Stop your staff from abusing the internet

Companies are spending more on staff monitoring. We look at the trends, the software - and the implications.

Sally Whittle, Computing

In a San Francisco research department, 10 people are spending another eight-hour day looking at violent, illegal, sexually explicit and just plain frivolous internet pages.

The researchers in question aren't hackers, slackers or criminals - they work for a company called WebSense, which supplies internet filtering software. The results of their work - a list of 500,000 web addresses - are sold to scores of corporate customers across the globe who want to keep their internal networks safe. From their own employees.


It's a safeguard that seems to be genuinely required, if recent figures from media researcher Nielsen are anything to go by. It found that the online edition of Penthouse magazine was recently called up more than 5000 times by employees at IBM, AT&T and Hewlett Packard.

Personal surfing - whether it's just for a holiday, or for more venal purposes - costs US companies as much as $200m a year, according to the American Management Association. It can also clog networks, and increase the risk of private information sneaking out through the firewall or potentially actionable material sneaking in.

Non-business surfing
When internet stockbroker Charles Schwab first launched its web services, the company chose not to implement employee monitoring, wishing to treat its workers as adults. That ideal lasted as long as the pilot project - during which the company noticed that a significant proportion of network traffic was for non-business surfing.

"Given the potential bandwidth risks and the growing number of people in the company with web access, we needed more structure," says Dawn Lepore, the company's chief information officer.

The company bought the Smartfilter proxy server software, which not only monitors the volume of network traffic but can also identify the internal internet protocol address from which traffic originates, the web addresses accessed from there, and the time spent browsing. This allows managers to identify abusers of the system, notify them and, if necessary, alert their managers.

As soon as employees heard of the new measures, the US firm achieved its desired result. "We have yielded a substantial decrease in the volume of non-business browsing on the system," says Lepore.

The percentage of UK companies monitoring employee internet activity has jumped from 17 per cent to more than 45 per cent in the past three years, according to the Institute of Personnel.

Thomas Cook Holidays is one recent convert. Last month it rolled out Surfcontrol, which allows it to pull up weekly reports detailing every site visited by each employee in the company.

Salacious content is actively blocked, but most content is merely monitored, with information then passed on to department managers. "We don't want to be too Draconian," says Russell Goodman, the company's network service engineer. "It's up to the individual manager to decide how lenient to be."

But even blocking technology can make a mistake, as Goodman discovered. "This morning we found a hotel website that was flagged as pornography by the software," he says. If actively blocked, that kind of mistake could cause real problems for the company.

Although Thomas Cook has not experienced major problems with downloaded porn, there have been instances of time-wasting. "We did see one of the managers looking at the S Club 7 website this morning," he says.

Other companies have had more serious problems than staff with a penchant for teen band websites.

US-based Citibank was sued for $2m over employees downloading pornography from the internet, while three other major US companies have faced lawsuits for racial harassment in similar circumstances.

It's not just internet surfing that needs monitoring. Email can also be a real headache for businesses. At UK supermarket chain Asda, an internal email suggesting that a policeman who complained about a faulty product was lying resulted in court action.

In the US, petrol company Chevron paid out £1.3m after being sued for sexual harassment by a female employee who found sexist jokes on the company email system.

How to avoid such problems
Discovering such material in your organisation is possible through the use of internet access control systems. These tools can be installed on individual desktops, monitoring every keystroke, or on a server, where they track network usage, searching for traffic that meets pre-defined conditions - including forbidden web addresses, a file type or specific text within an email.

Spending on such software is growing by 53 per cent annually, according to researcher IDC. It predicts that corporate spending on internet access control technology will reach $260m in 2003, compared with $31m in 1998.

"Corporations will increasingly use these products to block and filter access to improve productivity, conserve network bandwidth, and limit legal liability," says analyst Chris Christiansen.

Most corporate lawyers believe the trend is a good one, because employers can be held liable both for the emails employees send to one another and for their outbound messages.

"Companies are daft if they give someone an expensive piece of equipment and then don't monitor what it's used for," says Heather Rowe, a partner with law firm Lovell White Durrant.

"Where an employee carries out illegal activity on a company network, the company is equally liable. Employers must take reasonable steps to prevent such activity to limit their own liability."

Companies should begin by drawing up a code of practice covering internet and email communications. "If companies have any sense, they will make the code part of the contract of employment," she says.

This does not remove the need for active monitoring, however, which Rowe believes should be a given in today's business world. "I cannot believe that any employee would be cretinous enough to think that they're not being monitored," she adds.

Monitoring internet use
Many companies, however, are still unsure about exactly which product to use or its potential. "Clients are all talking about wanting and needing to monitor internet use," says Bruce Guptill, ecommerce research director at analyst Gartner. "But too many companies still don't know how to deal with it."

Using surveillance software has other benefits, especially as a support tool when files inexplicably disappear. "If support staff can see exactly what was done, it removes the need for the user to understand that level of technology and the problem can be solved more quickly," says Andy Mulholland, technology markets director with consultant Cap Gemini Ernst & Young, a firm which has been using surveillance software for three years.

