Look Who's Watching: Employee Monitoring Becoming Standard Practice

Employee monitoring tools aren't just about increasing worker productivity or banning pornography from the office. Midmarket CIOs now use them to secure their networks from malware and bandwidth hogs.

Midmarket CIOs are increasingly monitoring employee Internet use and blocking Web sites. Where are they drawing the line?

Every morning a report lands on Tony Bisulca's desk with information he needs but wishes he didn't have to know. As he takes a sip of Earl Grey tea, he opens the multi-page document full of networking traffic stats from the previous day. He knows who the top bandwidth users were, the top surfers and chatters, where they went and when, what they downloaded and how long they stayed. This particular morning, he discovers that a co-worker, who is also a friend, tried to access a white supremacy site the previous night.

Editor's Note
To view our complete multimedia package, visit our risk management supercast.

Bisulca's routine underscores what is increasingly no secret: When it comes to workplace computer use, someone is watching, and it's probably the CIO.

But as furtive as employee monitoring sounds, as paranoid as employees might feel about being watched, as covert as employers might think they're being (and no matter that everyone knows someone who knows someone who got fired for surfing porn), the fact is, watching what employees do is now standard practice, even at many midmarket companies.

But that doesn't mean CIOs are entirely comfortable with it. In fact, many are finding themselves at the center of a cultural shift as they fine-tune a monitoring middle ground that suits their organizations. Where do they draw the line when it comes to determining what's blocked or who's monitored?

Today, more than three-fourths of organizations are monitoring workers' Internet usage, up 27% since 2001, according to the American Management Association (AMA). Sixty-five percent use software to block connections to inappropriate Web sites, a practice called URL filtering. Experts say that by 2010, everyone will use some combination of blocking and monitoring.

Indeed, there is little reason not to. Tools (primarily software, but some appliances and hosted services) are relatively inexpensive ($10,000 a year for a company with 500 employees). It's pretty easy to sell upper management on the purchase given the risks associated with inappropriate computer use and the potential legal costs if you're sued for having a hostile working environment because someone came across a computer screen with images not fit for the workplace. And the real dirty work of confronting errant employees is (or should be) done by human resources, not the CIO.

Among companies with between $50 million and $1 billion in revenue, about half monitor employee Web use today, according to a CIO Decisions magazine survey of 394 subscribers in September 2006. That usage is largely a result of security concerns; the chief reason that businesses begin monitoring is the need to block access to Web sites that spread spyware and other forms of malware, says Gartner analyst Lawrence Orans.

"It took a while to convince [midsized companies] that they needed this tool; this was never about liability for them," says Paul Myer, president and COO of 8e6 Technologies, an Internet filtering, monitoring and reporting firm based in Orange, Calif. "The single biggest growth area [for monitoring and filtering tools] is the midmarket."

Most midmarket organizations have policies outlining Internet usage; that gives employees little leverage to argue when they've been caught surfing inappropriately. It doesn't mean every employer does a great job of getting the word out, however, says Jeff Stanton, associate professor in the School of Information Studies at Syracuse University and co-author of The Visible Employee. Employees are not always aware they're being monitored, and even if they are, the lines demarcating what is considered acceptable content to view at work or on work computers are blurred. But Stanton admits, "There's no shortage of stupidity anywhere in our country."

True, there are employees running escort services from their desks, but that's still pretty rare, experts say. Even vendors admit it, although they do love to spill details about the most outlandish abuses. One company even conducts a yearly contest and awards prizes for the best stories.

At one company, for example, an employee tried to get into a porn site 72 times in one day. At another, an employee was on a porn site eight hours a day. He was caught not just looking at porn, but actually running a call girl service from his desk.

A Monitoring Tool Primer
The term monitoring is synonymous with surveillance and can be categorized as URL filtering (or blocking) and Web site reporting (or monitoring). Here is a rundown on the differences between the two forms of surveillance as well as the primary vendors offering these tools, the price range, and what's next for midmarket companies in terms of monitoring.

URL filtering, or blocking. Most tools block access to a list of predefined sites or categories of sites. Want to block sports sites? Check. Porn sites? Check. Shopping sites? Check. Vendors, not CIO customers, manage updates and cull thousands of sites routinely. Any updating is transparent to customers. Customers generally have the flexibility to make exceptions to specific sites. While some sites are universally acknowledged as inappropriate and can be categorically blocked, thousands of others fall into a nebulous middle ground, such as sites that can be used for legitimate purposes at work but can also be abused, such as eBay and other shopping sites.

