An organisation that fails to publish and enforce an acceptable policy for Internet use potentially exposes itself to significant liability and loss. Eliminating the opportunity for non-work-related surfing can reduce liability and public relations headaches by preventing users from accessing content that is offensive or otherwise harmful; improve employee productivity; recover misused Internet bandwidth; and reduce the likelihood of the enterprise contracting viruses or other malicious bugs. But while controlling employees' web surfing activities is arguably a necessity, no company should leap into deploying URL filtering products without first giving due consideration to other factors, including culture, liability, and the effectiveness of available control mechanisms.
Suppliers of web/URL filtering products, such as Websense, SurfControl, Secure Computing, Elron Software, 8e6 Technologies and Symantec, claim that their tools limit liability (by preventing one user from downloading content that is considered offensive to another user) and improve productivity (by blocking access to non-business-related web sites).
In general, the Meta Group agrees with these propositions, but also contends that the issues and counter-measures are not as clear-cut as suppliers would have the market believe. Prospective users should ask: Are URL filtering products even necessary for my organisation, or is an acceptable usage policy sufficient to limit liability? Do such products really lead to increased employee productivity? Certainly, consideration must be given to numerous factors:
Users must not fall into the trap of assuming that a URL filtering product is the only solution – or even a sufficient one. Without associated processes (for example, for product maintenance or addressing policy violations), liability could still be an issue. Furthermore, processes alone could be viewed as a valid enforcement mechanism (for example, auditing logs, setting thresholds for bandwidth consumption, using scripts to closely monitor suspected abusers, and formally confronting policy violators).
Regardless of the outcome, any control of Internet usage must have two prerequisite components. First, an Internet usage policy must be created and published, and should include the following areas: disclaimer; general principles and allowances; limitations; prohibitions; and expectation of no employee privacy. Second, organisations should establish a process for addressing policy violations that includes identifying all individuals or departments involved, such as HR, legal counsel and IT employees.
Finally, if a web/URL filtering product is deployed, users should consider starting out by running it in monitor-only mode. This will help to determine the extent of misuse and to tune the degree of filtering to better match the appropriate usage policy and the administrative capacity to deal with violations.