Why Enterprises Shouldn't Limit Web Traffic

By Don Reisinger  |  Posted 2009-06-18

Why Enterprises Shouldn't Limit Web Traffic

It's become commonplace in the business world to limit employee Web traffic. At many firms, regardless of their industry or size, IT managers are being asked to block access to some sites and in some cases, limit the amount of time users spend on the Web. By doing so, they can limit the impact malware could have on the network as employees spend time surfing the Web. They also believe that the more employees visit their favorite sites and check their email, the less productive they are.  And that translates to poorer business performance.

To some, that argument might make perfect sense. And it's only bolstered by the recent report that over 40,000 Websites have been compromised in a mass attack.

According to researchers at Websense, an attack called Nine-Ball has targeted legitimate sites and redirected users accessing those pages to a malicious site.  The attack is the result of a Trojan that used FTP credentials to input automated bots on the sites. When a Web surfer visits a site that has been infected, they are brought to a page that contains the exploit code. The person is then pelted with drive-by attacks that attempt to exploit Microsoft, Adobe Reader, and QuickTime vulnerabilities. So far, Websense said the Trojan has a very low detection rate.

For some companies, that's all they need to know. There are real threats on the Web and if an employee even makes one mistake, they can be subject to malware that could put the entire network in danger. The end result could be lost, or worse, stolen data.

But perhaps that solution is nothing more than a quick fix to a much broader issue. The reality is this: more malware than ever is affecting company networks, even though the enterprise is doing everything it can to limit the amount of access employees have to the Web. Doesn't it stand to reason, then, that if blocking their access was such a smart move, it would actually work to limit company-wide outbreaks?

Companies don't need to limit the amount of access employees have to the Web -- they need to learn how to more effectively deal with the threats.


Nowhere is that more evident than in employee education. Simply blocking an employee's access to certain sites won't help the company stay safe. Malware is a real issue today because most people don't know what they have to do to keep themselves safe. Does a company's employee know not to open attachments from someone using an unknown e-mail address? Do they know not to visit untrustworthy pornographic sites? Do they know not to click on every link they see without making sure they're being redirected to the desired page? Do they know what phishing is and why it's such a major concern? Do they have apps installed on their computer that are designed to warn them about possibly malicious sites? And do they know how to react to those warnings?

These are some basic questions that most companies would probably answer "no" to. Most companies don't do enough educating of their employees. And in general, they simply look towards the easy solution -- blocking Web traffic -- instead of looking for the smart solution: educating employees on the perils of the Web. If employees don't know any better, how can they be expected to stay safe when faced with an attack like Nine-Ball? That Trojan uses trusted sites to gain access to a person's computer. Only education can stop it.


It should also be noted that the idea of productivity slipping due to more access to the Web is a red herring. Whether companies want to admit it or not, they can't block every Website. And no matter how hard their employers try, employees will gain access to sites that the company missed. And the worst part is, they'll be even less productive.

Employees are spending more time trying to find ways around the firewalls than working. If they had access to the sites they wanted to see, they'd go there and get back to work sooner.

Along that same line, it's important to remember that productivity can actually increase by allowing it to decrease. Yes, that might sound counter-intuitive, but hear me out. 

It's December and employee A is really behind on their holiday shopping. They want to get a few things for the kids at work today, but when they get there, they realize they can't access the online store they wanted to buy the products from. So, they decide to go on their lunch hour to a brick-and-mortar to get the products. The only trouble is, the lines are long, traffic is bad, and whoops -- that one-hour lunch break just turned into a two-hour lunch break.

It gets worse. That same employee is so far behind on their holiday shopping that they have no other option -- they need to take a Friday off to make sure it's done before the holidays. That's eight hours of lost work all because the employee didn't have a chance to buy gifts online at work. Buying gifts online would have taken no more than one hour. That company just lost eight hours. It's simple math.

And that's the biggest issue with the enterprise blocking Websites. It might make sense at first glance, but if we take a rational look at things, it's actually clear that it's quite the opposite -- firewalls cause more headaches.

So, maybe it's time companies stop focusing on limiting employees and start figuring out how to make them happier and thus, keep them working. Running scared isn't the best option. Freedom and education is the business world's best bet.

Rocket Fuel