Web usage monitoring.Companies, which may or may not block Web sites, can monitor what sites employees go to, how long they stay and how much bandwidth they consume. More sophisticated tools allow employers to get information on what the employee viewed while accessing the Web site and determine whether that content was forwarded.

IT managers can quickly identify misuse, overuse and intent as users explore the Web. Monitoring also uncovers stealth methods to bypass filters, such as the use of on-the-fly Internet proxies, and helps organizations ensure they have closed all the gaps.

Sample vendors. Blue Coat Systems, 8e6 Technologies, Secure Computing Corp., St. Bernard Software, SurfControl, Trend Micro Inc., WebSense Inc.

Pricing. The price tag for such tools ranges from about $6.50 to more than $12 per seat per year, according to a Gartner pricing comparison for a 5,000-seat, single-year contract. Appliance vendors charge separately for their devices, and pricing varies based on the scale of the appliance and its ability to support multiple functions.

What's next. Email content monitoring and filtering for outgoing and incoming email. Driven by regulatory compliance, this is the least common practice among midmarket organizations, but it is being adopted rapidly.

-- K.E.C.

"This is the underbelly of what monitoring tools let us do: see the vices that people are satisfying at work," says Myer. "In the early days of this business, on a typical sales call we'd hear people say, 'Our people aren't like that.'"

Yet while some people clearly are "like that," monitoring tools alone don't tell the whole story. Tony Bisulca can attest to that. His supremacy-seeking employee was in fact no racist, but a part-time college student researching his thesis. Bisulca called the employee immediately after learning about the worker's Web site activity and asked for an explanation. Otherwise, "I would have been shocked," says Bisulca. The employee had been on his computer after hours but was still connected to the company's VPN, which blocked him from accessing the site. According to Bisulca, as soon as he realized he was still on the VPN, the employee logged off and finished his research. There was no need for a reprimand or warning.

Defining the Rules

Experts consider Bisulca's mix of blocking and monitoring "moderate": It's more than the minimum, but not a completely locked-down environment. Bisulca, a senior security analyst at San José, Calif.-based BEA Systems Inc., a $1.3-billion software company that builds middleware products for back-end communications, blocks only the "sinful six": pornography, gambling and hate Web sites, as well as sites whose content involves illegal activities, "tasteless material" and violent content.

"We thought we'd give different access for different jobs," says Bisulca, "But legal said, 'No. It's either all or nothing.'"

What David Lewis does at his company is considered "zealous" (although he takes issue with that classification). His front-line employees are blocked from most Web sites. Unless the site is required for work, it's blocked. No shopping, no banking, no travel planning.

"I guess I considered it a no-brainer," says Lewis, who is CIO at Deseret Mutual Benefit Administrators, a $200-million insurance firm serving the needs of members of the Church of Jesus Christ Latter-Day Saints. "That's where we've been for years. I don't believe that Internet access at work is a right."

Lewis began blocking after his network manager recommended it for productivity as well as security reasons. The company uses a filtering product from San Diego-based St. Bernard Software.

Lewis has two categories of users: those who get full access and those with limited access. Full-access users -- often those who need to do research -- have free range on the Internet except for sites falling into the sinful six categories. Those with more limited access include front-line employees who don't need the Internet to do their jobs.

Lewis also monitors on an as-needed basis. If a manager suspects an employee is overusing the Internet or that there's a bandwidth issue, Lewis "goes in and looks at reports and sees where they've been." But it's not a regular practice given how much is already blocked.

"You can't monitor someone for going to someplace that they can't get to," quips Lewis.

Despite Deseret's restrictive policy, Lewis has made an accommodation for personal Internet use by installing terminals for that purpose in the lunchroom. Lewis' operations network manager came up with the idea for this setup; he suggested kiosks as a break-time benefit where employees could take care of personal business. Although Lewis still blocks the sinful six, employees have access to shopping, banking, travel and sports sites. Deseret doesn't monitor usage on these computers. There's a standard login. When an employee finishes, the entire computer is refreshed. There is no limit on the time employees can spend online -- as long as they're on break time.

