Policing the internet

Striking the right balance between necessary internet monitoring and respecting the individual’s right to privacy can be a formidable challenge. Angus Kidman examines how two businesses have successfully forged collaborations between HR executives, the IT department and the overall business to tackle such issues

The growing business importance of internet-based applications such as web surfing, email and instant messaging has also created a new business challenge: setting appropriate policies for those applications and developing suitable ways of monitoring them.

More than 200 workers in Australia have been dismissed and a further 900 suspended as a result of internet misuse since 1998, according to ongoing monitoring by the software company SurfControl. Most of the well-publicised cases have centred on accessing pornographic content via web sites or forwarding inappropriate emails, but concerns over lost productivity through personal use of office technology are also common.

While the scope of the problem is clear, determining who is responsible for setting and enforcing company policy is much more difficult. According to SurfControl’s recent white paper on internet policy, “confusion exists between HR and IT about who should be training employees, while employees are unsure who to turn to about internet misuse”.

Staff can also be touchy about heavy-handed monitoring of personal usage of the internet. One survey of workers by WebSense found that 57 per cent believed that using the web for personal tasks didn’t impact their productivity, while 27 per cent argued that it actually improved their overall productivity.

Anecdotal evidence suggests the most effective solution is for IT and HR executives to collaborate on identifying problems and developing policies.

“To deal with internet abuse, IT and HR departments must focus on both the policy and effective technology which will help them to monitor and ensure proper employee internet use,” said Saran Gopalakrishnan, senior product manager for WebSense.

The actual deployment of technology is likely to remain a core IT responsibility. Because many businesses respond to such problems reactively, and because of the nature of the solutions, ongoing monitoring also often remains an IT role.

However, such strategies will only be effective if the company policy is effectively communicated to all employees. This is where HR has a crucial role to play.

“The more you expose policy and the more you expose statistics gathered from monitoring, the more people are aware of what’s going on,” said Jack Andrys, head of WebSpy. Sometimes measures such as these have direct relevance to the business. Something is obviously wrong, for example, in a sales department that has more incoming email from customers than outgoing mail from staff.

From security to policy

For leading insurance and financial services provider QBE Insurance Group, the initial impetus for implementing a solution to help control incoming email was a simple and pragmatic one – making sure that viruses did not spread across the company network.

“We had good anti-virus solutions running on the desktops and servers, but the biggest threat comes from email,” explained group information security manager Murray Laracy.

Malicious computer viruses often spread rapidly via email before the latest updates and patches that protect against them have time to be deployed. To deal with that problem, QBE rolled out a managed service solution from MessageLabs, which scans all incoming email before it arrives at the company and uses predictive techniques to identify new viruses by their virus-like behaviour. Laracy said the initial implementation on 5,000 desktops in the Australian organisation three years ago was something of a “leap of faith”. However, the solution had already been used successfully in QBE’s London office, and it has since proved effective in controlling the spread of viruses here.

With that problem conquered, Laracy’s attention turned to a related area which MessageLabs’ technology could help conquer: spam email. “Our initial priority was definitely viruses,” he said. “We were aware that spam was a problem, and what has happened is that the volume of spam has increased exponentially.”

Currently, QBE blocks around 100,000 unwanted spam messages each week, up from 10,000 a week when the anti-spam component of the solution was first implemented.

Anti-spam and virus control were both initiatives centralised in QBE’s IT department, but when it came to image and content filtering, which is also an option with the MessageLabs solution, the picture became more complicated. QBE uses the image filter to restrict the forwarding of jokes, pornography and other unsuitable content. Developing the policies surrounding content filtering requires careful thought, planning and consultation.

“There are some obvious candidates for things you should block, such as large files and video, but there are also a lot of grey areas,” Laracy said. “Every business is different, and organisations have to decide how intrusive they need to be. We didn’t want to go down the path of invading privacy and being overly intrusive. We have found we have been able to design policies which allow us to block malicious or inappropriate mail with confidence. We have avoided the need to open messages to check if they should be allowed. This protects individuals’ privacy but also reduces cost.”

Coming up with a suitable policy required involvement from multiple areas of the business. “The discussion needs to happen between IT and HR departments, and you also need to engage within the business so they have input to what is happening and why,” Laracy said.

After the policy has been developed, it is the HR team’s job to communicate the policy to employees. “You need to be very clear about what it is you are trying to achieve with the technology,” Laracy said. At QBE, staff have readily accepted the policy, indicating that the right notes had been hit. “We have found very little resistance to it,” Laracy noted.

For other businesses considering this kind of content control solution, Laracy emphasises the importance of striking a balance between a comprehensive policy and needlessly expanding the workload in the IT and HR departments. “If you set up a lot of complicated rules, there’s going to be some administrative overhead,” he said.

Property and rights

IP Australia’s policy towards internet usage in the workplace is summed up very simply by IT security advisor Fred Schelb: “Zero personal use, plus a bit.”

The company, which manages a range of intellectual property rights across Australia and handles tasks such as granting patents and registering trademarks, has seen its internet policy evolve since the early days of the technology when staff access was unlimited. “We had to go from a very organic type of culture to one that was more controlled,” Schelb explains. “We needed a tool to control and manage use as much as possible. We also needed to block accidental links.”

Initially, IP Australia gathered raw data on the sites visited by its employees using a tool called Squid and analysed it using an Excel spreadsheet. However, the sheer volume of data collected each month – more than 65 gigabytes – meant that Excel often crashed during the analysis process. The company was forced to focus on the 20 staff with the highest volume of downloading but then found that some of those users were carrying out legitimate business tasks and were rightly offended by constant questioning over their usage.

Eighteen months ago, IP Australia replaced Squid and WebSpy with a program called ContentKeeper, which automatically analysed and categorised data, providing a detailed picture of the internet usage of all 850 employees and identifying potential areas of concern or patterns that might indicate excessive personal usage. Because patents and trademarks are granted in a wide range of fields, blanket policies blocking entire categories aren’t always appropriate.

“Our examiners roam far and wide on the internet, and need to look at a variety of sites for business purposes,” Schelb said. For instance, while IP Australia has a general block on accessing adult sites, that policy occasionally needs to be lifted for specific staff so they can examine trademark applications relating to the adult industry.

Ensuring staff acceptance was also important. “We initiated a large-scale awareness program,” Schelb said. The process was driven by the IT security team, in line with existing general policies on electronic resource usage. New employees joining the organisation now sign an individual agreement on appropriate usage, in line with the “zero plus a bit” policy.

How exactly does the “plus a bit” side work? During the devastating Canberra bushfires, Schelb says, staff were allowed to access web-based email accounts, if they had no other means of communicating. “That’s an example of the organisation supporting its employees,” he said. And so far, that approach has been very successful. “Our business usage ratio has gone up substantially.”
