Every morning a report lands on Tony Bisulca's desk with information he needs but wishes he didn't have to know. As he takes a sip of Earl Grey tea, he opens the multipage document full of networking traffic stats from the previous day. He knows who the top bandwidth users were, the top surfers and chatters, where they went and when, what they downloaded and how long they stayed. This particular morning, he discovers that a co-worker, who is also a friend, tried to access a white supremacy site the previous night.
Bisulca's routine underscores what is increasingly no secret: When it comes to workplace computer use, someone is watching, and it's probably the CIO.
But as furtive as employee monitoring sounds, as paranoid as employees might feel about being watched, as covert as employers might think they're being (and no matter that everyone knows someone who knows someone who got fired for surfing porn), the fact is, watching what employees do is now standard practice, even at many midmarket companies.
But that doesn't mean CIOs are entirely comfortable with it. In fact, many are finding themselves at the center of a cultural shift as they fine-tune a monitoring middle ground that suits their organizations. Where do they draw the line when it comes to determining what's blocked or who's monitored?
Today, more than three-fourths of organizations are monitoring employee Internet usage, up 27% since 2001, according to the American Management Association (AMA). Sixty-five percent use software to block connections to inappropriate Web sites, a practice called URL filtering.
Experts say that by 2010, everyone will use some combination of blocking and monitoring. Indeed, there is little reason not to. Tools (primarily software, but some appliances and hosted services) are relatively inexpensive ($10,000 a year for a company with 500 employees). It's pretty easy to sell upper management on the purchase given the risks associated with inappropriate computer use and the potential legal costs if you're sued for having a hostile working environment because someone came across a computer screen with images not fit for the workplace. And the real dirty work of confronting errant employees is (or should be) done by human resources, not the CIO.
Among companies with between $50 million and $1 billion in revenue, about half monitor employee Web use today, according to a CIO Decisions magazine survey of 394 subscribers in September 2006. That usage is largely a result of security concerns; the chief reason businesses begin monitoring is the need to block access to Web sites that spread spyware and other forms of malware, said Lawrence Orans, an analyst at Gartner Inc. in Stamford, Conn.
But monitoring tools alone don't tell the whole story. Bisulca can attest to that. His supremacy-seeking employee was in fact no racist, but a part-time college student researching his thesis. Bisulca called the employee immediately after learning about the Web site activity and asked for an explanation. Otherwise, "I would have been shocked," Bisulca said. The employee had been on his computer after hours but was still connected to the company's virtual private network (VPN), which blocked him from accessing the site. According to Bisulca, as soon as the employee realized he was still on the VPN, he logged off and finished his research. There was no need for a reprimand or warning.
Defining the rules
Experts consider Bisulca's mix of blocking and monitoring "moderate": It's more than the minimum, but not a completely locked-down environment. Bisulca, a senior security analyst at San Jose, Calif.-based BEA Systems Inc., a $1.3-billion software company that builds middleware products for back-end communications, blocks only the "sinful six": pornography, gambling and hate Web sites, as well as sites whose content involves illegal activities, "tasteless material" and violent content.
What David Lewis does at his company is considered "zealous" (although he takes issue with that classification). His front-line employees are blocked from most Web sites. Unless the site is required for work, it's blocked. No shopping, no banking, no travel planning.
"I guess I considered it a no-brainer," says Lewis, CIO at Deseret Mutual Benefit Administrators, a $200-million insurance firm serving the needs of members of The Church of Jesus Christ of Latter-day Saints. "That's where we've been for years. I don't believe that Internet access at work is a right."
Lewis has two categories of users: those who get full access and those with limited access. Full-access users -- often those who need to do research -- have free rein on the Internet except for sites falling into the sinful six categories. Those with more limited access include front-line employees who don't need the Internet to do their jobs.
Lewis also monitors on an as-needed basis. If a manager suspects an employee is overusing the Internet or that there's a bandwidth issue, Lewis "goes in and looks at reports and sees where they've been." But it's not a regular practice given how much is already blocked.
"You can't monitor someone for going to someplace that they can't get to," quips Lewis.
Lewis knows that people might say he's being draconian but counters, "Why would you let employees go anywhere and then fire them if they went to [an inappropriate site]? Why give them the temptation?"
The need for flexibility
While tight controls seem to work at Deseret, they aren't for every company. Strict blocking can create a backlash at companies with highly skilled or hard-to-find employees. "Let's face it," said Manny Avramidis, senior vice president for global human resources at AMA, "at some companies, Internet surfing is a perk."
"If an employer is going to draw absolute lines, you run the risk of the employee saying, 'If I can't check my travel site at eight in the morning when I'm having my coffee, then I'll come in at nine, take my lunch breaks and leave at five.' In a tough market, . . . employers have to know when to bend."
Organizations typically choose categories of sites to block; the software filtering vendor determines and updates the list of sites that fall into those categories. Besides the sinful six, categories include those that detract from worker productivity or pose security risks, such as shopping or auction sites.
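The two-tier policy Lewis describes (full access minus the sinful six, limited access only to work sites), the vendor-maintained category list described above, and the kind of morning report Bisulca reads can be put together in a few dozen lines. The following is an added illustration, not code from the article or from any vendor named in it; the category labels, domain names, allowlist and proxy log lines are all constructed for the example.

```python
from collections import defaultdict
# Category names follow the article's "sinful six"; the label strings are assumed.
SINFUL_SIX = {"pornography", "gambling", "hate", "illegal", "tasteless", "violence"}
# Constructed domain-to-category table standing in for the vendor's category feed.
CATEGORIES = {
    "intranet.corp.example": "business",
    "news.example": "news",
    "bank.example": "banking",
    "travel.example": "travel",
    "casino.example": "gambling",
    "hate.example": "hate",
}
# Constructed allowlist for "limited" users who need only work-related sites.
WORK_ALLOWLIST = {"intranet.corp.example", "news.example"}

def decide(tier, domain):
    """Everyone loses the sinful six; full-access users get the rest; limited users get the allowlist."""
    category = CATEGORIES.get(domain, "uncategorized")
    if category in SINFUL_SIX:
        return "block"
    if tier == "full":
        return "allow"
    return "allow" if domain in WORK_ALLOWLIST else "block"

# Constructed proxy log: timestamp user domain bytes_transferred seconds_on_site
PROXY_LOG = """\
2006-09-11T08:02:10 alice news.example 120000 45
2006-09-11T08:10:00 alice travel.example 350000 600
2006-09-11T09:15:00 bob casino.example 0 0
2006-09-11T12:30:00 bob intranet.corp.example 8000 120
2006-09-11T13:00:00 carol bank.example 0 0
2006-09-11T22:40:00 carol hate.example 0 0
"""
TIERS = {"alice": "full", "bob": "limited", "carol": "limited"}

def daily_report(log_text, tiers):
    """Summarise a day's traffic like the morning report: bytes per user, time per site, blocked attempts."""
    bytes_by_user = defaultdict(int)
    seconds_by_user_site = defaultdict(int)
    blocked = []
    for line in log_text.splitlines():
        ts, user, domain, nbytes, secs = line.split()
        if decide(tiers.get(user, "limited"), domain) == "block":
            blocked.append((ts, user, domain, CATEGORIES.get(domain, "uncategorized")))
            continue  # a blocked request moves no bytes and counts no time
        bytes_by_user[user] += int(nbytes)
        seconds_by_user_site[(user, domain)] += int(secs)
    top = sorted(bytes_by_user.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"top_bandwidth": top, "time_on_site": dict(seconds_by_user_site), "blocked": blocked}
```

The after-hours hate-site entry in the constructed log shows up in the report only as a blocked attempt with its category, which is all the tool can tell you; as the story about the student researching his thesis shows, the explanation still has to come from a conversation with the person.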
Before deploying a filtering product, BEA's Bisulca said he monitored about 13,000 people for some three months to determine the type of traffic on the network. Then he passed the data over to the CIO, the head of human resources and legal departments.
They were "shocked" by some of the content, Bisulca said. "We wanted them to have a level of awareness. We actually just showed them the data, the types of sites that people were going to and the amount of time." Then it was a group decision to implement blocking.
"I would say there were 5% of the people that were going to sites that were completely unacceptable, and 20% were going to sites that were questionable," he said.
Yet while monitoring can help find bandwidth hogs and determine Web site abusers, some IT executives get prickly at the suggestion that they're "monitoring" employees.
The city of Glenwood Springs' IS group monitors Web site usage both at the city offices and in the public Internet lab.
"It was easy for me to decide what to block," said Bruce Munroe, the city's director of information systems. "I knew what sites posed threats. It was a natural to go ahead and install against spyware and porn sites."
But Munroe is quick to note -- and adamant -- that this isn't about employee monitoring. "Our primary objective was stopping malware," he explained.
Not only was the city losing valuable time to employees browsing the Web during work hours, but the task of repairing computers due to spyware and malware attacks was also overtaking the IT department.
"We really don't want to monitor our users. It makes interesting copy, but it's not the problem," he said. "It's about stopping crap from coming into your system. These people [who write malware] are getting smarter. They can take down the organization. That's the new frontier."
Bisulca agreed. "We've actually seen a reduction in viruses and worms" since deploying filtering tools.
When it comes to confronting people who are misusing the Internet, CIOs leave that job to the hiring manager, human resources or the legal department -- or even the police.
While in the middle of testing his new blocking and monitoring system, Munroe helped nab a suspected pedophile who was using the public Internet lab. An off-duty police officer who was at the community center using the gym equipment happened to glance over toward the computers and saw a man looking at adult porn. Through a remote-view feature, Munroe was able to capture the image being viewed. The police officer confronted the perpetrator.
While Munroe is glad the guy is off the street and out of his community center, catching pedophiles wasn't -- and still isn't -- his objective. CIOs don't want to be the Internet traffic cop, he said.
Let us know what you think about the story; email: Kate Evans-Correia, News Director