Dealing with staff Internet abuse

With misuse of the Net costing business £2.5m a year, firms have to act. Paul Grant considers the options

With misuse of the Net costing business £2.5m a year, firms have to act. Paul Grant considers the options

Proliferation of e-mail and the vast amount of information held on the Web has made these services a vital part of communication and information gathering for today's employees. But with such unprecedented access to information and communication comes a responsibility to use it in a way that benefits the organisation. Failure to do so costs UK businesses millions of pounds a year, according to the Chartered Institute of Personnel Development (CIPD).

A recent CIPD report found that UK companies are losing up to £2.5m each year due to non-work-related surfing. It also discovered that about 84% of employees in the UK have unlimited access to the Internet and e-mail.

Another report, from Unipalm, showed that during the 10-week run of the hugely popular Big Brother game show, UK businesses were losing £1.4m every week as employees tried to access the live-action Webcams from their workplaces.

Examples of extreme Internet abuse tend to be well documented and the legal and commercial dangers are well understood. Recent victims include Deutsche Bank and Merrill Lynch, while at Orange 45 staff were sacked for viewing pornography on the Internet at work. Such activity can result in legal action being taken from other staff or people outside the company on the grounds of sexual harassment, an area that is very damaging for any firm both financially and in terms of its reputation.

However, the issue of more general abuse - or misuse - still has to be tackled effectively. If the CIPD and Unipalm figures are to be taken at face value, UKbusinesses face a serious problem. And firms are leaving themselves open to huge liabilities, both legally and commercially.

As often happens, though, where technology creates a problem it also tries to provide the answer. Almost as soon as the issue of Internet misuse at work came along, so did tools to tackle the issue.

Many of the original Internet access control systems were developed from packages that were used to restrict children using PCs at home. While they served their purpose in blocking entry to inappropriate Web sites or unsuitable e-mails, they proved difficult to implement and administer, often preventing employees gaining access to legitimate Web sites.

As a result, technology has been developed that enables greater administration capabilities to be incorporated into applications. Thus different levels of protection can be implemented for different employees.

IDC analyst Christian Christiansen cites the advantages of policy management. "IT managers can select the various types of sites to be blocked, the time and hours by which different sites may be accessed, monitoring and reporting of actual and attempted site visits, and can customise these functions for the corporation, workgroups and individual employees."

Content Technologies, manufacturer of the Mimesweeper content security product, is a strong proponent of the policy management approach. It recommends establishing an e-mail and Internet usage policy that clarifies what the organisation considers to be acceptable and unacceptable uses of that system, including personal usage, in agreement with employees. This avoids the situation where there is a complete ban on certain URLs.

Mimesweeper is fairly representative of the early methods of controlling employee access to content, although the product itself has obviously advanced from those early days. The package comprises a suite of products that all have specific functions to perform within the network. Mailsweeper offers virus and document confidentiality protection, Pornsweeper intercepts dubious adult material, and Websweeper also provides first-line protection against dubious material coming from the Internet.

Although products such as this do provide some degree of management capability - Websweeper, for instance, offers customer-definable auditing and reporting - for true management capabilities firms must look to a new breed of products.

Websense Enterprise allows administrators to monitor, report and manage traffic from the network to the Internet. The product actually bolts on to the likes of Mimesweeper to allow greater management within these environments. It works by accessing a master database that contains about 1.5 million sites that are sectioned off into areas such as gambling, pornography and shopping. IT administrators can then select which sites to block and which ones to allow access to on an individual, group or time basis.

The increasing number of online issues that companies have to take account of could stretch policy management to the limit.

The Human Rights Act, which came into force on 2 October, has implications for how companies control employees' use of technology at work. Article 8 of the Act states, "Everyone has the right to respect for his private and family life, his home and his correspondence." The term "correspondence" is deemed to include e-mail, so employers that intercept personal e-mail, even if it is coming through the company network, could be breaking the law - despite the fact that the RIP Act permits it.

Installing advanced Internet control tools on the network is an effective measure, but the CIPD report Internet Use and Abuse at Work highlights the fact that any implementation needs to be tightly integrated with company policy.

Author of the report Clare Hogg says, "If employers don't review their policies, they could find themselves liable for anything from sexual harassment claims to being in breach of copyright laws. A survey in 1999 found that 50% of workers were using the Web to visit 'adult' sites. Clearly having such a policy is vital."

Meanwhile, an emerging and alternative approach to Internet control promises to take the sweat out of implementing complex integrated policy management products. Content aggregator Mediapps is advocating that all relevant Web information is delivered directly to each employee, enhancing a worker's productivity without them having to venture onto the Net. In essence, each individual would have their own specific information portal.

Ian Wells, managing director of Mediapps, says, "If a typical company employee, earning £18,000 per year, views six known Web pages per day, for five minutes each, they will waste an average of 96 hours a year logging onto the Web pages alone. This amounts to a cost to the company of over £1,000 per employee per year."

Mediapps' view is that Internet misuse not only includes visiting sites that are purely for personal use, but also those that do not contain the business information that users are seeking. The proliferation of the Internet has meant that an estimated two million new Web pages appear every day, making it difficult for employees to locate the exact information they need.

In terms of enhancing users' Internet experience and, therefore, the productivity gained from it, Mediapps' Net.Portal is the next step in controlling Internet misuse at work. A portal generator, it allows the administrator to create an interface that adapts to the user profile. It uses profiling technology to decide what the user needs from their Internet experience and has predefined external information sources to deliver what is required.

As long as the profile is accurate it could save surfers a great deal of time on the Web and, if used in conjunction with other content management programs, could remove the need for users to actively search for anything externally.

This is also the way that IDC analysts see the market heading. "Proactive support for users is presented to users as a knowledge portal or, in Microsoft's view, a 'digital dashboard', by which individual, workgroup and corporate-wide Web access will be optimised," explains Christiansen. "On the back-end, this capability is supported by various knowledge management, search engine and other tools that will deliver the desired information to corporate users."

However, it is worth noting that there is a downside to restricting employees to work-related Internet and e-mail usage. A report by the International Labour Organisation predicted that cases of depression and stress in the workplace will increase dramatically over the next few years as technology developments raise employees workloads. If this is to be the case, then letting workers have a certain amount of time to deal with personal communication and look at sites of personal interest may help to alleviate some of that stress.

The next generation of individual content aggregation portals may well include some personal information for the user to digest in that increasingly rare "spare moment".

Andy Meyer, vice-president of marketing at Internet management company Websense, says, "Companies need to be aware that employee Web abuse goes beyond the obvious, such as online porn, gambling and hate sites. But, at the same time, they don't need to take hard-line stances. Many of our customers have adopted a flexible, filtering solution, allowing for some personal surfing during work hours."

However, to put the problem into perspective, while CIPD estimates that surfing the Internet costs UK business £2.5m a year, the habit pales next to the £3.3bn figure that the institute has calculated alcohol abuse costs companies. Perhaps PCs with built in breathalysers are the way forward?


Business losses

UK companies are losing up to £2.5m each year due to non-work related surfing. About 84% of employees in the UK have unlimited access to the Internet and e-mail.

Source: CIPD


Big Brother

The Big Brother Channel 4 TV programme Web site was visited by between 100,000 and 150,000 unique users every day, peaking during the eviction of contestant "Nasty" Nick Bateman. Each user spent an average of 15 minutes on the site costing £2.91 each for the video stream.

Source: Office of National Statistics




Read more on IT risk management