The argument that is always heard with regard to this month's
topic is that it is too Orwellian, that monitoring internal
electronic information is an invasion of one's privacy. I couldn't
agree more, but that argument is only valid, in my opinion, when you
are on your home or private Internet segment, not the one your
employer pays for.
It is estimated that employee Internet misuse and abuse cause
over four billion dollars in lost work productivity. Several
surveys reveal that 1 in 5 employees view online adult sites at
work and that 70% of adult web sites are hit between the hours of
9am-5pm. Not only do employees surf sex sites, but they also visit
sports sites like espn.com, bid on ebay.com, trade stocks on
etrade.com, shop online at avon.com or just send tasteless jokes to
their coworkers. This type of misuse not only hurts employee job
performance but increases threats to information security and
drains valuable network and corporate resources. Corporations can
also be held liable for harassment due to sexually or racially
discriminatory email sent through corporate Intranets.
To prevent such abuses, companies have instituted proper use
policies, and have actively written both filters and firewall
rules (egress filtering) that block Net access to certain web
Monitoring along with a properly implemented policy also creates
a new set of management dilemmas:
1. How does the company enforce Internet use policies?
2. Are all employees including senior management monitored?
3. How will companies deal with employee privacy and morale?
Consider these recent findings of a Vault.com survey:
37.1% said they surf the Web "constantly" at work
31.9% said they surf a few times a day
21.3% said they surf a few times a week
9.7% said they never surf at work
Note: Vault.com is a job-hunting Internet company that
surveyed 1,004 employees in what it called the first comprehensive
survey of e-mail behavior in the workplace.
Other Internet use statistics can be found at Websense.
Findings like those have prompted more employers to monitor
Internet use and to use a more stringent security policy guideline
for proper use. Employees should be encouraged to use the Internet
as a tool of their employment, but should understand that repeated
visits to gambling or adult Web sites, or high volumes of
personal e-mail, can lead to a reprimand or termination. Internet
abuse has created a booming business for software security
companies as well as businesses that develop and sell security
gateway appliances. Sales have soared as businesses and government
agencies have scrambled to put policies and software in place to
solve the problem. Despite employer awareness and security
software, statistics show Internet abuse is growing.
A 2002 survey of companies, institutions and government agencies
by the Computer Security Institute (CSI) and the FBI revealed two
eye-opening findings:
80% acknowledged financial losses due to computer security
breaches (primarily through theft of proprietary information or
78% had Internet abuse by employees, such as downloading
adult sites or inappropriate use of e-mail.
Companies also report that they are disciplining more employees
for Internet abuse. A survey this year by the American Management
Association found:
54% of major U.S. companies check their employees' Internet
26% have given workers formal reprimands for misusing the
20% have issued informal warnings
17% have fired employees for misusing the Internet.
I have not found one CIO or CSO yet who hasn't told me that
this is a constant struggle. Businesses and agencies all say they
still have to discipline, dismiss or suspend employees for abuse of
the Internet, in order to keep a balance between allowing
legitimate use and preventing abuse of it.
Most companies that I have dealt with will tolerate employees
using the Internet for brief, personal research or communication,
but high volumes of e-mails or frequent visits to certain Web sites
will trigger monitoring tools. What companies have to do is regard
their Internet use policy as an internal security issue. Security
awareness training for new employees and written guidelines on
Internet use at work should be provided to all employees. Policies
should be well written and clearly spell out that employees should
not expect privacy when they access the Internet at work.
Like I said at the start of this article, some view this
approach as Orwellian; I tend to lean towards diligence.