Boost Security With A Web-Usage Policy

Now is the time for companies to set policies on Internet use and implement Web-control measures.

November 21, 2005


Managing Internet access is essential for all businesses--especially with today's increasing regulatory requirements. The good news is that software and hardware systems to block, monitor, or otherwise control employee Internet access have never been better, but they must be balanced against legal, ethical, and employee-morale issues. This is a tightrope that IT must walk.

Employees spend an incredible amount of time on the Internet--and often what they're doing is unrelated to their jobs. Jose Negron, technical director of Layton Technology Inc., a developer of IT-auditing and help-desk software, cites a recent study by Salary.com and America Online that found that employees squander an average of two hours of company time per day online, at an annual cost of $759 billion.

Productivity isn't the only Net-access issue; unsupervised employees are a prime target for spyware. Spyware costs companies $265 per user annually, says Frank Cabri, VP of marketing at security provider FaceTime Communications Inc.

Employees also can download and install a growing variety of applications, including instant messaging, peer-to-peer file sharing, IP telephony, and anonymizing, without IT approval, all of which pose risk and some of which are malicious. Such programs often evade network defenses using techniques such as port agility (jumping around among open ports) and encryption, Cabri says. Users often don't realize their computers are being hijacked, and a malicious app may be downloaded via a seemingly harmless site, he says.

Finally, uncontrolled Net access lets employees view objectionable content that can create a hostile environment for other workers and increase your company's legal liability. Massive streaming of audio and video files also can put a strain on network resources.

Setting A Usage Policy
The solution to the Net-access conundrum lies in establishing a policy and enforcing it through monitoring or other controls. Such methods may raise the specter of Big Brother. "Most enterprises aren't interested in being 'network nannies,' just as most employees aren't excited about being baby-sat," says JoAnne Vedati, senior product market manager at security appliance maker Blue Coat Systems Inc. But because of the hidden dangers of uncontrolled Internet access, and employers' rights and responsibilities, business has the ultimate responsibility for monitoring and control.

When setting Internet policy, "an organization shouldn't treat employees as children," says Kurt Shedenhelm, president and CEO of network-security vendor Palisade Systems Inc. Many companies permit access to certain categories of Web sites, such as shopping or sports sites, during lunch breaks or after closing. Soliciting and embracing employee input, as well as educating users about your Internet policy, is key to reducing the perception of Big Brother.

Find The Right Technology
Web-blocking software prevents employees from visiting Web sites deemed harmful or offensive. Web-monitoring software, on the other hand, lets the employer monitor Net use without barring access to sites. Together, these systems often are referred to as Web-filtering or Web-control software.

The blocking-versus-monitoring question is hotly debated. Monitoring software doesn't bar employees from visiting undesirable sites, but productivity tends to improve when they know they're being monitored. Giving employees the option to voluntarily adhere to an Internet policy lets employers act against abusers without penalizing others.

Blocking software takes a more active role in helping employees avoid undesirable sites, but it can require more setup work than monitoring software. For example, you'll need to determine what content you want to block. You'll also likely need to determine different policies for different users. And employee productivity can be affected if essential sites are inadvertently blocked.

Monitoring software is less costly than blocking software, at least initially. But don't forget to factor in follow-up costs, such as IT time to analyze and prepare reports of improper Internet activities, as well as the potential morale and legal issues when those activities pop up on displays around the company.

Monitoring versus blocking isn't necessarily an either/or situation. The best solution may be to combine the two methods: Block sites that clearly are against corporate policy and monitor other Internet usage to better define that policy or to take action against employees who abuse their privileges.

Savvy workers can use encryption to fool Web-blocking software, says Sanjay Raja, senior project manager for network-security vendor Arbor Networks. "Most blocking apps either look at the content or block based on port. Encrypted traffic is difficult to stop, since the content or the request for a URL is hidden and applications can use different ports to access the Internet."

Blue Coat's Vedati concurs: "Many solutions simply sniff Web traffic and terminate an unauthorized request. But because these deployments allow the request, they must send a reset message to the requesting client before the destination response reaches the client. Web-blocking software may be unable to keep up, allowing undesirable sites to be viewed." She adds, "Some software-based Web-blocking solutions tie authentication information to a specific IP address, which can easily be impersonated."

Not surprisingly, many vendors tout their own products as being more difficult to circumvent. Palisade's Shedenhelm advocates appliances installed at the network gateway, like what his company offers. Passive appliances, unlike firewalls, are difficult to detect, so there's really nothing for employees to circumvent, he says.

Other experts note that employees can simply use third-party, anonymous proxy servers, which redirect requests to a destination and can bypass Web-blocked destinations and obfuscate the reports of Web-filtering alternatives. Another tactic is to set up dial-up network connections to bypass the business network. Others might wrangle privilege levels that forestall company policy. If there's a ray of sunshine in such exploits, it's that almost anything employees do can be traced back to them. But that may be too little, too late.

When Employees Go Astray
You must be prepared to deal with employees who stray into unwanted Internet territory. The first and most important step is carefully crafting and communicating policies, including penalties for infractions.

Displaying a simple "access denied" screen in response to blocked destinations can be a big help, some experts say. Such screens should identify users by name and provide details about the blocked site, including the reason for site denial, Blue Coat's Vedati says. If monitored employees do break the rules, first give them the opportunity to explain why they visited the sites in question. For continued violations, traditional remedies for infractions are appropriate.
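As an added illustration (not code from this article or from any vendor quoted in it), here is a minimal sketch of the combined approach described above: block categories that clearly violate policy, allow break-time categories only during set windows, log everything else, and build a denial screen that names the user, the site and the reason. The hosts, categories and time windows are constructed sample data, and the `user` value is assumed to come from an authenticated proxy session rather than a source IP address.

```python
from dataclasses import dataclass
from datetime import time
from html import escape

# Constructed sample data: host-to-category map and policy sets (hypothetical names).
CATEGORIES = {
    "shop.example": "shopping",
    "scores.example": "sports",
    "adult.example": "adult",
    "p2p.example": "file-sharing",
}
ALWAYS_BLOCK = {"adult", "file-sharing"}      # clearly against corporate policy
BREAK_ONLY = {"shopping", "sports"}           # permitted at lunch or after closing
BREAK_WINDOWS = [(time(12, 0), time(13, 0)), (time(17, 30), time(23, 59, 59))]

@dataclass(frozen=True)
class Decision:
    action: str    # "block" or "allow"
    category: str
    reason: str

def in_break(now: time) -> bool:
    return any(start <= now <= end for start, end in BREAK_WINDOWS)

def evaluate(host: str, now: time) -> Decision:
    """Block what policy forbids; allow (and still log) everything else."""
    category = CATEGORIES.get(host.lower().rstrip("."), "uncategorized")
    if category in ALWAYS_BLOCK:
        return Decision("block", category, f"'{category}' sites are prohibited by policy")
    if category in BREAK_ONLY and not in_break(now):
        return Decision("block", category, f"'{category}' sites are allowed only during breaks")
    return Decision("allow", category, "permitted; request recorded for usage reports")

def audit_record(user: str, host: str, now: time, d: Decision) -> dict:
    """Every request is logged, so allowed traffic is monitored rather than ignored."""
    return {"user": user, "host": host, "time": now.isoformat(),
            "action": d.action, "category": d.category}

def denial_page(user: str, host: str, d: Decision) -> str:
    """Denial screen naming the user, the site and the reason; values are HTML-escaped."""
    return (f"<h1>Access denied</h1><p>User: {escape(user)}</p>"
            f"<p>Site: {escape(host)}</p><p>Reason: {escape(d.reason)}</p>")
```

Uncategorized hosts are allowed but still produce an audit record, which is the data that lets the policy be refined over time.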

The majority of businesses can't deny workers access to the Internet. The trick is to implement measures that protect the company while keeping workers satisfied. Establishing and communicating a comprehensive Internet-use policy, backed by Web-filtering controls, provides the most productive and safest use of your employees' Internet time.

Illustration courtesy of Getty Images
