February 2012 IT Business Consulting Newsletter

If Your Employees Continue To Abuse the Internet – Some Options

By Tom K

I received a lot of interesting feedback concerning last month’s article on creating "Employee IT Use and Abuse Policies". Several folks asked for pointers on developing their company IT Abuse Policy, but the question I was asked most often was, “If they just don’t listen/comply, how can we regulate employee abuse of the Company Internet?”

There are several options available, running from simple to complex, and from free (but cumbersome) to pricy (but elegant).

In this month’s newsletter I discuss various options that are available to shut down employee abuse of your company’s Internet circuits and the resultant lost productivity.


Staff Understanding and Compliance

This is the simplest, the least expensive, and the solution that is used and works in the majority of my client companies.

We educate the employees as to how critical the IT resources are to the success of the Company, and how abusing those resources can negatively affect performance in many different areas. If you recall last month’s article, "Employee IT Use and Abuse Policies", I advised that the first purpose of the Policy was to educate your staff.

Then we educate the employees concerning compliance, and ensure they understand that the Company WILL enforce the non-compliance terms as detailed in the IT Use and Abuse policy, which should clearly include termination.


Firewall Internet Filtering

If you do find the need to block access to specific websites, most firewalls can do it. This is part of the basic functionality of a firewall, so it is included in the device’s base feature set. (Of course you DO have a firewall protecting your environment from the Internet, right?)

Unfortunately, it is a process that requires manual configuration, and the config needs to be re-edited for every added website. Also, the config is based on firewall rules and policies, so it is not at all granular in terms of which users are affected. It is most often an all-or-nothing proposition.

We do have a few clients who use this option to block just a few sites (i.e., Facebook and eBay), but it does get a bit complex when you have the atypical exception, like “Andrea needs to get to Facebook because she takes care of our Social Networking” and “John needs to sell some old Company property on eBay”. This can be configured, but the configuration is time-consuming.


Firewall Content Filtering Plug-Ins

The next step up the Internet Content Filtering food chain is the Firewall Content Filtering Plug-In. This is a subscription service that is available on many firewalls. The service lives on the firewall and it consumes firewall resources, so the firewall typically needs to be a more robust model in the product line or it needs to have the capacity to accept an optional “booster card” to increase the firewall’s processing/memory resources.

These applications/services are quite nice for the price, although the subscription cost varies radically across the major firewall vendors. These services enhance the basic firewall filtering capabilities by providing filtering by URL as well as by IP address, and they provide a limited level of granularity in terms of users affected by the filtering rules. The key advantage is provided by the subscription. The service maintains and updates filtering categories that can be applied to your filter as you see fit. The categories include such things as adult, intimate apparel, on-line shopping, gambling, brokerage and trading, auctions, drugs, etc. There are literally hundreds of categories you can choose to use, or not, depending on your needs. Note that some vendors market various service levels, e.g., the basic level might offer 20 categories, while the premium level offers much more flexibility with 100 categories and 80 sub-categories.

All vendors’ products of this type have some capability to monitor which users are being affected by the filters, and can provide reports.


Software Content Filtering Products

This product type is similar in functionality to the Firewall Plug-Ins but it gets installed on a server within your environment, and all outbound internet traffic is routed through this server/application filter. We haven’t worked with this option in a few years, as we encountered a lot of operational and performance issues in the past. In our experience, we have found that the Firewall Plug-Ins are generally well designed, easy to manage, and when using a properly sized device, don’t impact performance or Internet traffic flow. Not so with the Software Content Filtering Products.


Internet Content Filtering Appliances

If you have a large environment, or you require/desire a large filtering feature set, the Content Filtering Appliance may be your solution. They are the most expensive option, as they involve a capital expense for the appliance as well as the annual category subscription, but they have the richest feature sets.

The Content Filtering Appliances have all the features included with the Firewall Content Filtering Plug-Ins, and then add more granular filtering, enhanced monitoring and reporting, and much more granular application of rules to users. The Appliances are typically easier to set up and manage, as the user interfaces are usually very well developed. In most instances, the Appliances interface directly to the Windows Network user management system (Active Directory) to provide exceptional user filtering controls.


Internet Content Filtering Services

The Internet Content Filtering Services are very similar to the Appliances, because they ARE Appliances, but they are hosted in “the Cloud”. Functionally, they are much the same as the Appliances, and many of the Appliance vendors offer access to their products as a Service in “the Cloud”.

As with anything else, there are up-sides and down-sides. There is no capital expense and no annual subscription fee, but there is a monthly per user fee. Since you don’t own the device, you don’t have to maintain it, but you do have full access to manage how it is configured for your environment. All of your outbound Internet traffic has to travel to the hosted filter before it is sent on to the Internet, so there might be some noticeable latency.

It really comes down to cost. If you need the high-end functionality of a full-featured Appliance, the Service model (annual fee/user × number of users × 3 yrs) is typically less expensive for a small number of users, while the Appliance model (capital cost × 3 yr subscription fee, unlimited users) is less expensive if you have a large number of users.


But Smart Phones Can Access the Internet!

Unfortunately, while these technical options can reduce or eliminate abuse via your company network, they won’t prevent your staff from using the Internet via their personal Smart Phones. So let’s go back to our first option... Employee Understanding and Compliance!


If you have any questions or comments concerning this article, or would like assistance deploying any of the options I covered, I’d be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month I promise I’ll get back to discussing the concerns IT should have relating to departing employees, the steps we recommend to properly deal with security and auditing, and different processes used when the departing employee is leaving with blessings or in handcuffs. See "Departing Employee? How to Process them Gracefully and Securely".