The use of social networks by staff and the maintenance of corporate information on social Websites have created four main problems: productivity issues, misuse of company resources, increased liability, and increased security risk. First, the time employees spend on personal Web surfing, especially on addictive Websites such as Facebook and YouTube, can dramatically impact productivity. It has been found that people spend more time on Facebook than any other site.
Second, the misuse of company resources through excessive bandwidth use is crippling some networks, as employees increasingly download and store large amounts of personal material. This can be expensive and slow down the entire network, especially for hosted applications such as peer-to-peer software and instant messaging (IM).
Third, liability from inappropriate content on the network (most commonly pornography) can also create a hostile work environment and ultimately result in a lawsuit. These types of hurdles incorporate a wide range of cultural, social, legal and commercial concerns. Finally, malicious Web links are increasingly targeting social Websites for personal data or to infect servers, causing downtime and crashing of the network in some cases.
Organizations are now beginning to ask, “What kind of tools do we need to monitor the Internet for security and control?” and “How do we best manage employee access and time on social Websites?”
Minimizing and mitigating these risks depend on convincing staff to tread carefully online, and putting controls in place to detect attacks early. However, implementing Web content control can seem a daunting task. To the uninitiated, it is an unlikely marriage of the very different disciplines of network administration and human resource management (HRM). With a little forethought, however, it becomes straightforward and very effective. The following are five steps aimed at balancing the needs of network integrity and your organization’s need to cover its back legally with the recognition that the Internet is part of employees’ everyday life.
Step No. 1: Agree on your philosophy
Before writing the policy, first determine your goals and company philosophy for content control and acceptable Internet behavior. At a minimum, you need to keep malware and inappropriate content off your network.
This generally entails blocking access to Websites that are both inappropriate and a common source for malware (such as pornographic Websites). The thinking here is that, if blocked, no reasonable employee is going to raise his hand in a company meeting to ask why he can no longer access Playboy.com.
A company that imposes only these minimal restrictions has been dubbed “Big Family.” The philosophy can be summed up as follows: “We consider our employees to be part of one big family. We trust them to manage their own time and commitments. We grant them a lot of latitude in how they meet their objectives.”
On the other extreme of the continuum is what’s termed “Big Brother.” This company blocks all Websites except for those work-related sites explicitly approved and added to the pass list. The philosophy is: “Our employees are being paid to do a job, and we expect them to be productive at work. We do not want to see them staying late because they did not accomplish their tasks during the day. We definitely do not want to pay overtime because they were surfing the Internet for personal reasons.”
Between Big Family and Big Brother, there is a broad spectrum across which companies establish acceptable and unacceptable network use. Two common practices are to provide wider access based on time of day, such as during lunch, or by category of worker. In a law firm, for example, lawyers and research associates often need more access to the Web for research than do administrative staff.
Step No. 2: Implement monitoring and Website filtering
Once you have agreed on the extent of your policy, you need to identify a technology that will support your philosophy and business requirements. Management and network administrators need to address and agree on the following:
1. Will everyone fall under the same policy or do some employees require broader access to the Internet than others?
2. Do policies need to be adjusted at different times of the day?
3. Is filtering HTTPS (HTTP Secure) traffic, a common Web filter workaround, important?
4. In addition to Web filtering, do restrictions need to be put on peer-to-peer applications such as IM?
5. Is there a need to integrate with Active Directory?
6. Do any of our computers that are shared by multiple users require different policies based on log-in?
Bear in mind, Web filtering must take into account the extent to which employees need to use the Web for work purposes. Essentially, it’s important to decide whether restrictions should be implemented by using a system of blacklisting (that is, employees can visit all Websites except those specifically banned by name or by predefined category) or whitelisting (that is, all sites are banned except for a few that are useful for work), as might be the case in a retail or clerical environment. There are tools available to enable the network administrator to adapt filtering and blocking depending on requirements.
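The following added example (not from the original article or from any vendor product) shows how the choices above turn into a filtering decision: a Big Family blacklist policy and a Big Brother whitelist policy, a lunch-hour window that widens access by time of day, and a per-group lookup for the law-firm case. The category table, hostnames and group names are constructed for the example; a real deployment would take categories from a vendor feed and groups from Active Directory.

```python
from dataclasses import dataclass
from datetime import time
from urllib.parse import urlsplit

# Constructed stand-in for a vendor URL-category feed (hostname -> category).
CATEGORIES = {
    "facebook.com": "social",
    "youtube.com": "video",
    "law-library.example": "research",
    "intranet.corp.example": "work",
    "known-bad.example": "malware",
}

@dataclass(frozen=True)
class Policy:
    mode: str                 # "blacklist" (Big Family) or "whitelist" (Big Brother)
    categories: frozenset     # banned in blacklist mode, permitted in whitelist mode
    lunch_categories: frozenset = frozenset()   # opened only during the lunch window
    lunch: tuple = (time(12, 0), time(13, 0))
    always_block: frozenset = frozenset({"malware", "adult"})  # floor every policy keeps

# Hypothetical policies per category of worker (the law-firm example in the text).
BIG_FAMILY = Policy("blacklist", frozenset({"adult"}))
BIG_BROTHER = Policy("whitelist", frozenset({"work", "research"}),
                     lunch_categories=frozenset({"social", "video"}))
GROUP_POLICIES = {"lawyers": BIG_FAMILY, "admin": BIG_BROTHER}

def categorize(url):
    # Match on hostname only: for HTTPS the gateway sees the server name but not
    # the path unless it decrypts the session (the HTTPS question in step 2).
    host = (urlsplit(url).hostname or "").lower()
    for domain, category in CATEGORIES.items():
        if host == domain or host.endswith("." + domain):
            return category
    return "uncategorized"

def decide(policy, url, now):
    """Return ("allow" | "block", category) for one request under one policy."""
    category = categorize(url)
    if category in policy.always_block:
        return "block", category     # malware/inappropriate: blocked under any philosophy
    start, end = policy.lunch
    if start <= now < end and category in policy.lunch_categories:
        return "allow", category     # wider access by time of day (lunch)
    if policy.mode == "blacklist":
        return ("block" if category in policy.categories else "allow"), category
    return ("allow" if category in policy.categories else "block"), category

def decide_for_group(group, url, hour, minute=0):
    # Per-group lookup (category of worker); takes clock hour/minute for convenience.
    return decide(GROUP_POLICIES[group], url, time(hour, minute))
```

Note that an uncategorized site is allowed under the blacklist policy and blocked under the whitelist policy, which is the practical difference between the two philosophies for the long tail of sites no feed has classified.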
Once your organization’s specific business policies regarding Web filtering are settled, you should put a monitoring process in place. When it comes to monitoring the Web access and behavior of employees, one of the most efficient strategies is to regularly review reports of network users’ online activity, in a random order.
Step No. 3: Write a policy
Once you have decided what is and isn’t acceptable use, the creation of a written policy is fairly straightforward. However, there are three best practices to keep in mind:
1. Use clear and nontechnical language
Nontechnical users, for example, are often unaware of how their activities impact bandwidth, how attachments over Web mail might bypass corporate virus scanning, and how downloading a free screen saver can infect their computer with malware.
2. Keep it short
The shorter the policy, the greater the chance that it will be read, understood and referred to in the future.
3. Stress the spirit of the law
Base your policy on simple, inviolable principles that can be seen as reasonable by both technical and nontechnical staff members. At a minimum, those principles should include the following: identifying Websites that are inappropriate (for example, violent, pornographic or hate Websites), setting the amount of time that is acceptable for personal Internet use, noting that the posting of confidential material is prohibited, defining Websites that should be avoided because of security risk or excessive demand on network bandwidth, and clearly stating which activities employees should refrain from.
Keep in mind that the Internet is changing rapidly and it would be tedious to rewrite the policy every time a new technology or phenomenon such as Facebook presents itself as a threat. But by clearly articulating a small set of guiding principles, you will avoid having to constantly revisit and rewrite.
Step No. 4: Educate employees
Staff members who are aware of Internet threats and network security are more likely to accept and comply with company policies, make intelligent decisions when surfing the Web, and avoid malware traps. Unsophisticated users may not understand that having multiple IM tools or downloading videos from YouTube can dramatically impact bandwidth.
Although it is often undesirable to overplay the “Big Brother” hand, you will usually find that notifying employees that their online actions are subject to monitoring will prevent the vast majority of incidents.
Step No. 5: Manage incidents
Along with a clear policy, it’s important to have a plan for dealing with incidents. You should experience fewer problems if everyone understands the policy and the consequences for breaking the rules.
I recommend having various levels of discipline to manage contravention of the policy. When a potential problem is noted, the administrator should take steps to monitor that user’s activity more intensively over a set period of time. More serious infringements should attract a written, documented warning; cases such as illegal pornography need to be dealt with immediately, because failing to do so can result in litigation should the employee resign or be dismissed. The importance of employee awareness of the exact disciplinary structure and the necessity of maintaining documentation cannot be stressed enough.
Finally, it’s vital to remember that technology and the Internet are evolving rapidly. Given the increasingly social nature of the Web, network managers need to stay on top of trends, monitor network activity, and be prepared to adjust the policy when new threats emerge. I recommend that the policy be reviewed at least biannually to address emerging challenges.
Implementing Web content control can be straightforward and does not need to take much time. By putting these measures in place, companies greatly decrease the odds of their networks being compromised, reduce their liability and improve employee productivity.
Bob Walters is President and CEO of Untangle. Bob began his career landing F/A-18 Hornet fighter aircraft on aircraft carriers. Today, Bob leads Untangle. Most recently, Bob landed Teros, his application security startup, at Citrix Systems via acquisition. Along the way, Bob has contributed in executive and general management positions at a number of top startup and public companies including Securant Technologies (now part of RSA Security), Linuxcare, Informix Software and Red Brick Systems. Bob is a published expert and invited speaker in Internet security, data warehousing and data mining, entrepreneurship and leadership. He is an honors graduate of the U.S. Naval Academy in Annapolis and was a Guggenheim Fellow at Princeton University. He can be reached at firstname.lastname@example.org.