Cyber-crackdown! Internet filtering and monitoring

The internet and email have changed the way we all do business – mostly for the better. However, misuse of this powerful tool can lead to lost productivity, less bandwidth and potential legal action against an employer. Teresa Russell looks at how three organisations tackled these issues.

A study of Australian, UK and US workers conducted by Australian academic Dr Monica Whitty and commissioned by SurfControl found that 51 per cent of employees have been exposed to porn by co-workers. More than a quarter said they would take legal action if they regularly saw sexually explicit material on a co-worker’s desktop.

According to Australia’s Internet Industry Association, spam has become a problem of increasing proportions. “It’s costly and a nuisance to users, it sometimes carries viruses or offensive content, and is generally unwelcome. In short, it threatens to undermine the utility of email itself.”

Proposed worker privacy legislation in NSW and Victoria will lay down rules on how employers monitor workplace internet usage. Companies will need clear policies and processes for managing employee internet access.

Western Power

Four years ago, Western Power developed an ‘acceptable use of email’ policy, because it was aware that offensive material was coming into the organisation via email. Tony Hancock, head of information technology security, says that violation of the policy, discovered through monthly random audits, resulted in termination of access to systems, or suspension without pay for up to four weeks, or termination of employment.

“Despite the policy, we still had to take action against people every month. The problem wasn’t going away. The typical response we got when someone was caught was, ‘I knew the policy, but didn’t think you’d catch me!’” Hancock recalls. The company knew that a different approach was required and looked for a system that would quarantine all offensive email attachments. The project was technology driven with HR involved in policy development.

Western Power employs 2,500 permanent employees and 500 contractors across 50 remote offices in WA, as well as its Perth head office. All employees have access to email and 1,500 can browse the internet. Hancock wrote a business case and got permission to run a one-month trial, which then gave him the hard data to help justify purchase of a new server and licensing the software to filter all employees’ emails.

“When we first started in full production nine months ago, the quarantined emails were mostly categorised as illegal, offensive or adult material, but in the last 45 days, we have stopped 22,700 items in the health/medicine category (such as viagra ordering, body modification and sexual enhancements),” says Hancock.

He suggests a phased implementation, like the one used at Western Power. They added a few other rules to stop all executable files as well as some dictionaries. Unfortunately, this stopped some legitimate material, including emails containing words such as “lubrication” and “grease nipples”, from getting through to maintenance engineers in power stations. “Phase it in slowly, trial it, modify the rules, trial some more, modify and when you think you’ve got it right, roll it out across the organisation. We did the last 900 staff in one go,” Hancock explains.

Western Power allows personal as well as business use of its email. It’s now looking at monitoring the content of outgoing email, in order to ensure that no offensive material is sent from the company. “We are not being big brother, but we have to protect the organisation from litigation that could result from someone sending offensive material,” he says.

Hancock stresses that these filtering and monitoring systems are not ‘set and forget’ type systems. They always need ongoing management to prevent false positives. “Although we are down to only being asked to release 0.5 per cent of quarantined emails, that is still 70-90 phone calls to our help desk each week,” he says.

EDS

The morning edition of crikey.com on 14 July 2004 reported that EDS staff at the Commonwealth Bank of Australia (CBA) in Sydney were raided and told to “stand up and step back” from their desks, and that whole servers were taken away for analysis. It alleged that staff were downloading movies, porn, software and games, storing them on servers, burning them to CD and selling them.

Iain Blackall, EDS’ vice president of service delivery Asia Pacific, says he is unable to comment on that incident because “an investigation’s still underway and there’s a case pending against a lot of people”. He was happy to talk about the company’s history of internet filtering and monitoring.

EDS employs 6,700 people in Australia, including technical staff, application programmers and business processing staff. All have email and internet access.

The main driver behind EDS’ email and internet policy is risk management. The company doesn’t look at it in terms of ROI because “it’s not a tangible measure unless you are looking at productivity improvements,” Blackall explains. EDS has a workforce that operates on producing measured outputs (that is, calls answered, mortgages processed and so on). Increased productivity is an outcome, not a goal. “Having a US parent company, we’re probably more sensitive to litigious issues than some other organisations,” he adds.

For the last five years, EDS has included its internet policy as part of its induction pack, which is sent to prospective new employees along with their letter of offer. All employees know, before joining the company, what EDS’ policy is on email and internet use. EDS bars access to certain internet sites and employs a firewall, which filters and nullifies incoming material for both itself and its customers.

Blackall sees this issue as the joint responsibility of IT and HR. “It’s HR’s responsibility to understand the foundation layers that make a workplace an attractive place to work. HR should define and design workable practices as well as understand laws about harassment and litigation. IT should be responsible for production issues,” he says.

EDS has a diversity council, which includes employees from all parts of the organisation. Blackall says it’s important to engage individuals throughout the organisation on workplace design issues, so that employees have ownership of the outcomes and understand why something is being done. Internet filtering and monitoring is one of the issues that the diversity council should handle.

Blackall also believes it’s vital to have transparent policies at the point of entry to an organisation, with no ambiguity about the outcomes if policies are breached.

Shellharbour City Council

Located in southern NSW, this local government authority has 300 full-time employees spread across an administration centre and 19 remote sites, including four branch libraries that provide public internet access.

Mike Leonard, manager of information services, says the council has been filtering emails for four years now. Productivity, rather than offensive material, was the biggest issue. “We monitored internet use for six months before we started filtering, breaking usage down into either private or business use. For 10 per cent of employees, productivity was seriously affected, while 2 per cent seemed to do nothing else,” recalls Leonard. The organisation still has little trouble with offensive sites, except on public access PCs.

Shellharbour City Council initially bought a tool to officially monitor and report on internet use, developing an internet and email policy at the same time. “There were two problems with the reports that it produced. Firstly, it needed intervention from IT to generate reports and secondly, it reported on time already wasted. We decided on implementing a filtering tool for both internet and email and were able to allow different profiles for different people,” explains Leonard.

Usually an organisation would automatically filter users against accessing criminal skills sites. However, the council’s community artist, who works with graffiti artists, has a specialised profile that allows him access to such sites. The council also allows time profiles. It prevents access to gambling, game and hobby sites, from 8am to 12pm and 2pm to 5pm, so that staff can still check their lotto results, but not on company time. “If someone accesses an offensive site,” Leonard says, “we use a gentle nudge, rather than a big stick approach.” A note would be sent to HR, the employee or their manager, reminding them that they are being monitored and that management knew they accessed a particular site.

Because the main driver was productivity, Leonard believes their case was a technology solution to an HR problem. ROI was measured based on time used on non-work related internet use before and since internet filtering and monitoring. “It easily paid for itself within 12 months,” Leonard believes.

“Start tight, then loosen up,” advocates Leonard, who believes it’s “better getting one big dose of grief at the beginning (of a project) rather than suffering death by a thousand cuts.” Although IT consulted with HR, Leonard felt they should’ve consulted with everybody in the organisation through a consultative committee. “Eventually monitoring and filtering becomes part of the culture,” says Leonard, who jokes that staff have stopped calling him the “internet nazi”.

Like EDS and Western Power, Leonard agrees it is vital to have a well-communicated, appropriate policy to accompany any email filtering and monitoring tool.