Expert advice on controlling employees’ web surfing activities

An organisation that fails to publish and enforce an acceptable policy for Internet use potentially exposes itself to significant liability and loss. Eliminating the opportunity for non-work related surfing can reduce liability and public relations headaches by preventing users from accessing content that is offensive or otherwise harmful; improve employee productivity; recover misused Internet bandwidth; and reduce the likelihood of the enterprise contracting a virus or other malicious bugs. But while controlling employees’ web surfing activities is arguably a necessity, no company should leap into deploying URL filtering products without first giving due consideration to other factors, including culture, liability, and the effectiveness of available control mechanisms.

Suppliers of web/URL filtering products, such as Websense, SurfControl, Secure Computing, Elron Software, 8e6 Technologies and Symantec, claim that their tools limit liability (by preventing one user from downloading content that is considered offensive to another user) and improve productivity (by blocking access to non-business-related web sites).

In general, the Meta Group agrees with these propositions, but also contends that the issues and counter-measures are not as clear-cut as suppliers would have the market believe. Prospective users should ask: Are URL filtering products even necessary for my organisation, or is an acceptable usage policy sufficient to limit liability? Do such products really lead to increased employee productivity? Certainly, consideration must be given to numerous factors:

  • Liability: This is an area that should ultimately be referred to legal counsel. It is possible that simply having a policy that clearly defines appropriate usage of Internet resources by employees is sufficient to avoid legal liability. However, it is more likely that the policy will need to be accompanied by an enforcement mechanism.

    Users must not fall into the trap of assuming that a URL filtering product is the only solution – or even a sufficient one. Without associated processes (for example, for product maintenance or addressing policy violations), liability could still be an issue. Furthermore, processes alone could be viewed as a valid enforcement mechanism (for example, auditing logs, setting thresholds for bandwidth consumption, using scripts to closely monitor suspected abusers, and formally confronting policy violators).

  • Productivity: There is scarce proof that blocking non-work related usage improves user productivity. After all, it is human nature to invest inordinate amounts of time and effort overcoming perceived obstacles. Indeed, outright blocking may prove counter-productive, either as a result of fostering employee dissatisfaction (particularly if the corporate culture has previously been more liberal), or by causing time-consuming ‘workarounds’ (for example, an employee spends 30 minutes to physically visit a bank rather than conducting a five-minute electronic transaction).

  • Limitations: Another consideration is the potential effectiveness of available controls, given that the number of ‘channels’ to the Internet is growing (for example, via personal digital assistants). Then there are the shortcomings of web filtering products themselves, which base their blocking capabilities on the proposition of being able to conveniently categorise accessible content. Granted, 100% effectiveness is not needed to achieve value. However, the exponential growth of Internet content and increasing globalisation of business certainly suggest that both pre- and on-the-fly categorisation will forever be an uphill battle. Furthermore, most of the available products lack the robust, scalable management capabilities necessary for large-enterprise deployments.

  • Cost: At $5 to $15 or more per user, per year, filtering products are not inexpensive. Indeed, this seems at odds with the limitations, alternatives, and value propositions previously described.

  • Completeness: All organisations will find some degree of value from web/URL filtering products. The challenge is weighing this against the various shortcomings and alternatives. The case is certainly clearer if limiting liability is a corporate hot spot, or if abuse of Internet resources is a rampant problem.

    Regardless of the outcome, any control of Internet usage must have two prerequisite components. First, an Internet usage policy must be created and published, and should include the following areas: disclaimer; general principles and allowances; limitations; prohibitions; and expectation of no employee privacy. Second, organisations should establish a process for addressing policy violations that includes identifying all individuals or departments involved, such as HR, legal counsel and IT employees.

    Finally, if a web/URL filtering product is deployed, users should consider starting out by running it in monitor-only mode. This will help to determine the extent of misuse and to tune the degree of filtering to better match the appropriate usage policy and the administrative capacity to deal with violations.

    Ben Rossi

    Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...