Stop your staff from abusing the internet

by Sally Whittle, Computing

08 Sep 2000

In a San Francisco research department, 10 people are spending another eight-hour day looking at violent, illegal, sexually explicit and just plain frivolous internet pages.

The researchers in question aren't hackers, slackers or criminals - they work for a company called WebSense, which supplies internet filtering software. The results of their work - a list of 500,000 web addresses - are sold to scores of corporate customers across the globe who want to keep their internal networks safe. From their own employees.

It's a safeguard that seems to be genuinely required, if recent figures from media researcher Nielsen are anything to go by. It found that the online edition of Penthouse magazine was recently called up more than 5000 times by employees at IBM, AT&T and Hewlett Packard.

Personal surfing - whether it's just for a holiday, or for more venal purposes - costs US companies as much as $200m a year, according to the American Management Association. It can also clog networks, and increase the risk of private information sneaking out through the firewall or potentially actionable material sneaking in.

Non-business surfing
When internet stockbroker Charles Schwab first launched its web services, the company chose not to implement employee monitoring, wishing to treat its workers as adults. That ideal lasted as long as the pilot project - during which the company noticed that a significant proportion of network traffic was for non-business surfing.

"Given the potential bandwidth risks and the growing number of people in the company with web access, we needed more structure," says Dawn Lepore, the company's chief information officer.

The company bought the Smartfilter proxy server software, which not only monitors the volume of network traffic but can also identify the internal internet protocol address from which traffic originates, the web addresses accessed from there, and the time spent browsing. This allows managers to identify abusers of the system, notify them and, if necessary, alert their managers.

As soon as employees heard of the new measures, the US firm achieved its desired result. "We have yielded a substantial decrease in the volume of non-business browsing on the system," says Lepore.

The percentage of UK companies monitoring employee internet activity has jumped from 17 per cent to more than 45 per cent in the past three years, according to the Institute of Personnel.

Thomas Cook Holidays is one recent convert. Last month it rolled out Surfcontrol, which allows it to pull up weekly reports detailing every site visited by each employee in the company.

Salacious content is actively blocked, but most content is merely monitored, with information then passed on to department managers. "We don't want to be too Draconian," says Russell Goodman, the company's network service engineer. "It's up to the individual manager to decide how lenient to be."

But even blocking technology can make a mistake, as Goodman discovered. "This morning we found a hotel website that was flagged as pornography by the software," he says. If actively blocked, that kind of mistake could cause real problems for the company.

Although Thomas Cook has not experienced major problems with downloaded porn, there have been instances of time-wasting. "We did see one of the managers looking at the S Club 7 website this morning," he says.

Other companies have had more serious problems than staff with a penchant for teen band websites.

US-based Citibank was sued for $2m over employees downloading pornography from the internet, while three other major US companies have faced lawsuits for racial harassment in similar circumstances.

It's not just internet surfing that needs monitoring. Email can also be a real headache for businesses. At UK supermarket chain Asda, an internal email suggesting that a policeman who complained about a faulty product was lying resulted in court action.

In the US, petrol company Chevron paid out £1.3m after being sued for sexual harassment by a female employee who found sexist jokes on the company email system.

How to avoid such problems
Discovering such material in your organisation is possible through the use of internet access control systems. These tools can be installed on individual desktops, monitoring every keystroke, or on a server, where they track network usage, searching for traffic that meets pre-defined conditions - including forbidden web addresses, a file type or specific text within an email.

Spending on such software is growing by 53 per cent annually, according to researcher IDC. It predicts that corporate spending on internet access control technology will reach $260m in 2003, compared with $31m in 1998.

"Corporations will increasingly use these products to block and filter access to improve productivity, conserve network bandwidth, and limit legal liability," says analyst Chris Christiansen.

Most corporate lawyers believe the trend is a good one, because employers can be held liable both for the emails employees send to one another and for their outbound messages.

"Companies are daft if they give someone an expensive piece of equipment and then don't monitor what it's used for," says Heather Rowe, a partner with law firm Lovell White Durrant.

"Where an employee carries out illegal activity on a company network, the company is equally liable. Employers must take reasonable steps to prevent such activity to limit their own liability."

Companies should begin by drawing up a code of practice covering internet and email communications. "If companies have any sense, they will make the code part of the contract of employment," she says.

This does not remove the need for active monitoring, however, which Rowe believes should be a given in today's business world. "I cannot believe that any employee would be cretinous enough to think that they're not being monitored," she adds.

Monitoring internet use
Many companies, however, are still unsure about exactly which product to use or its potential. "Clients are all talking about wanting and needing to monitor internet use," says Bruce Guptill, ecommerce research director at analyst Gartner. "But too many companies still don't know how to deal with it."

Using surveillance software has other benefits, especially as a support tool when files inexplicably disappear. "If support staff can see exactly what was done, it removes the need for the user to understand that level of technology and the problem can be solved more quickly," says Andy Mulholland, technology markets director with consultant Cap Gemini Ernst & Young, a firm which has been using surveillance software for three years.

"With more people working remotely, it is important that the company can see when tasks are not being completed on time, so that it can help," he adds.

Employee monitoring doesn't always require companies to buy new products. Some common Lan applications such as Novell's Netware or Microsoft's Lan can easily be converted into desktop monitoring tools.

In addition, Winwatch Professional incorporates functionality that allows network administrators to view an employee's screen in real time, scan data files, analyse keystroke performance and overwrite passwords.

Worldsecure, from WorldTalk Corporation, allows the IT department to monitor the contents of all ingoing and outgoing email messages. The system is particularly popular in regulated industries such as finance, and is used by financial services firm Scottish Widows. A similar product is available from Assentor, a division of security vendor Integralis.

This uses a search engine to check outgoing traffic for specified words or phrases. Some offerings - such as Desktop Surveillance from Omniquad - offer multiple functions rolled into one.

Desktop Surveillance captures visual images from a desktop according to defined rules, such as accessing specific websites, or simply launching an internet browser. Once triggered, the employee can be warned - through a flashing eye symbol on the screen - that he is being watched, or can simply be covertly observed.

"It's like putting a policeman behind every desk," claims Daniel Sobstel, the company's managing director.

Desktop-based tools can start at as little as $400 per seat, with server-based tools ranging from $1000 to $20,000 for a network monitoring package in a medium-sized organisation.

Firms get serious
As the web monitoring industry comes of age, it is likely that more businesses will come at least to explore, if not employ, the technology. Guptill, who admits he hasn't seen a lot of monitoring or filtering in action, claims clients are getting increasingly serious.

"Companies should be concerned about the web," he says. "It's a question of employee time and resources, and it is a security risk. A little paranoia never hurts when it comes to network resources."

But users must exercise control and not fall into the trap of using the technology just because it's available. "Employers are tempted to lock down on use after the hysterical judgements meted out in some cases," says Michael Overly, lawyer and author of E-Policy: How to Develop Computer, Email and Internet Policies to Protect Your Company and its Assets.

"But given the shortage of skilled workers, companies have to make some concessions to make the workplace friendly."

Despite the clamour over employee rights in the workplace, there are at present no restrictions on monitoring or bugging employees' computer equipment, because the company owns the equipment - but it's possible this situation will change. "There are measures currently under consideration," says a Home Office spokesman.

"Following the Alison Halford case [where the bugging of a senior police officer's phone calls was judged to be a violation of her human rights], the Home Secretary commissioned a report to look at how communication on private networks can be brought under legislative control."

While the UK position has yet to be cemented in statute, in France and Germany it is illegal for companies to read employees' email. Although the US has seen a number of lawsuits centered on the issue of monitoring, not one case has been won by an employee.

The bottom line for IT managers is that it's your company's network, and there is little you can't do. However, UK unions recommend that, as a form of corporate courtesy, employees should be informed that they are being monitored before technology is deployed.

Similarly, once information on employees is collated, companies are subject to data protection laws, and must make the information available to employees where appropriate.

It's a fine line to tread. Not only must you try to provide employees with a comfortable, respectful work environment, you must also administer the company's surveillance policy. Treat employees as potential criminals, and you might just find yourself sitting liability-free in a department that echoes with the sound of only two hands typing.

Staff surveillance policy: What to ban and what to look out for

• Employees should not be allowed to create home pages using company resources

• Staff should be forbidden from using the internet to engage in activities of questionable legality that might harm the company's reputation or that might violate company policy. These include gambling, accessing adult material, and posting discriminatory, defamatory or threatening material

• All email should include a disclaimer stating that the information contained within is confidential to the sender and should not be used, copied or distributed by anyone other than the authorised recipient

• The reproduction of copyright-protected material for non-business related activities should be strictly forbidden

• Watch out for racial slurs or words such as 'sex' and 'babe' in emails - politically incorrect jokes can form the basis for costly lawsuits

• Look out for messages with .exe attachments, such as animated movies, or any attachments larger than a megabyte. They overload networks, slow down computers and could crash the system

• Subject lines with the designation 'Fwd' or 'Re' appearing several times in one message are likely to be forwarded jokes and back-and-forth chats, rather than company communication
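
The last two checks in the list above (.exe attachments, attachments larger than a megabyte, and repeated 'Fwd'/'Re' subject prefixes) written as a mail-gateway rule. This is an added example, not code from the article or from any product it names; the function names, rule labels and sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

MAX_ATTACHMENT_BYTES = 1_000_000  # the sidebar's "larger than a megabyte"
# Matches reply/forward prefixes such as "Re:", "Fw:" and "Fwd:".
PREFIX_RE = re.compile(r"\b(?:re|fwd?)\s*:", re.IGNORECASE)


def check_message(raw: bytes) -> list[str]:
    """Return labels for the sidebar rules that a raw message trips."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    # Rule: 'Fwd' or 'Re' appearing several times in one subject line.
    if len(PREFIX_RE.findall(msg.get("Subject", ""))) >= 2:
        findings.append("repeated-fwd-re")
    for part in msg.iter_attachments():
        # The filename is sender-supplied, so this is a hygiene check,
        # not proof of what the file really contains.
        name = (part.get_filename() or "").strip().lower()
        # Measure the decoded size, not the base64-inflated wire size.
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe"):
            findings.append(f"exe-attachment:{name}")
        if len(payload) > MAX_ATTACHMENT_BYTES:
            findings.append(f"large-attachment:{name}")
    return findings


def build_sample(subject: str, attachments=()) -> bytes:
    """Build a constructed sample message for exercising check_message."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Fwd: Fwd: Re: funny", [("Dancing.EXE", b"MZ\x00\x00")])
    print(check_message(sample))
```
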
Which is the product for you?
SurfWatch
Company: Spyglass
Strengths: Proxy server-based, provides a filter of websites based on a list of about 250,000 sites, plus additional restrictions specified by customers
Weaknesses: Relies on an externally provided list of web addresses; if a site is new, the software can miss it

Websense
Company: Net Partners
Strengths: Websense can block all adult websites by web address and allow managers to track users' internet habits
Weaknesses: Can be over-zealous in blocking some innocent sites. Does not support user groups

Surfcontrol
Company: SurfControl
Strengths: Uses artificial intelligence licensed from Autonomy to block sites based on dynamic context
Weaknesses: Does not cover email or other applications

Desktop Manager
Company: Omniquad
Strengths: Offers network-based keyboard monitoring, real-time views of user screens, manager alerts by email, filtering and blocking of internet access and generates activity logs for analysis
Weaknesses: At the higher end of the price scale

Worldsecure
Company: WorldTalk
Strengths: Covers both email and internet, scans content for viruses and is simple to use
Weaknesses: Lacks a content filtering engine as sophisticated as some competing products
