Sensible Surfing

IS THE INTERNET STARTING to feel like the worldwide resource drain? That’s how it seemed for the city of Topeka, Kan., when too many of its 1,200 wired employees began streaming music from Web sites while they worked.

This seemingly benign activity gobbled up enough network bandwidth to slow access to work applications. When the city installed Internet filtering software to block access to music sites, its Internet usage dropped by 50 percent.

“We got a lot of complaints from people who said they were just listening to classical music,” recalls Steve Tallen, director of information technology. “We had to say that’s not what this technology is for. When we asked people if they wanted to pay for more bandwidth, the complaints went away pretty quickly.”

Reining in IT resource drains is just one reason why state and local agencies block access to some Web sites. Filters have become a key tool in the larger effort to protect agencies from hackers and Internet-borne viruses, while also increasing employee productivity and reducing risks of workplace liability claims.

Delaware decided Web filters were “the right thing to do,” according to Elayne Starkey, chief technology officer in the state’s department of technology and information, in Dover. Filters “protect our networks and the huge investment the state has made in the computer infrastructure,” she says.

Regardless of motivation, agencies often can’t avoid pushback from staffers who complain about Big Brother surveillance. Fortunately, best practices for devising and implementing acceptable-use policies are maturing, along with the technologies that make the Internet a safer place.

PRUDENT PROTECTION

According to the 2005 Electronic Monitoring and Surveillance Survey, cosponsored by the American Management Association in New York and the ePolicy Institute in Columbus, Ohio, 65 percent of organizations that participated in the survey use software to block connections to certain Web sites — a 27 percent jump from 2001. Companies monitor computer use in other ways, too: Thirty-six percent of employers in the survey said they track content keystrokes and time spent at the keyboard. In addition, 26 percent of respondents said they have terminated employees for misusing the Internet.

At the core of filtering software is a custom database of Internet URLs of Web sites deemed acceptable or undesirable by the organization. The master list includes addresses compiled and updated by the program’s vendor, as well as sites specified by the organizations using the software.

The cost associated with filtering software at large organizations averages about $5 per user per year, according to Peter Firstbrook, research director for Gartner, a technology research firm in Stamford, Conn. Additional administrative overhead to maintain the systems, hone usage policies and manage the data being collected boost the annual cost to about $10 per user, he adds.

Blocked sites typically include those that publish sexual, violent or hate-oriented content, and those known to be sources of viruses and adware programs.

Workplace liability is another concern. “When a workplace lawsuit is filed, whether it’s for sexual harassment or racial discrimination, computer forensic investigators will look at the history of Internet surfing,” explains Nancy Flynn, executive director of ePolicy. “It’s the electronic equivalent of DNA evidence.”

Employers may be able to avoid liability for an employee’s illegal behavior if the organization demonstrates due diligence in enforcing adequate Internet usage policies and using technology to filter inappropriate material. Topeka, for example, blocks access to pornographic and gambling sites, along with music destinations. It also blacklisted certain Webmail sites because of their high risk as virus distributors.

In Delaware, Starkey’s department logs every employee’s Internet activities into a central database. A manager can request IT to pull an Internet activity report from the log if a performance problem emerges with an individual.

Topeka takes a similar tack. “We don’t look at individuals per se,” says Tallen, “but if a department head has a productivity problem, we can see exactly what that employee has been doing on the Internet.”

TECHNOLOGY CHOICES

Filtering technology comes in two broad categories: standalone software that is installed on a local area network (LAN) server or software that’s bundled within a filtering “appliance,” a special server dedicated to the task.

Delaware installed an appliance because that made it easier to modify and update URL lists. “We found them to be a bit more flexible,” Starkey says. “As soon as you start filtering, you find you’ve blocked sites users believe shouldn’t be blocked, or the opposite happens. We get eight to 10 e-mails a day with requests” to make adjustments. Appliances give Starkey’s staff an efficient way to update the master list centrally.

When choosing an alternative, buyers should evaluate the software’s reporting capabilities. “The number-one complaint we hear is that managers can’t get the reports they need from their filtering software,” Gartner’s Firstbrook says. When built-in reporting capabilities are inadequate, organizations often must export usage data to a separate database and use a commercial reporting program, which adds more technology and expense.

COMMUNICATION IS KEY

Successful Web filtering isn’t just about technology. Agencies also must devise workable acceptable-use policies and ensure that employees recognize their importance.

When policy problems crop up, it’s often because the guidelines are too vague. The rules must be comprehensive, addressing everything from problem content to specific time limits for personal surfing to the use of new communication tools, such as blogging and sending text messages and photos via cell phones. Make sure employees understand that all the organization’s formal policies on harassment, discrimination, ethics and conduct apply whenever they’re using any electronic tools, ePolicy’s Flynn says.

A combination of IT, human resources, the legal staff and department heads should devise usage policies. When problems occur, it should be up to HR and direct managers to confront employees — not IT.

Each year, Delaware requires agency heads to verify that their employees have signed an acknowledgment that they’ve read the state’s acceptable-use policy. To augment this, Starkey is trying an unusual way of spreading the word: The state is rolling out the “latrine poster campaign.” It will place in restrooms posters that highlight specific Internet policies and the reasons why they’re important.

“A peer tried to put posters in conference rooms and other traditional places, but didn’t get a lot of mileage out of them,” Starkey explains. “When the posters were moved into the restrooms, people finally noticed them.”