employee works, and the task that the employee performs is authentic, and they also expect that the employees are consistently able to interact with the system. These expectations are part of the overall expectation that the time clock will be consistent, easy to use, and accurate. Also, as an employee interacting with the system, I would expect that my information would be kept confidential.

An attacker could want to exploit this system in several ways. The most frequent attacker of a system like this would be an employee attempting to make more money than he or she earned for the tasks that he or she performed or the number of hours worked. Other attackers could include competitors who want to shut down operations by either violating the integrity of the information, shutting the system down so that employees could not clock in, or disclosing personal information of employees like bank account numbers, assuming that the time clock software connects to the bank for direct deposit.

The biggest risk inherent to this system is that it is not monitored as thoroughly as traditional time clocks and is more vulnerable to employee dishonesty or tampering as a result. As I said, at my job at home it is the employee’s responsibility to enter into the computer which task he or she performs that shift. Breaching the integrity of this system is as easy as telling the computer that I worked a higher paying job than I actually did every so often. Also, for this organization, the employee identification number is only four numeric digits long, so it would be very easy for other employees or outside attackers to access my personal information.

As a manager who would use this technology, I would mitigate my risks by putting several safeguards in place. To reduce my risk I would either make my employees’ identification numbers longer, or I would require them to enter two forms of identification to clock in. I would also make sure that my employees’ information was protected to ensure that their bank account numbers were not vulnerable to theft. Finally, I would check the information stored by the computerized time clock at regular intervals to protect myself against expensive employee dishonesty.
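
An added example, not part of the original post: one way a manager could run the regular check described above, comparing the role each employee selected at clock-in against the schedule and flagging records that need review. The record layout, pay rates, schedule, employee numbers and the 12-hour threshold are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the original post): hourly rate per role,
# the manager's schedule, and punches exported from the time clock.
RATES = {"hostess": 9.00, "maintenance": 10.00, "wait staff": 12.00}
SCHEDULE = {  # (employee id, date) -> scheduled role
    ("1001", "2009-10-01"): "hostess",
    ("1002", "2009-10-01"): "wait staff",
    ("1003", "2009-10-01"): "maintenance",
}
PUNCHES = [  # (employee id, clock-in, clock-out or None, role selected at clock-in)
    ("1001", "2009-10-01 09:00", "2009-10-01 17:00", "wait staff"),
    ("1002", "2009-10-01 10:00", None, "wait staff"),
    ("1003", "2009-10-01 08:00", "2009-10-02 02:30", "maintenance"),
    ("1004", "2009-10-01 12:00", "2009-10-01 16:00", "hostess"),
]
MAX_SHIFT_HOURS = 12  # assumed policy threshold


def audit(punches, schedule, rates, max_hours=MAX_SHIFT_HOURS):
    """Return (employee id, finding) pairs for a manager to review."""
    findings = []
    fmt = "%Y-%m-%d %H:%M"
    for emp, t_in, t_out, role in punches:
        start = datetime.strptime(t_in, fmt)
        scheduled = schedule.get((emp, t_in[:10]))
        if scheduled is None:
            findings.append((emp, "clocked in on an unscheduled day"))
        elif role != scheduled and rates[role] > rates[scheduled]:
            # The self-reported role pays more than the scheduled one.
            findings.append(
                (emp, f"selected higher-paid role '{role}' (scheduled '{scheduled}')"))
        if t_out is None:
            # Hours cannot be computed; someone must supply them by hand.
            findings.append((emp, "missing clock-out"))
            continue
        hours = (datetime.strptime(t_out, fmt) - start).total_seconds() / 3600
        if hours > max_hours:
            findings.append((emp, f"shift of {hours:.1f} h exceeds {max_hours} h"))
    return findings


if __name__ == "__main__":
    for emp, finding in audit(PUNCHES, SCHEDULE, RATES):
        print(emp, finding)
```

A finding is a prompt for the manager to look at the record, not proof of dishonesty; a forgotten clock-out and a covered shift both show up here.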

7 comments:

  1. I feel the key to any time clock management system, mechanical or computerized, is trust. When you allow employees to interact with a system such as this, you are essentially saying to them that you trust them enough to have them accurately report the work they performed. The integrity of the data coming from this system is a direct result of the honesty of the employee. The biggest safeguard in this system is the conscience of the user.

  2. Since I'm also a student worker at the university, this seems very relevant since I use my ID card to swipe into the system. I really was not aware that they only take the last 4 numbers to identify a person. What I was even told by a friend last year is that all he did was enter the number of hours he worked. This is pretty concerning if some employees are unfairly taking advantage of the system by abusing the identification system to get more money. As important as it is that the employees report their hours fairly, it is also important that their personal information is secure. I agree that the last 4 numbers of identification is not entirely safe. It's almost like using a Caesar cipher with a short key. In response to RR, it is also a mutual trust. The employer must trust his employees to fairly enter the amount of hours they worked, but the employees must also trust the employer in keeping their personal information safe.

  3. I agree with what RR said: trust is the key to any time clock management system. No system will be able to fully ensure honesty on the employee's behalf. However, I think the issue here is the security of the employee's information. Is the employee's personal and financial information stored on the computerized software? If so, hackers would attempt to gain access to this for obvious reasons. If this information is stored in the computerized system, I feel it is an unnecessary risk to take on. Why not stay with the mechanical system? It might take longer and be a little less efficient but the only risk involved is employee dishonesty rather than dealing with employee dishonesty and information security.

  4. Like people said above, really what is important is trust because no matter what system is used, employees can try to find a way to cheat. If employees aren't honest, they will find a way to get around the system and get paid for work they don't do. Along with that, supervision is important to make sure someone is actually working when they are clocked in. If there isn't a supervisor checking it would be easy for someone working on campus to clock in then just leave and come back later to clock out or to get a friend to swipe them in. So the technology is important but so is the physical security.

  5. There are other issues at hand when it comes to time clock management systems, regardless of whether they are computerized or mechanical. Human error is still a problem that does not go away with computerized systems. Human error, whether it is intentional or unintentional, must be regarded when it comes to employees signing in. For example, I know that one problem employers have with both mechanical and computerized systems results from employees that forget to either check in or check out. This affects the integrity of the data and especially with computerized systems can make it look like an employee works either many more or less hours than they actually did and causes managers to have to go back and look at when the employee was scheduled to work.

  6. Timeclocks often seem to require only one identification -- sometimes it's a PIN and sometimes a card. I think requiring employees to swipe a card and input a PIN would be a good way to prevent at least some employee fraud, as well as adding a layer of security to the timeclock system itself.

    This also kind of gets into issues of integrity. If two-factor identification is required for my time to be recognized, what happens when I forget my ID on my desk -- like I do once a month? As it is, my boss can add the hours, but that means that she has access to add or change all of my hours. That brings in another point at which the timeclock data can be manipulated, especially if she leaves her computer unlocked or someone steals her password.

  7. These types of time clocks are great for knowing the timings of all employees with perfect timing.
