Surveys indicate that more and more companies are monitoring their employees' Internet activities. Internet monitoring products have been selling briskly, even when overall I/T spending is down. Why are companies making this investment and what Internet monitoring technologies are they buying?
The companies I work with are primarily concerned about legal liability. If a company employee is looking at inappropriate Internet content at work, the company may find itself at risk. For example, if Employee "A" displays racist or pornographic material on his computer screen and Employee "B" accidentally sees it, Employee "B" could be offended and file a complaint. Employee "B" may also have sufficient grounds for a harassment suit against the company, especially if it can be shown that this was not an isolated incident.
Legal liability isn't the only thing that concerns employers. Companies may also worry that employees are leaking trade secrets or other proprietary information via email or chat sessions. In addition, some non-business Internet activities are bandwidth hogs that hurt Internet performance. MP3 audio file downloads and streaming video are two of the biggest offenders. Finally, employers generally prefer their employees to spend their time at the office working rather than surfing the Internet.
Companies are legitimately concerned about the negative impact of Internet misuse on their business and they are taking steps to protect themselves. The first step for most companies is to develop an Internet "Acceptable Use Policy" (AUP), which employees are asked to read and sign. The AUP should clearly define the types of Internet activities that are not allowed and the potential repercussions for engaging in them. The next step for many companies is to enforce their AUP.
There are two schools of thought in regard to enforcing an Internet AUP. The first is that employee Internet use should simply be monitored. Internet activity that violates the company AUP is logged and used to generate reports (which can be forwarded to the Human Resources Department). The second school of thought is that Internet activity outside the bounds of the AUP should be blocked before it can occur. The products available from network security vendors reflect these two different philosophies. An example of each approach is provided below.
One vendor has developed a network appliance for Internet monitoring that uses network packet sniffing to look inside every packet coming in or out of the Internet router. The data within each packet is analyzed by artificial intelligence algorithms designed to look for violations of the company's AUP (which can be programmed into the device). Internet activity that violates the AUP is logged and is used to generate reports. Because the product is based on sniffer technology, it can look at any Internet traffic, including Internet Relay Chat, Instant Messenger, FTP, email, and web traffic.
Internet blocking products work somewhat differently. One popular blocking tool maintains an extensive database of non-business web sites, organized by category. A company can select the web content categories it wishes to block according to its AUP. The product works with the company's firewall to intercept all outbound web URL requests and checks them against the database to see if they violate the company AUP. If there is a violation, access to the web page is blocked.
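The sketch below is an added example, not code from any vendor's product, showing the category check described above applied in both styles: monitor-only (log the violation, allow the request) and blocking (deny it). The category database, the AUP selection, and the function names `categorize` and `enforce` are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: a tiny category database and the categories
# this hypothetical company's AUP has chosen to disallow.
CATEGORY_DB = {
    "streaming.example": "streaming-media",
    "mp3files.example": "music-downloads",
    "adult.example": "adult-content",
    "news.example": "news",
}
AUP_BLOCKED_CATEGORIES = {"streaming-media", "music-downloads", "adult-content"}


def categorize(url):
    """Return (host, category) for a URL; category is None if uncategorized."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a netloc
    # .hostname drops any userinfo ("user@") and port, and lowercases the host,
    # so "http://news.example@adult.example/" is judged as adult.example.
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Match on whole DNS labels, walking up through parent domains, so
    # cdn.streaming.example inherits the category of streaming.example
    # while notstreaming.example does not.
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return host, category
    return host, None


def enforce(url, mode, report):
    """Apply the AUP to one outbound request and return "allow" or "deny".

    mode="monitor": always allow, but record violations for later reports.
    mode="block":   record the violation and deny the request.
    """
    host, category = categorize(url)
    violation = category in AUP_BLOCKED_CATEGORIES
    if violation:
        report.append({"host": host, "category": category, "mode": mode})
    return "deny" if violation and mode == "block" else "allow"
```

A filter that compared raw URL strings or used substring matching instead of parsed hostnames would miscategorize the userinfo, trailing-dot, and lookalike-domain cases handled here.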
There are several good Internet monitoring and blocking products on the market. The right product for any given company will depend on its AUP and other factors. I recommend that a company begin the process by developing a well thought-out AUP. I also recommend that employers inform their employees of the potential for Internet monitoring before it is implemented. In other words, employees should be given every opportunity to adhere voluntarily to the corporate AUP.