"With more people working remotely, it is important that the company can see when tasks are not being completed on time, so that it can help," he adds.

Employee monitoring doesn't always require companies to buy new products. Some common Lan applications such as Novell's Netware or Microsoft's Lan can easily be converted into desktop monitoring tools.

In addition, Winwatch Professional incorporates functionality that allows network administrators to view an employee's screen in real time, scan data files, analyse keystroke performance and overwrite passwords.

Wordsecure, from WorldTalk Corporation, allows the IT department to monitor the contents of all ingoing and outgoing email messages. The system is particularly popular in regulated industries such as finance, and is used by financial services firm Scottish Widows. A similar product is available from Assentor, a division of security vendor Integralis.

This uses a search engine to check outgoing traffic for specified words or phrases. Some offerings - such as Desktop Surveillance from Omniquad - offer multiple functions rolled into one.

Desktop Surveillance captures visual images from a desktop according to defined rules, such as accessing specific websites, or simply launching an internet browser. Once triggered, the employee can be warned - through a flashing eye symbol on the screen - that he is being watched, or can simply be covertly observed.

"It's like putting a policeman behind every desk," claims Daniel Sobstel, the company's managing director.

Desktop-based tools can start at as little as $400 per seat, with server-based tools ranging from $1000 to $20,000 for a network monitoring package in a medium-sized organisation.

Firms get serious
As the web monitoring industry comes of age, it is likely that more businesses will come at least to explore, if not employ, the technology. Guptill, who admits he hasn't seen a lot of monitoring or filtering in action, claims clients are getting increasingly serious.

"Companies should be concerned about the web," he says. "It's a question of employee time and resources, and it is a security risk. A little paranoia never hurts when it comes to network resources."

But users must exercise control and not fall into the trap of using the technology just because it's available. "Employers are tempted to lock down on use after the hysterical judgements meted out in some cases," says Michael Overly, lawyer and author of E-Policy: How to Develop Computer, Email and Internet Policies to Protect Your Company and its Assets.

"But given the shortage of skilled workers, companies have to make some concessions to make the workplace friendly."

Despite the clamour over employee rights in the workplace, there are at present no restrictions on monitoring or bugging employees' computer equipment, because the company owns the equipment - but it's possible this situation will change. "There are measures currently under consideration," says a Home Office spokesman.

"Following the Alison Halford case [where the bugging of a senior police officer's phone calls was judged to be a violation of her human rights], the Home Secretary commissioned a report to look at how communication on private networks can be brought under legislative control."

While the UK position has yet to be cemented in statute, in France and Germany is illegal for companies to read employees' email. Although the US has seen a number of lawsuits centered on the issue of monitoring, not one case has been won by an employee.

The bottom line for IT managers is that it's your company's network, and there is little you can't do. However, UK unions recommend that, as a form of corporate courtesy, employees should be informed that they are being monitored before technology is deployed.

Similarly, once information on employees is collated, companies are subject to data protection laws, and must make the information available to employees where appropriate.

It's a fine line to tread. Not only must you try to provide employees with a comfortable, respectful work environment, you must also administer the company's surveillance policy. Treat employees as potential criminals, and you might just find yourself sitting liability-free in a department that echoes with the sound of only two hands typing.


Do you agree?

Further reading

Online staff face spectre of Big Brother

Just over 25 per cent of the global online workforce, or 27 million employees, have their internet or email use monitored by their employers.

Managers complain of email overload

Managers risk drowning in email as it becomes the by-product of a communications system that may also be hampering efficient knowledge sharing, according to a Mori report.

Web filters fail to block adult sites

Internet filtering software fails to block one in five websites considered to be objectionable, according to new research.

Porn not involved in Ford staff suspension

Ford UK said internet pornography was not behind the suspension of three staff at its plant in Dagenham, Essex who face questions over computer misuse.

Related whitepapers

Related jobs

Most watched

Acer smartphones

Video: Acer Tempo smartphones demo gets a walkthrough of new smartphone range at London launch event

Yahoo logo weekly debrief, 6 Mar 09

Yahoo's future plans, the biggest news from CeBIT and super-fast broadband speeds ahead

IT white papers

Search white papers

Top categories


Mobile content: Text message updates

Mobile content: Text message updates

Which of the following would you be most interested in receiving SMS updates on?

Previous poll results



Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Enter email address to edit your newsletter preferences

Job of the week

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Hiring now on ComputingCareers:

Related IT jobs

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search


IT security

Bolt-on security no longer fit for purpose

Vendors must embed better security into products or services from...

Twitter users hacked again

Twitter users once again experienced the unpleasant side of Web...

Motorola MC55

Motorola ships new enterprise handheld

MC55 designed to provide workers with mobile access to applications

Top 10 recession-proof technologies

Top 10 recession-proof technologies

Industries keeping a sweet outlook during these sour times

Primary Navigation