The argument that is always heard in regards to this month's topic is that it is too Orwellian, that monitoring internal electronic information is an invasion of one's privacy. I couldn't agree more, but that argument is only valid in my opinion, when you are on your home or private internet segment, not the one your employer pays for.
It is estimated that employee Internet misuse and abuse causes over four billion dollars in lost work productivity. Several surveys reveal that 1 in 5 employees view online adult sites at work and that 70% of adult web sites are hit between the hours of 9am-5pm. Not only do employees surf sex sites but they also visit sport sites like espn.com, bid on ebay.com,trade stocks on etrade.com, shop online at avon.com or just send tasteless jokes to their coworkers. This type of misuse not only hurts employee job performance but increases threats to information security and drains valuable network and corporate resources. Corporations can also be held liable for harassment due to sexually or racially discriminatory email sent through corporate Intranets.
To prevent such abuses, companies have instituted proper use policies, and have actively written both filters and firewall rules(egress filtering) that block Net access to certain web sites.
Note: Too find out more about ingress/egress filtering rules and how they work, go to the URL: GIAC Enterprises goes cyber!.
Monitoring along with a properly implemented policy also creates a new set of management dilemmas:
1. How does the company enforce Internet use policies?
2. Are all employees including senior management monitored?
3. How will companies deal with employee privacy and morale?
Consider these recent findings of a Vault.com survey:
37.1 % said they surf the Web "constantly" at work
31.9 % said they surf a few times a day
21.3 % said they surf a few times a week
9.7 % said they never surf at work
Note: Vault.com, is a job-hunting Internet company, that surveyed 1,004 employees in what it called the first comprehensive survey of e-mail behavior in the workplace.
Other internet use statistics can be found at Websense
Findings like those have prompted more employers to monitor Internet use and to use a more stringent security policy guideline for proper use. Employees should be encouraged to use the Internet as a tool of their employment, but that repeated visits to Web sites that offer gambling, adult sites, or high volume's of personal e-mail, can lead to a reprimand or termination. Internet abuse has created a booming business for software security companies as well as businesses that develop and sell security gateway appliances. Sales have soared as businesses and government agencies have scrambled to put policies and software in place to solve the problem. Despite employer awareness and security software, statistics show Internet abuse is growing.
A 2002 survey of companies, institutions and government agencies by the Computer Security Institute (CSI) and the FBI revealed two eye opening findings:
80 % acknowledged financial losses due to computer security breaches (primarily through theft of proprietary information or fraud).
78 % had Internet abuse by employees, such as downloading adult sites or inappropriate use of e-mail.
Companies also report that they are disciplining more employees for Internet abuse. A survey this year, by American Management Association has found:
54 % of major U.S. companies check their employees' Internet usage
26 % have given workers formal reprimands for misusing the Internet
20 % have issued informal warnings
17 % have fired employees for misusing the Internet.
I have not found one CIO or CSO yet that hasn't told me that this is a constant struggle. Businesses and agencies all say they still have to discipline, dismiss or suspend employees for abuse of the Internet, in order to keep a balance between allowing legitimate use and preventing abuse of it.
Most companies that I have dealt with will tolerate employees using the Internet for brief, personal research or communication, but high volumes of e-mails or frequent visits to certain Web sites will trigger monitoring tools. What companies have to do is regard their Internet use policy as an internal security issue. Security awareness training for new employees and written guidelines on Internet use at work should be provided to all employees. Policies should be well written and clearly spell out, that employees should not expect privacy when they access the Internet at work.
Like I said at the start of this article, some view this approach as Orwellian, I tend to lean towards diligence.
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2013-02-07 Michael Desrosiers
It is the the duty of a Webmaster to allocate URIs which you will be able to stand by in 2 years, in 20 years, in 200 years. (Tim Berners-Lee)