

03 March 2008
Internet blocking vs. buffering - Barracuda

Which Approach Is Right For Your SME?

In its “2007 Wasting Time Survey,” Salary.com found that employees squander about 20% of their workday on personal Web surfing, chatting, gaming, and downloading content. For both small to midsized enterprises and larger organizations, that’s a lot of their money being spent on Fantasy Football, MySpace, and YouTube.

The rise of personal Internet usage at work can be traced back to when home users typically had slower dial-up connections at home and lightning-fast Ethernet at the office. Even as personal broadband services, such as DSL and cable, are becoming ubiquitous, employees still download music, chat with their friends, and conduct personal business using company assets while on the clock.

The initial solution was to simply block access to offensive URLs, especially ones that served pornography, hate speech, and gambling. Still, financial, news, and shopping sites continued to sap employee productivity. As the Web has matured, the number of interactive sites and applications has exploded, leaving employees spending hours updating their Facebook pages or chatting away on instant messaging when they should be working.

Block Or Buffer
To regain control over employees’ online time, many organizations have locked down their networks with Web filtering and blocking solutions from Barracuda Networks (888/268-4772; www.barracudanetworks.com), Websense (www.websense.com), and Secure Computing (www.securecomputing.com). But as the Web has become pervasive in daily business, many of these solutions, which are based upon whitelists, blacklists, and keywords, hamper legitimate business when they return false positives, limiting employees’ ability to do their jobs.

The next step toward reining in Web usage at work has been to buffer employees’ Internet access. Products such as BeAware Corporate Edition from Ascentive (www.ascentive.com) allow organizations to monitor employees’ surfing and Web-based application usage in real time, capture screens, and produce detailed reports on employees’ online activities and application usage. Similarly, software packages such as Echo from Pearl Software (www.pearlsw.com) and CyberPatrol (www.cyberpatrol.com) offer SMEs tools to monitor employees’ computer usage, whether it be accessing illicit Web sites or misusing peer-to-peer programs.

Most enterprise Web-filtering solutions have incorporated buffering features into their products as more companies want to protect against litigation, data loss, and malware infestations while monitoring their employees’ online activities without putting the brakes on productivity. Web-filtering solutions often provide the ability to give employees access to the Internet during set times, such as lunch and nonworking hours.

Adam Schran, chief executive and founder of Ascentive, believes organizations are wise to allow employees unfettered Internet access for a limited time during the workday—for example, over lunch. He compared at-work Internet usage to taking personal telephone calls; however, unlike phone calls, it’s often hard for co-workers to “overhear” personal Web usage. “We have clients that allow their people to turn off the monitoring for 30 minutes or an hour every day so that employees can send messages to the kids or do personal stuff for a reasonable amount of time,” says Schran.

Similarly, Barracuda Networks has found that some of its customers set up their Web Filter appliances to warn employees rather than block outright. When employees attempt to access Web sites or applications contrary to the defined acceptable use policy, a message is displayed with a reminder that all sites visited are being logged.

“If you’re planning a business trip, it might be OK to visit a travel site, but if you are planning a vacation, maybe there should be a gentle reminder of what the corporate Internet usage policy is all about,” says Dean Drako, CEO and president of Barracuda Networks. His customers want their employees to be productive, to use the Internet, email, and instant messaging.

Chenxi Wang, principal analyst of security and risk management at Forrester Research, doesn’t think that blocking or buffering should be mutually exclusive. “Buffering is basically monitoring and reporting. The question is how much do you actively block and how much do you monitor and log?”

Big Brother
While monitoring what workers do on company time may sound ideal to employers, many view it as an invasion of privacy. “Companies obviously have the right to make sure that their employees are being productive. Blocking sites is much less invasive of employee privacy than using software to read emails or monitor where employees go online,” says Lew Maltby, president of the National Workrights Institute in Princeton, N.J.

Equally offensive to employees is the insinuation that those who manage their time effectively and complete their assigned work are somehow being dishonest by chatting with friends or shopping online with downtime during office hours. “When I’m stuck on hold, I used to pass the time mindlessly surfing the Web until I got through to a live person,” laments a customer service representative whose supervisor reprimanded him for excessive hits on nonbusiness-related sites.

Ultimately, most organizations turn to a blend of blocking and buffering to cover all the bases. “I think organizations would do themselves a disservice if they are using a buffering-only approach. It should be the case that blocking is selectively enforced and real-time, content-based filtering is absolutely necessary,” says Forrester’s Wang.

Security Factor
In addition to curbing wasted time during working hours, companies are turning to both blocking and filtering solutions to cut down on malware disseminated via the Web.

“There is a set of content out there that is clearly malicious and clearly inappropriate; organizations should always block that. There is no other way about it. Then there are sites on the Internet which are not malicious but serve no legitimate business purposes. Individual organizations can make their own decision as to whether to block those,” says Wang.

Barracuda’s Drako lists security as the top reason businesses are now routinely blocking access to social networking sites, followed by productivity, bandwidth, and legal liability.

Consider that in November, according to a Washington Post article, McAfee (www.mcafee.com) found several popular recording artists’ MySpace pages infected with spyware along with malicious MySpace friend requests that delivered a barrage of downloaders, Trojans, and a remote administration tool. While MySpace itself is a legitimate Web site, it has little control over content, including malicious code, that its users post.

Ascentive’s Schran points out that employee monitoring solutions can also reduce internal security threats in addition to Web-based threats. “If your employees are downloading files to a USB device, our software will record that action,” he says.

Maltby considers it unrealistic to expect that employees won’t do any personal Web surfing at work. “Rather than trying to prevent it altogether,” he says, “companies should use software to enforce reasonable acceptable use policies.”

 








      ©2004 Secon Solutions. All rights reserved.