There's no shortage of tools to monitor and filter employees' use of the Internet and IT resources. But can blocking really save you the outrageous sums of money the vendors claim? And is cyberbludging an issue of technology or management?
Just as technology makes it easier for people to do their work, it also makes it easier for managers to keep track of what their staff are doing.
GPS-based systems might simplify navigation for delivery drivers, but they can also be used to report the vehicle's location every few minutes.
Recordings made at call centres "for quality assurance purposes" could be used to teach agents how best to handle an irate customer, but they can also be misused for disciplinary purposes if an agent puts customer service ahead of call duration benchmarks.
In the IT world, monitoring products can be used to ensure that sufficient bandwidth is available for mission-critical applications or to alert a user's manager if they attempt to download a music file.
They can prevent employees' mailboxes from being overloaded with spam, or they can prevent the use of e-mail for private purposes. They can protect users from shady Web site operators who get their traffic by using domain names that match common typos when entering popular domains, or they can log every site someone visits and the amount of time they spend there.
In this special feature, we look at some of the products available, and the tradeoffs between managing IT infrastructure, employee relations, and security.
What can they do?
Broadly speaking, monitoring products fall into four categories: Web monitors/filters, e-mail monitors/filters, keystroke and usage monitors, and traffic shapers.
"The last statistic we saw was that there are three million new Web pages a month," says Adam Barnard, head of sales and marketing at Tel.Net Media.
While Tel.Net's Internet Sheriff filtering tool incorporates a blacklist—including the Australian Broadcasting Authority's list—it performs real-time content analysis to categorise material. The software uses Bayesian statistical techniques to classify unknown content in 46 preset categories plus any custom categories.
"We've done things a bit smarter than our competitors," he says, "we're using some of the clever stuff that's been developed in Australia." Barnard estimates that this dynamic modelling method takes the place of around 300 people working to classify material.
Administrators can set thresholds for action, such as blocking content if there is a 10 percent or greater chance that it is pornographic. Blocked URLs are automatically forwarded to Tel.Net for human review, and if necessary they are added to the blacklist.
Bayes' theorem describes "how the conditional probability of each of a set of possible causes, given an observed outcome, can be computed from knowledge of the probability of each cause and of the conditional probability of the outcome, given each cause" (from the Infoplease Dictionary).
This provides a way of determining the likelihood that a particular Web page fits into a certain category by combining information such as the occurrence of certain indicative words or phrases, the ratio of such words or phrases to the remaining text, the presence of links to sites known to be in that category, and the ratio of graphical to total content.
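The following sketch is an added illustration, not Tel.Net's code or algorithm: a small naive Bayes classifier that combines indicative words and outbound link hosts into a per-category probability, then applies administrator-set thresholds and queues blocked URLs for human review. The categories, training pages, thresholds and .example hosts are all constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training pages (category, text); hosts are made-up .example names.
TRAINING = [
    ("gambling", "casino poker jackpot bet odds bonus http://bets.example/win"),
    ("gambling", "bet on roulette and poker tonight, jackpot bonus odds"),
    ("music_download", "download free mp3 album tracks http://tunes.example/top"),
    ("music_download", "mp3 playlist download new album and singles"),
    ("business", "quarterly invoice supplier contract delivery schedule"),
    ("business", "supplier meeting agenda, contract review and invoice terms"),
]

# Assumed administrator policy: block when P(category | page) >= threshold.
THRESHOLDS = {"gambling": 0.10, "music_download": 0.50}


def features(text):
    """Return word tokens plus one 'link:<host>' token per outbound link."""
    lowered = text.lower()
    hosts = re.findall(r"https?://([\w.-]+)", lowered)
    words = re.findall(r"[a-z0-9]+", re.sub(r"https?://\S+", " ", lowered))
    return words + ["link:" + host for host in hosts]


class PageClassifier:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self, training):
        self.counts = defaultdict(Counter)   # category -> feature counts
        self.docs = Counter()                # category -> number of pages
        for label, text in training:
            self.docs[label] += 1
            self.counts[label].update(features(text))
        self.vocab = {f for c in self.counts.values() for f in c}

    def posteriors(self, text):
        """Return P(category | page) for every category, summing to 1."""
        feats = [f for f in features(text) if f in self.vocab]
        total_docs = sum(self.docs.values())
        log_scores = {}
        for label in self.docs:
            n = sum(self.counts[label].values())
            score = math.log(self.docs[label] / total_docs)  # prior
            for f in feats:  # likelihood of each observed feature
                score += math.log(
                    (self.counts[label][f] + 1) / (n + len(self.vocab)))
            log_scores[label] = score
        # Normalise in log space to avoid underflow on long pages.
        top = max(log_scores.values())
        weights = {k: math.exp(v - top) for k, v in log_scores.items()}
        z = sum(weights.values())
        return {k: w / z for k, w in weights.items()}


def decide(classifier, url, text, review_queue):
    """Apply the thresholds; blocked URLs are queued for human review."""
    post = classifier.posteriors(text)
    hits = [c for c, limit in THRESHOLDS.items() if post[c] >= limit]
    if hits:
        review_queue.append(url)
        return "block", hits, post
    return "allow", [], post


if __name__ == "__main__":
    clf, queue = PageClassifier(TRAINING), []
    samples = [  # constructed test pages
        ("http://intranet.example/po",
         "supplier invoice and contract terms for delivery"),
        ("http://bets.example/play",
         "poker jackpot bonus http://bets.example/play"),
        ("http://hr.example/pay", "supplier contract bonus terms"),
    ]
    for url, text in samples:
        action, hits, post = decide(clf, url, text, queue)
        print(url, action, hits, {k: round(v, 3) for k, v in post.items()})
    print("queued for review:", queue)
```

The third sample is a business page that mentions "bonus": its gambling probability is only about 12 percent, yet a 10 percent threshold still blocks it, which is the false-positive cost of a low threshold and the reason blocked URLs go to a reviewer.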
Further efficiency is gained by not sending the entire blacklist to each client site. Instead, only portions relevant to local surfing patterns are transmitted.
Any entry that remains unused for six weeks is dropped from the local list. "There's no Internet management tool that is 100 percent foolproof, but ours is about 98 percent," says Barnard.
"It's completely self-funding," he added, suggesting that each year customers can save 10 times the original cost of Internet Sheriff in reduced bandwidth consumption.
Stephen Goodwin, Tel.Net's technical sales and support manager, says the product has been under development since 1998. Around 200 sites in each of Internet Sheriff's categories were analysed in order to identify common features that can be used to identify each type.
Other approaches are available to address the problem of dynamic classification. "Neural networks imitate the brain's ability to sort out patterns and learn from trial and error, discerning and extracting the relationships that underlie the data with which it is presented . . . neural networks excel at recognising shapes or patterns, learning from experience, or sorting relevant data from irrelevant," (from the Infoplease Encyclopaedia).
SurfControl is one example of software that uses neural networks. "It has become critical to develop intelligent technologies that can interpret and understand information, that's why we've invested significant R&D resources into neural network technologies to deliver products that contain Adaptive Reasoning Technology components.
Today, any Web filtering solution without neural networks is really only half a solution," says Steve Purdham, CEO of SurfControl. He's probably overstating the case, but it is reasonable to say that you can't rely on blacklists and whitelists to enforce or monitor appropriate use policies.
Actually, Bayesian methods and neural networks aren't mutually exclusive, as the former can be used within the latter. Some approaches to monitoring focus on individual PCs rather than the network backbone.
"There are numerous keystroke monitoring technologies but these are rarely used in the enterprise. They are sometimes installed on very sensitive data stores," says Tim Smith, security consultant at Dimension Data Australia.
Keystroke logging is of questionable value in discouraging cyberbludging. It's probably most suited to situations calling for the specific surveillance of an individual or location arising from particular suspicions rather than routine monitoring.
The relatively low cost of software products in this category may make them attractive to micro-businesses that actively suspect some wrongdoing, but a moderately skilled user may be able to work around them. But as we'll see later, surreptitious use may have legal implications.
Software that logs keystrokes often has other features that provide additional information that is more useful to the suspicious employer, such as the amount of time spent using various applications and documents.
If someone outside your HR department is spending a lot of time on www.monster.com.au or frequently opens a Word document called Resume.doc, you probably have a staffing problem.
Similar information is also collected—perhaps more accurately—by Scalable Software's Survey. A Survey agent is installed on each PC, and this records the amount of time spent actively using applications or Web sites.
Note the word "actively": Survey ignores idle time and focuses on interactions such as typing, clicking, and scrolling. Records from across the organisation are aggregated in a database, which is then used to generate a variety of reports.
"Survey provides a clear picture of the entire client—the PC and PC user—so that management can understand trends in software usage, workplace habits and ongoing changes in how people use PCs," says Don Graves, managing director of Survey distributor Express Software.
Various insights can be gained from these reports. An organisation might find that less than half of its employees are using one of the applications it has selected as part of its standard PC environment, that a particular area of its intranet deserves more attention, or that some employees need additional training in the use of a new application.
Traffic shapers are hardware devices that sit between an organisation's network and its connection to the Internet. They examine the contents of data packets and the protocols used in order to classify the traffic, and then prioritise different classes according to administrator-defined policies.
For example, business-critical applications can be guaranteed the bandwidth they require, while a non-essential use such as MP3 downloading can be limited to a trickle.
Products such as the Packeteer PacketShaper can also maximise the useful throughput of a link—or as Bob Jones, Packeteer's territory manager for Australia and New Zealand puts it, the "goodput"—by exploiting features of TCP to smooth bursty traffic into a steady stream.
I fought the law and the law won
One of the most pressing reasons for installing monitoring or control products is to minimise exposure to legal liability.
According to Leif Gamertsfelder, head of the E-Security Group at leading international law firm Deacons, an organisation could face liability under a range of laws as a result of a misuse of its information systems by an employee.
For example, liability for sexual harassment or racial vilification could arise where the conduct complained of offends other employees. This could happen if pornographic material was distributed around the workplace via e-mail, for example.
In one case, a US corporation was fined US$2 million in a sexual harassment case due to the fact that pornographic material had been distributed internally using its e-mail system.
Gamertsfelder says other areas of potential liability include the Trade Practices Act, contract law, negligence law, the Corporations Act and the ASX Listing Rules.
Such liability may arise for instance where the conduct of an employee results in a breach of IT security causing a denial of service. This in turn leads to the organisation or its trading partners suffering loss or damage because they cannot operate normally.
This loss or damage could be in the form of increased security expenditure for remediation purposes or lost profits. Steve White, principal of White SW Computer Law, concurred that the potential liability arising from misuse by employees is very wide.
"A company is vicariously liable for the acts of its employees done within the scope of their employment. This could include discrimination issues all the way through to defamation and trade practices issues," he says.
Losing an unfair dismissal case can be expensive for an employer, says Barnard, so you need good records to support sacking someone for accessing pornographic or other unacceptable material at work.
Monitoring software can help prove an employee's claim of mistyping a URL or accessing a domain that previously presented innocuous material, or reveal a pattern of inappropriate behaviour.
"You don't have a leg to stand on if you are a company director and you don't have a[n Internet access] policy or you haven't tried to enforce it," says Chy Chuawiwat, General Manager Asia Pacific, MIMEsweeper Group, Baltimore Technologies (Asia Pacific).
"The loss of reputation in losing intellectual property . . . is a big damage," he warns. The disclosure of intellectual property by e-mail, whether inadvertent or deliberate, is a real problem, especially where disgruntled employees are concerned.
Apart from the loss of value, the company's reputation suffers, just as it does if it is the victim of a hacker attack or a major virus infection.
Talking of viruses, scanning all outgoing mail for unintended payloads may also help preserve your reputation. Scanning for viruses and confidential or inappropriate content can be done simultaneously by some products.
Apart from avoiding legal liabilities, an important objective is to reduce the amount of bandwidth being consumed by non-business uses of the Internet.
Doing so can postpone the need for bandwidth upgrades, reduce volume charges, improve the performance and predictability of key business applications, and free up existing resources for new applications such as voice over IP (VoIP).
Jones pointed out that users in other countries tend not to face volume charges, but it is a significant issue here. Australian businesses can pay "a huge amount of money" for unauthorised use.
One customer (the local operation of a multinational company) purchased a single Packeteer PacketShaper for around AU$20,000 and based on its initial experience expects to save AU$650,000 per year in volume charges.
It turned out that the recreational use of the Internet was five times higher than the company had estimated, so it is tempting to speculate that a significant amount of staff time has also been redirected to company business.
"A lot of organisations think they've covered [usage levels] with firewall or proxy logs," says Barnard, but they probably only analyse the logs once a quarter and even then only examine a subset of the information. "The horse has already bolted then," he says, but "Internet Sheriff stops the horse from bolting." The same observation can be made about products that provide realtime analysis, such as WebSpy Live.
Gaining an understanding of the way bandwidth is being used is also high on Smith's list. It allows costs to be controlled, and packet-shaping technology can be applied "so access to applications is not limited by non-business activity chewing up bandwidth".
You don't necessarily need to install extra software for this phase of the process. Some network management products will collect the information you need.
For example, the Traffic Accountant module of Concord Communications' eHealth Suite "analyses traffic generated by nodes and applications to provide information that allows you to solve network problems, as well as understand how IT resources are being used," says Tony Edwards, product manager at distributor LAN Systems.
"The primary focus of the software is predicting faults, managing performance," he says, but it can report on the most active nodes, the protocols and applications being used, and the Web sites being visited.
Some tools—Internet Sheriff is just one example—can generate bill-back reports, allowing various departments or even individual users to be charged for Internet use. If managers don't like the figures they see each month, that can act as a trigger for changing the acceptable use policy.
Smith also points to the advantage of using e-mail-scanning technology to detect viruses in attachments before they reach the mail server, let alone individual PCs. A product that can scan for viruses and inappropriate content in a single pass is probably more efficient than having to treat the two classes separately.
Jack Andrys, CEO of Perth-based WebSpy, believes companies knew there was a problem surrounding unauthorised Internet use, but didn't have the information necessary to make decisions and take appropriate action.
According to Andrys, his company's tools provide that information, and once companies know exactly what's going on, they can decide if employee behaviour really is a problem for them.
Potential time-wasters include Internet shopping, banking and investing, personal e-mail, watching streaming videos, and browsing news and sports sites. Other bandwidth killers include downloading large files for personal use, including music, video, and software.
In a white paper, Andrys claims "Research has shown that the cost of employees accessing the Internet for personal use during work hours is costing Australian organisations in the order of AU$1 billion per year in lost productivity" and that "Some 40 percent of all Internet traffic between 9am and 5pm is believed to be non-business related."
No sources for these assertions are quoted, although Andrys says the company has taken figures from various studies over the last few years as well as data from the Australian Bureau of Statistics.
Smith suggested things might be even worse than that, citing a report by Internet research company Red Sheriff. "Using Australian Bureau of Statistics data, and two surveys, the researchers found employees who did not have Internet at home were 'wasting' about 3.6 hours a week each on the Internet.
Or, in other words, each worker was spending 72 hours annually online for personal use, a 70 percent increase on 1997," he says. "In a year, that is [costing Australian businesses] AU$22.5 billion."
A Gallup Poll conducted last year found US workers were averaging 75 minutes a day on non work-related Internet use. In an Australian context, that's equivalent to 300 hours a year—or about four times Smith's figure.
Tel.Net's marketing materials include a variety of statistics from a range of sources. One that might have managers particularly concerned is a Vault.com survey that found 24.3 percent of employees say they take precautionary measures to avoid detection when using the Web.
That's actually a figure from 1999. Vault's 2000 survey found the proportion had increased to 27.8 percent. Interestingly, that survey also showed employers were almost equally divided on the issue of whether surfing non-work related sites affects employee productivity.
Some companies appear to take research findings out of context or otherwise misinterpret them. For example, the Spectorsoft Web site—aimed at concerned spouses and parents as well as employers—proclaims "38 percent of people have engaged in explicit online sexual conversation," citing a study by Greenfield and Rivet. However, a paper written by Greenfield (www.virtual-addiction.com/internetaddiction.htm) indicates that it should be "38 percent of Internet addicts have engaged . . .", which is a different matter.
Furthermore, the respondents to this survey were far from representative of the general population, and while that doesn't invalidate Greenfield's conclusions, it does make Spectorsoft's claim even less believable.
Even if your staff all do the right thing, failing to control e-mail and Web traffic can still be expensive. Pete Simpson, manager of Baltimore's MIMEsweeper ThreatLab, pointed out that spam wastes employees' time, even if they immediately delete it from their inboxes.
Furthermore, inappropriate or unwanted e-mail not only takes up bandwidth, it also eats into storage space. This is a particular problem where attachments are involved.
Internet access isn't free, so Andrys suggests you should make sure that staff realise you are doing them a favour by allowing any private Internet use. Hefty volume charges mean that even if you only allow MP3 files to be downloaded during the lunch hour, that could be an expensive perk.
Ethics of surveillance
There are two main schools of thought in this area. One side takes what might be characterised as the "Big Brother is watching" stance: the assumption is that people will behave "properly" if they know they are being monitored.
Doug Fowler, president of Spectorsoft, suggested "Internet filters don't solve the problem. They fail to filter out all the bad stuff, and they prevent users from doing completely legitimate tasks by producing far too many false positives."
"Spector [Spectorsoft's monitoring software] doesn't try to stop the user from doing anything. Instead, it records their actions. That places the issue of responsibility directly on the user.
When a child or employee knows their actions may be recorded and viewed at a later point in time, they will be much more likely to avoid inappropriate activity," he adds.
Smith takes a rationalist perspective. "The employer owns the bandwidth and infrastructure—why would they not be able to monitor its usage as long as employees are made aware that they could be monitored?"
Andrys says the Internet use of everyone at WebSpy—including himself—is subject to monitoring, and reports are circulated to senior management.
However, he suggests that live monitoring is more appropriate where you have established that someone is doing the wrong thing, especially in shared environments such as libraries and classrooms. It is not appropriate for ongoing use in a large organisation, he says.
"You need to look at the company and its policies first, and only then consider how employee behaviour fits in with those policies," says Andrys. This process can reveal an absence of policies dealing with particular behaviours.
"It is good business practice to monitor Web access but it must be overtly done and in conjunction with an appropriate Internet use policy. This way everyone understands what is expected of them," he says.
"People may be undecided whether e-mail and web monitoring is OK, but almost 75 percent think monitoring with Web filtering software is acceptable if they know about it beforehand," says Charles Heunemann, managing director of SurfControl Australia, citing a survey conducted by the University of Western Sydney.
What do staff think?
Surprisingly, only 52 percent of respondents were unhappy with the idea of e-mails being monitored at work without warning, but it could be dangerous to assume this level of tacit support applied in every workplace.
Many of the people Technology & Business spoke to promoted staff involvement in policy setting. "Employers who do the right thing and involve employees in deciding what is and what isn't acceptable and responsible, and then filter inappropriate material, will have happier workers," says Heunemann.
Barnard recommends organisations step away from any discussion of free speech and the like, and focus instead on resource management. "We will provide you with a tool to manage your Internet use the way you want to manage it," he says.
"We're not about Big Brother tools . . . you've given this facility to your employees [and] in collaboration with your staff you should work out an acceptable Internet policy, and then manage it."
For example, you might permit the use of Internet banking and shopping sites during the lunch break, but forbid downloading MP3 files or watching streaming video at any time of day because of the cost of bandwidth.
He suggests users, managers with budget responsibilities, and human relations specialists should all be involved in the policy-setting process.
Baltimore talks about the "Three Es" of policy management:
- Establishing a policy
- Educating employees about the policy, and
- Enforcing the policy.
"By following the Three Es and setting up an effective policy, companies have the potential of saving enormous amounts of money," says Chuawiwat.
A model acceptable use policy developed by Electronic Frontiers Australia can be found online. It is important to note that this document "does not necessarily signify EFA's views about what ought to be 'acceptable use' in workplaces; it simply addresses a range of aspects that should be considered in developing an AUP suitable for a particular workplace."
Jones points out that the PacketShaper can generate an alarm when it detects a policy breach, but it makes more sense to simply control the situation (eg, denying access to an inappropriate Web site): "things just happen, no one need be alerted, it's all under control."
He suggests alerts are appropriate when an event falls outside existing policies so that a new policy can be developed, but some organisations find such situations too confrontational and just buy more bandwidth instead.
Another approach is to limit Web access to those sites on a whitelist enforced by a Web filter or other system component. This can be a viable method where the organisation's Internet access policy disallows private use, but only where it is easy to identify a small number of relevant sites such as those operated by customers and suppliers, industry bodies and government departments.
It is unlikely to be satisfactory if employees have wide-ranging research needs, though this can be overcome by using a combination of whitelists and other filtering or monitoring techniques according to job function.
Gamertsfelder warns that organisations considering the implementation of monitoring software need to ensure appropriate internal policies are in place so that the Privacy Act is not being infringed upon.
"When drafting internal policies, organisations need to consider whether employee consent is in fact even required under the Privacy Act and, if so, the scope of any consent which needs to be obtained," he says.
Although the Privacy Act is driven by consent, certain activities and organisations have "carve outs" removing them from the scope of the Act. A relevant example is employee records; an organisation does not need consent to keep records of the conduct or performance of an individual.
Gamertsfelder says it is arguable that this covers monitoring, as it is implicitly related to work conduct. However, he warns "there might be a fine dividing line" so an organisation that permits personal use of IT systems would need to spell out exactly what types of personal use are permitted and get permission to monitor such use.
"The Privacy Act has important implications on the storage and retrieval of data," warns White. "Unless an exemption applies, users are entitled to know that information is being collected and the employer needs their consent for the use of such software. Users are entitled to know what information is being stored about them and amend same if inaccurate."
Andrys also believes that Australian privacy laws require disclosure of the type of information that is being collected, and that employees' consent must be obtained because Internet usage patterns could constitute private information.
Gamertsfelder observed that there have been around 20 complaints in this area to the Federal Privacy Commissioner, but as they have generally been resolved on a confidential basis, no trends are apparent yet.
Since it is not clear at this stage whether this type of monitoring is exempt from Privacy Act provisions, it would seem prudent—as well as good employee relations practice—to discuss any proposed implementation with staff and obtain their explicit consent.
Some of the products mentioned in this article seek to minimise cyberbludging and other misuse of resources by blocking or restricting certain traffic rather than drawing attention to incidents of abuse, but you may need to collect data in order to identify that traffic.
If the software used for that purpose was developed with a different privacy regime in mind, it's possible that it might not dovetail with Australian requirements.
According to Gamertsfelder, the New South Wales government is contemplating new surveillance laws that would go far beyond the provisions of current privacy laws and would require employers to gain the express consent of employees before conducting any electronic surveillance of them, including monitoring e-mail and Web use.
"This would be an extraordinary outcome as it would impact adversely on an organisation's ability to maintain security and effectively deal with its own property, i.e. its information systems, in a manner which it and its employees determine," he says.
"Security is a huge issue that you don't want to be interfered with by privacy or industrial relations laws," says Gamertsfelder. "The Privacy Act is fairly balanced and doesn't present a threat to security," he added, but the proposed surveillance laws "get into troubled waters."
There are other legal considerations arising from monitoring and surveillance systems. "Organisations need to be particularly careful that any surveillance or monitoring actions do not breach offence provisions in Telecommunications laws," Gamertsfelder advises.
These provisions prohibit the interception of telecommunications, and in some circumstances e-mail or other Internet monitoring or surveillance could possibly constitute an offence under these laws.
Chuawiwat suggests that if an organisation permits the use of e-mail for private purposes, employees should be instructed to put the word "private" in the first line of the message, and MIMEsweeper set to ignore the content of such messages and merely add an appropriate disclaimer to outgoing messages.
"We only stop the [messages] that the policy says to stop and hold," he says. While this provides a greater degree of privacy, it also provides a hole through which confidential material can leak.
10 ways to minimise cyberbludging
- Develop an acceptable use policy in consultation with staff and obtain every employee's explicit permission to monitor their compliance with that policy.
- Focus on the productive use of organisational resources rather than getting into moral or ethical debates.
- Protect your organisation from legal liability by prohibiting the display or transfer of materials that could constitute sexual harassment, racial vilification, etc. Consider technological measures to enforce this policy—prevention is better than cure.
- If you don't understand the current pattern of usage, you won't know where to concentrate your efforts.
- Tools are available to monitor or control various aspects of computer use, including Web, e-mail, application, and document use.
- If you do monitor, be sure to follow up any inappropriate activities that it uncovers.
- Guard against defamation, the inadvertent or deliberate leakage of your intellectual property, the spread of viruses or the use of your systems to launch denial of service attacks by filtering all outbound traffic. If personal use of the organisation's e-mail server is permitted, add a suitable disclaimer to all outgoing personal messages.
- Using technological means to severely limit the bandwidth available to certain non-business applications may be as effective as blocking them completely, but less confrontational.
- If personal use is permitted, make it clear that it is a privilege, not a right.
- Don't expect technology to solve all your problems in this area. Ultimately, it's a management issue, not an IT issue.