"There are people at them every time I go down to the lunchroom," says Lewis.

Lewis knows that people might say he's being "draconian" but counters, "Why would you let employees go anywhere and then fire them if they went to [an inappropriate site]? Why give them the temptation?"

Monro Muffler Brake Inc. also has a strict policy. The $400-million brake and muffler company, based in Rochester, N.Y., has about 700 company-owned stores in 17 states. Its filtering software blocks the usual inappropriate sites like porn, but also sports and shopping sites, which are inaccessible between 9 a.m. and 5 p.m. to most of its office employees.

"We set a rule that sites will be blocked, but [are] accessible after 5 p.m. If they do want to do fantasy football, they can do it after work hours," says John Appleman, the company's IT director.

Appleman blocked fantasy football and other sports and gambling sites because he "thought it would be a time waster." As it turns out, he was right. After the company deployed filtering software from Sunnyvale, Calif.-based SonicWall Inc., some employees complained that the blocking was too severe. But after a bit of investigation, Appleman was seeing "a lot of attempts to get into those [sports and gambling] sites." They didn't really have much of an argument, he says. They shouldn't have been going there in the first place.

Monro Muffler already had a computer policy in place that indicated that the company monitored Internet usage. But it made no formal announcement when it started blocking websites. "When they're blocked, they get reminded," he says. Monro Muffler has customized a Web page that comes up when a user goes to a blocked site to say, "If you have questions about accessing a site, contact the help desk."

E-Policy is Prevalent
Concern over litigation and the growing role of electronic evidence in legal investigations means that more employers are implementing electronic technology policies. Among companies surveyed:

84% have policies governing personal email use.

81% have policies for personal Internet use.

42% have policies for personal instant messenger use.

34% have policies for use of personal Web sites on company time.

23% have policies for personal postings on corporate blogs.

20% have policies for use of personal blogs on company time.

n=526; source: "The 2005 Electronic Monitoring & Surveillance Survey," the American Management Association

The Need for Flexibility

While tight controls seem to work at Deseret and Monro Muffler, they aren't for every company. Strict blocking can create a backlash at companies with highly skilled or hard-to-find employees. "Let's face it," says Manny Avramidis, senior vice president for global human resources at AMA, "at some companies, Internet surfing is a perk."

"If an employer is going to draw absolute lines, you run the risk of the employee saying, 'If I can't check my travel site at eight in the morning when I'm having my coffee, then I'll come in at nine, take my lunch breaks and leave at five.' In a tough market, . . . employers have to know when to bend."

Organizations typically choose categories of sites to block; the software filtering vendor determines and updates the list of sites that fall into those categories. Besides the sinful six, categories include those that detract from worker productivity or pose security risks, such as shopping or auction sites.

Yet depending on what your business is, categorically blocking sites can be problematic. Take sites with information on breast feeding, for example, which often fall into the sinful six, because their content or URLs contain the word "breast." But at a hospital, having access to a site that mentions breasts or other anatomical parts is, for obvious reasons, absolutely necessary.

At Potomac Hospital, Tony Davis ran into this problem when he deployed eTelemetry Inc.'s software that blocks the sinful six. The manager of network systems had to turn certain sites back on so they wouldn't be blocked. "Maternal health is the exception in the firewall," he says.

Davis' decision on what sites to block was "based on the needs of the network and the hospital." The nonprofit community hospital serves three counties in Virginia with 153 patient beds; its network supports 1,200 users in a multibuilding campus environment.

Some sites are clearly off limits, but that doesn't stop particularly zealous users from doing their best to convince him otherwise. But he doesn't get many comments, because it's hard to complain about not having access to something that isn't business related.

Davis laughs, "What are they going to say, 'Hey, I can't monkey around at work'?"

Reasons for Monitoring

While blocking may be more common than monitoring among midmarket firms, CIOs are likely to monitor first, then determine if there's justification to block. "They say, 'Gee, people are doing things we didn't anticipate,'" says Myer. "If all you do is block and you don't monitor, what you're assuming is that the categorization is accurate for all your traffic. You're assuming that every gambling site is in the gambling category. For example, [users will] do a search for gambling sites, and they'll find one that's not blocked. If you're not monitoring, you don't know that they found one that's not blocked."

