3 Reasons to worry about bossware

by Black Hat Middle East and Africa

The term ‘bossware’ was coined in 2020 by the Electronic Frontier Foundation (EFF). It refers to a range of technologies that organisations use to monitor what employees do on their devices. There’s a wide variety of technologies and use cases at play here, from wearable devices on warehouse workers to GPS cameras used to monitor lorry drivers. The type of bossware we’re going to focus on here is software that monitors employee activity when they’re working from home.

This software might include keyloggers and screen monitoring software (for example, software that takes screenshots or audio recordings throughout the working day). The goal is to track employee activity and keep tabs on where they are – and in particular, whether or not they’re at their desks and actively working on their devices. 

In 2021, research by Digital.com found that 60% of business leaders were already using bossware; and another survey found that more than 90% of employers with mostly remote staff were using it. 

The core goal of bossware is to maintain productivity in a disparate working environment. But bossware also comes with a number of evolving security concerns – so it’s worth considering whether the potential benefits really outweigh the risks. 

1. It might not be as effective as you think 

The first reason to exercise your sceptical brain muscles is that bossware might actually just not be very useful. 

As working from home has boomed in popularity since the pandemic, the notion that your boss is quietly watching what you’re doing has also become increasingly normalised. 

From an employer perspective, bossware tech might seem like a bit of a relief – a way to make sure you’re getting your money’s worth from an employee’s salary even when they’re not in the office. But the reality is that we don’t really know if bossware actually protects productivity at all. 

The aim of bossware technology is to check that an employee is engaged in productive work on their device, and to do this it monitors mouse and keyboard activity. In response, entrepreneurial minds developed technologies that enable employees to simulate device activity in order to deceive bossware into thinking they’re working when they’re not. The use of this trickery has come into focus recently, particularly when Wells Fargo terminated the employment of several members of staff after finding they’d used simulated keyboard activity to pretend they were busy working. 

However, the Wall Street Journal recently reported on an analysis of bossware efficacy by Teramind. Out of one million employees monitored by Teramind (a bossware provider) for business clients, 7% were found to be faking work. But after improving the algorithms used to come up with that finding, the rate of simulation rose to 8% – and Teramind suggested the true rate was ‘probably higher’, because there were many cases that could be, but weren’t definitely, proof of slacking. 

And apart from unreliable data analysis techniques, the actual cost of employees pretending to work (or taking extended breaks) is unclear. Some research suggests that employees who take regular breaks and aren’t tied to their desks add significantly to their own productivity, which has a net positive effect for employers. If this is the case, then bossware that traps employees in front of their devices could actually do more damage than good. 

2. Bossware could become a vulnerability in the case of a data breach

From a security perspective, you want to minimise vulnerabilities across your network to prevent threat actors from gaining access. And bossware has the potential to create new vulnerabilities to be exploited.

Attackers know that bossware captures personal information from employee devices and transmits it to employer devices. So without effective end-to-end encryption in place across all bossware technologies, it does create the potential for sensitive data to be stolen – including employee credentials that could give cyber criminals an entry point into the organisation’s network. 

For this reason, any organisation considering the use of bossware should carefully evaluate whether the benefits outweigh the risks of capturing, transmitting, and storing such sensitive data.

3. Bossware could put organisations on the wrong side of discrimination law

It’s very difficult for employers to take the data they collect from bossware tech and understand it in the context of different employees’ lives. So there’s a real risk that organisations could fall foul of anti-discrimination laws if they act on bossware data that implies an employee has been slacking, and it turns out that employee has protected characteristics.

For example, an organisation might penalise employees for taking breaks, when they were actually undertaking necessary activities relating to a disability; or breastfeeding a child; or any number of other activities that are protected by discrimination laws. 

This means that any action an employer takes based on bossware data must also be informed by other information about the employee’s status and behaviour. An employer should not act on bossware data alone. 

Bossware shouldn’t be an obvious choice

Bossware has strong potential to be bad for both employees and for your organisation itself. While there are cases where it might prove effective as a tool used in conjunction with other processes, there are numerous reasons not to deploy bossware to monitor employee activity. 

It can be bad for business, bad for employees, and bad for security. Instead, building a culture of trust in your organisation, which promotes intrinsic motivation and a sense of ownership from employees over their work, will be more effective for productivity and cyber resilience long-term. 
