Best Practices for Effective URL Filtering and Monitoring
Employee abuse of an organization’s Internet access -- from running outcall services to illicitly selling a company’s products on eBay -- illustrates why URL filtering and monitoring matter. Enterprises cite inappropriate content, productivity concerns, and lost bandwidth as reasons to monitor their employees’ Web use.
What’s the most inappropriate thing your employees could do with network resources? To find out, a recent survey asked 400 RSA Conference attendees for their best misuse-of-computing-resources anecdote.
The winning incident involved an employee who not only used his work PC to manage an eBay store, but dedicated the store to selling his company’s inventory, illicitly. Other cringe-inducing stories included an employee who ran an outcall business from his company PC, plus an IT-savvy staffer who tasked a company server to run his gambling site. Follow-up research found the gambling site catered solely to internal employees.
Horror stories of misguided employee-entrepreneurs aside, of course, most staffers don’t abuse computing resources, flagrantly or otherwise. Most companies, however, aren’t taking any chances. According to Orange, Calif.-based 8e6 Technologies, which sells URL monitoring and filtering technology, at least 90 percent of large enterprises and 50 percent of small companies in the United States now monitor and filter their employees’ Internet access.
Monitoring technology, however, isn’t a cure-all, and if deployed carelessly can compromise corporate culture. Hence, companies need to take steps to constantly ensure that any monitoring is effective and that employees—senior executives included—know exactly what types of behavior are and aren’t allowed, no matter the filtering technology at work.
According to a survey conducted by 8e6 Technologies, the primary reasons companies use Internet filtering and monitoring are to block inappropriate content (44 percent of companies), control productivity (32 percent), and preserve network bandwidth (23 percent). Such efforts aren’t just academic: a third of IT managers say they must provide senior managers with detailed Internet usage reports, and 17 percent of IT managers generate such reports weekly.
What constitutes inappropriate content, a lack of productivity, or a poor use of network bandwidth? Answering that question comes down to answering another—“What is your firm’s character and personality?”—says David Smith, chief operating officer of Burstek, part of Burst Technology Inc. in Bonita Springs, Fla.
Another question: how much should companies disclose about any in-place controls? “Some companies are very secretive about what they do to their employees, about revealing how much filtering and what kind of filtering they do, and I think that’s wrong,” says Smith. “We here—and many firms also—have a written agreement that basically spells out the firm’s philosophy about use of the Internet, what we filter, and why we track.”
Creating a written security policy that defines acceptable use of computing resources—before filtering any Internet use—is critical. Such a policy helps employees do the right thing and protects the employer. For example, if companies don’t define what constitutes an inappropriate use of computing resources—accessing adult Web sites, for example—they may not have legal recourse to sanction an employee who inappropriately accesses such sites at work.
Forming an Acceptable-Use Committee
When writing an Internet acceptable-use policy, many factors must be weighed, since what’s appropriate for one institution may produce a productivity gridlock at another. That’s why Smith recommends forming an Internet acceptable-use committee to gather multiple, relevant viewpoints. “I’m not a big fan of committees—call it a focus group, action group, whatever,” he says, but the important thing is “to populate this group with all levels and parts of the organization.” The group then hammers out an Internet acceptable-use policy.
To help the committee set policies, provide its members reports on current Internet usage so they can find problems they might not have thought about, or discount hypothetical issues. URL filtering and monitoring technology can help generate such reports.
When assembling an Internet use committee, diversity rules. For example, a committee in an educational institution might feature the principal, the head of human resources, someone from the legal team, and the head of IT. As Beverly Lambright, director of marketing at Burstek, notes, “They’re all going to have different reasons for monitoring different behaviors and blocking different sites.” For example, the IT executive may want to set a per-employee quota on allowable network resources consumed per second, to block people who hog bandwidth by streaming media. Meanwhile, the legal representative may specify exactly which types of content they want to block, while HR designates the hours it wants certain filters to be active, while also writing the policies for people who break the rules. Each group will have different concerns, yet they will need to ultimately agree on an approach.
While written policies are one part of the acceptable-use equation, automated enforcement is another. Automation is effective not just for monitoring employees but also their PCs. For example, if monitoring software sees spyware or malware attempting to phone home, it can alert administrators, the end user, or even temporarily disable the connection. Similarly, such software can also block more expert users’ attempts to run peer-to-peer software, access Web proxies to disguise their browsing, or use prohibited voice over IP services.
While filtering software can block known-bad URLs, it can also watch for other misbehavior. For example, take a not-uncommon educational problem: the user who tries to “find links to porn sites that are not blocked,” notes Paul Myer, president and chief operating officer of 8e6 Technologies. To evade filters, students often enter porn-related terms in a search engine, then click through all the resulting links to find not-yet-blocked sites. Some monitoring software can detect such behavior and assess content on unknown pages.
For unknown sites found to violate acceptable-use policies, one popular threshold is a “three strikes and you’re out” approach, resulting in disabled network access for a period of time. While that may not seem aggressive enough for corporate policymakers, it can be a realistic response for educators, especially when signaling prohibited behavior to anonymous users.
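The enforcement rules sketched in the preceding paragraphs (a per-employee bandwidth quota, a time window in which a category is allowed, a category blocklist covering Web proxies and peer-to-peer sites, detection of searches for prohibited terms, and a “three strikes” lockout for a period of time) can be combined into a small policy engine. The following is an added example, not code from the article or from any vendor it mentions; the category database, the log format, the prohibited search terms and the quota and lockout values are all constructed assumptions standing in for what a real product would load from its own database and policy settings.

```python
"""Minimal acceptable-use enforcement engine (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Assumption: a tiny host -> category map standing in for a vendor URL database.
CATEGORY_DB = {
    "casino.example": "gambling",
    "adult.example": "adult",
    "hideme.example": "proxy-avoidance",
    "tracker.example": "p2p",
    "video.example": "streaming",
    "news.example": "news",
    "search.example": "search",
}
BLOCKED_CATEGORIES = {"adult", "gambling", "proxy-avoidance", "p2p"}
STREAMING_ALLOWED_HOURS = range(12, 14)      # assumption: HR allows streaming over lunch only
PROHIBITED_SEARCH_TERMS = {"porn", "casino"}  # constructed list for the example
STRIKE_LIMIT = 3                              # "three strikes and you're out"
LOCKOUT = timedelta(hours=1)                  # assumption: access disabled for one hour
BYTES_PER_USER_PER_DAY = 200 * 1024 * 1024    # assumption: per-employee daily quota


@dataclass
class UserState:
    strikes: int = 0
    locked_until: Optional[datetime] = None
    bytes_today: int = 0


@dataclass
class Decision:
    user: str
    url: str
    action: str   # "allow", "block" or "locked"
    reason: str


class PolicyEngine:
    def __init__(self) -> None:
        self.users: Dict[str, UserState] = {}
        self.alerts: List[str] = []  # messages an administrator would be notified with

    def categorize(self, url: str) -> str:
        """Look up the longest matching domain suffix in the category database."""
        parts = (urlsplit(url).hostname or "").split(".")
        for i in range(len(parts)):
            candidate = ".".join(parts[i:])
            if candidate in CATEGORY_DB:
                return CATEGORY_DB[candidate]
        return "unknown"

    @staticmethod
    def search_terms(url: str) -> Set[str]:
        """Extract the words of a search engine query ('q' parameter) from the URL."""
        queries = parse_qs(urlsplit(url).query).get("q", [])
        return {word.lower() for query in queries for word in query.split()}

    def evaluate(self, ts: datetime, user: str, url: str, nbytes: int) -> Decision:
        st = self.users.setdefault(user, UserState())
        if st.locked_until and ts < st.locked_until:
            return Decision(user, url, "locked", "access disabled until " + st.locked_until.isoformat())
        cat = self.categorize(url)
        if cat in BLOCKED_CATEGORIES:
            return self._strike(st, ts, user, url, "category %s blocked by policy" % cat)
        if cat == "search" and self.search_terms(url) & PROHIBITED_SEARCH_TERMS:
            # Filter-evasion behaviour: searching for material the filter already blocks.
            return self._strike(st, ts, user, url, "search for prohibited terms")
        if cat == "streaming" and ts.hour not in STREAMING_ALLOWED_HOURS:
            return Decision(user, url, "block", "streaming outside allowed hours")
        st.bytes_today += nbytes
        if st.bytes_today > BYTES_PER_USER_PER_DAY:
            return Decision(user, url, "block", "daily bandwidth quota exceeded")
        return Decision(user, url, "allow", "category " + cat)

    def _strike(self, st: UserState, ts: datetime, user: str, url: str, reason: str) -> Decision:
        st.strikes += 1
        if st.strikes >= STRIKE_LIMIT:
            st.locked_until = ts + LOCKOUT
            st.strikes = 0
            self.alerts.append("%s: %s locked out until %s" % (ts.isoformat(), user, st.locked_until.isoformat()))
            return Decision(user, url, "locked", reason + "; strike limit reached")
        return Decision(user, url, "block", "%s (strike %d/%d)" % (reason, st.strikes, STRIKE_LIMIT))


def process_log(text: str):
    """Parse constructed proxy log lines: '<iso timestamp> <user> <url> <bytes>'."""
    engine = PolicyEngine()
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url, nbytes = line.split()
        decisions.append(engine.evaluate(datetime.fromisoformat(ts), user, url, int(nbytes)))
    return engine, decisions


# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = """\
2024-01-15T09:05:00 alice http://news.example/today 120000
2024-01-15T09:06:00 bob http://video.example/stream 50000000
2024-01-15T09:07:00 bob http://search.example/?q=porn+sites 2000
2024-01-15T09:08:00 bob http://adult.example/ 500
2024-01-15T09:09:00 bob http://casino.example/ 500
2024-01-15T09:10:00 bob http://news.example/today 1000
2024-01-15T10:15:00 bob http://news.example/today 1000
2024-01-15T12:30:00 alice http://video.example/stream 50000000
2024-01-15T12:35:00 alice http://hideme.example/?u=x 300
"""

if __name__ == "__main__":
    engine, decisions = process_log(SAMPLE_LOG)
    for d in decisions:
        print(d.action.ljust(6), d.user.ljust(6), d.url, "-", d.reason)
    for alert in engine.alerts:
        print("ALERT:", alert)
```

Running the block on the sample log shows bob collecting strikes for the prohibited search and two blocked categories, being locked out at 09:09 for an hour, and being allowed again at 10:15, while alice’s lunchtime streaming is allowed but her later visit to a proxy-avoidance site earns a first strike. The streaming and quota rules block without counting a strike, which is a deliberate choice in this example: the committee the article describes would decide which violations are merely filtered and which count toward disabling access.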
The Senior Manager Shakedown
Students aside, in the corporate realm, experts say many companies’ Web-filtering regimens have a notable weakness: the senior executives who opt out. “We have many clients coming in all the time, trying to implement the software, who say, ‘Oh I have to enable full-access use for my boss,’” notes Matt Green, director of technical services for Burstek.
In the panoply of employee-misbehavior possibilities, where are the highest risks? “The assumption is that the higher the position in the firm, the less the abuse. That’s a myth perpetrated by management,” says Smith. “If you think about it, if there’s high-level abuse in the organization, it’s a lot more costly than in the rest of the organization.”
Beyond the need for executives to be held accountable to the Internet acceptable-use policy, also don’t forget the IT department, which tends to opt itself out of automated enforcement controls. “A lot of abuse happens in IT as well—everyone from the network administrator to the help desk graveyard shift,” says Smith. “It’s human nature for people to get bored, for people’s minds to wander.”
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.