Before deploying a filtering product, BEA's Bisulca says he monitored about 13,000 people for some three months to determine the type of traffic on the network. Then he passed the data over to the CIO, the head of human resources and legal departments.

They were "shocked" by some of the content, says Bisulca. "We wanted them to have a level of awareness. We actually just showed them the data, the types of sites that people were going to and the amount of time." Then it was a group decision to implement blocking.

"I would say there were 5% of the people that were going to sites that were completely unacceptable, and 20% were going to sites that were questionable," he says.

Yet while monitoring can help find bandwidth hogs and determine Web site abusers, some IT executives get prickly at the suggestion that they're "monitoring" employees.

On the western slope of the Rockies, an hour's drive from Aspen and Vale, is the city of Glenwood Springs. A few miles from the municipal offices is the city's community center, which houses a public Internet "lab": a bank of Internet-ready computers available to anyone, including the 30,000-plus tourists who pass through town yearly on their way to a holiday mountain retreat.

The city's IS group monitors website usage at both the city offices and the public Internet. To do so, Bruce Munroe, the city's director of information systems, uses tools from 8e6 Technologies, including a dedicated server loaded with both monitoring and filtering software.

"It was easy for me to decide what to block," he says. "I knew what sites posed threats. It was a natural to go ahead and install against spyware and porn sites." But Munroe is quick to note -- and adamant -- that this isn't about employee monitoring. "Our primary objective was stopping malware," he explains.

Not only was the city losing valuable time to employees browsing the Web during work hours, but the task of repairing computers due to spyware and malware attacks was overtaking the IT department.

"We really don't want to monitor our users. It makes interesting copy, but it's not the problem," he says. "It's about stopping crap from coming into your system. These people [who write malware] are getting smarter. They can take down the organization. That's the new frontier."

Tony Bisulca agrees. "We've actually seen a reduction in viruses and worms" since deploying filtering tools. In October 2005, Bisulca's company began using a filtering product from 8e6 Technologies and a content monitoring product from Mountain View, Calif.-based Reconnex Inc. "We've also seen a reduction in the number of hits to Web sites that are offensive," Bisulca says.

"Generally speaking, my goal is not to monitor but to be able to provide the bandwidth to do our jobs. Everything else is incidental," says Davis of Potomac Hospital. He uses eTelemetry's monitoring tool, which he refers to as a bandwidth detector tool. "We block anything that's offensive. I like that better than reporting. This is a small hospital, and we know everyone, and you don't want to run down and report people. It's best to prevent it in the first place."

Like Bisulca, Davis receives daily reports that tell him what happened on the network the previous night. And every morning, he scans the reports, hoping he doesn't see any abnormal traffic or bandwidth behavior. But if he does see a problem, he can track down the user in a minute; with the manual method he used previously, it took him 45 minutes to identify the user.

"In one case, someone was trying to download movies, and I could see, in real time, that it was causing real bandwidth issues," says Davis. "By the time I would have traced it [with the old product], they may have been off of the line."

In the case of the movie-downloading user, Davis called the guy and told him to knock it off.

Yet most of the time, when it comes to confronting people who are misusing the Internet, CIOs leave that job to the hiring manager, human resources or the legal department -- or even the police.

While in the middle of testing his new blocking and monitoring system, Glenwood Springs' Munroe helped nab a suspected pedophile who was using the public Internet lab. An off-duty police officer who was at the community center using the gym equipment happened to glance over toward the computers and saw that a man was looking at adult porn. Through a remote-view feature, Munroe was able to capture the image that was being viewed. The police officer confronted the perpetrator.

While Munroe is glad the guy is off the street and out of his community center, catching pedophiles wasn't -- and still isn't -- his objective. CIOs don't want to be the Internet traffic cop.

"It's not IT's responsibility," says Deseret's Lewis. "Nor does anyone want it to be IT's responsibility. I'm comfortable that we block the material."

Kate Evans-Correia was executive editor of SearchCIO.com and SearchCIO-Midmarket.com. To comment on this story, email searchcio-midmarket.com.

Dig Deeper on CIO strategy

Cloud Computing
Mobile Computing
Data Center
Sustainability
and ESG
Close