SecureComputing Smart Filter
This white paper examines the potential legal, security, and human resource problems associated with employee Internet access. Also examined are various approaches to the potential problems associated with employee Internet access including Internet use policies, filtering software, and monitoring software.
The IT and Communications Company is a SecureComputing partner. This white paper highlights best practices for monitoring and filtering Internet access in the workplace. Also of interest may be additional materials from SecureComputing:
- Best Practices for Monitoring and Filtering Internet Access in the Workplace (this document in PDF format)
- Protecting HTTP Traffic: Why Web Filtering Should be Your First Line of Defense (PDF)
- SmartFilter and SafeWord Solutions for Cisco (PDF)
Why Should Employers Be Concerned about Employee Internet Use?
Limiting Potential Liability
Corporate email and the Internet are powerful tools for business, but if use is not managed correctly, inappropriate, offensive and illegal content—as well as malware—may be just one click away. According to a survey from the American Management Association, 26 percent of employers have fired workers for misusing the Internet, and 25 percent have terminated employees for misusing email.
Clearly, usage of the Internet by almost every member of the organization has become essential, and it is in the best interest of the enterprise to encourage its use. But at the same time, organizations that ignore the potential for liability created by workplace Internet abuse can pay a steep price. In August 2003, the Minneapolis Public Library paid $435,000 to settle a sexual harassment claim filed by 12 librarians who said that patrons accessing sexually explicit material had created a hostile work environment. There is even a possibility that a company could be held liable for workers’ exposure to pornographic spam if adequate spam filtering technology has not been implemented.
Another potential source of employer liability is copyright infringement. The liability concerns associated with file-sharing programs in the workplace are not hypothetical.
The Recording Industry Association of America (RIAA) has long held a policy against illegal downloading of music on the Internet. The RIAA and the Motion Picture Association of America (MPAA) recently sent a letter to all of the FORTUNE 1000 companies warning of “injunctions, damages, costs and possible criminal sanctions” for trading illegal files. The RIAA has already pursued legal action against an Arizona company, winning a $1 million settlement after employees were found to have downloaded thousands of music files on company computers. The RIAA has taken the policy down to the individual level, winning hundreds of judgments against individuals for downloading music on the Internet illegally. In January 2006, the RIAA continued its strategy with a new round of infringement lawsuits against 750 individuals who shared music through unauthorized P2P services. If those individuals download music illegally on a company computer, the employer may also be exposed to liability.
The perils of Internet misuse in the workplace are not limited to these risks, however. Inappropriate Web sites are notorious for hosting spyware, viruses, Trojans, and other types of malware. There is a very real threat of infection from a drive-by download, and at the same time, a risk of data leakage that results from a Trojan implanting itself for the purpose of stealing data.
The Cost of Cybercrime and Other Attacks
Prevention of cybercrime and other types of attacks requires a multi-layered strategy, simply because there are so many different types of attack vectors. But Internet monitoring and filtering can prevent many types of attacks, by spotting unusual activity, and preventing access to Web sites that may serve as a launching pad for attacks. The costs involved in implementing a strong, multi-layered security architecture are small when compared with the potential for loss.
The 2006 CSI/FBI Computer Crime and Security Survey showed that losses are on the increase as attacks become more focused and targeted. The survey reported total losses of over $52 million for the year across 313 respondents, an average of $167,713 per respondent. The top categories of attack were, in order: virus contamination, unauthorized access to information, laptop or mobile hardware theft, theft of proprietary information, denial of service, financial fraud, and insider abuse of Internet access or email.
To further underscore the importance of monitoring internal use of the Internet, the report showed that 39 percent of respondents said that more than 20 percent of their losses could be attributed to insiders.
In addition to lost revenues from downed networks, fines, penalties, and possible legal liabilities, there is the matter of cleaning up after the attack has taken place. According to a study by Forrester Research, malware cleanup costs are running between $15 and $30 per user, per year. Forty-six percent of the companies surveyed reported that they spent more than $25,000 in the last fiscal year for malware cleanup exclusively.
Productivity
In addition to expensive liability, inappropriate use of the Internet in the workplace can also cost employers in terms of lost productivity. A 2005 study conducted by AOL and Salary.com showed that personal Web surfing is the largest time-wasting activity.
Employee termination may solve the problem, at least temporarily, but that may cause other problems, as terminated employees challenge the defensibility of the termination. Even without a lawsuit, the expense involved in termination, hiring and training replacements is immense. Yet, it is often seen as a necessary step.
Spam is another notorious time-waster, and while in this case insiders are usually not to blame, filtering solutions will nonetheless prove useful in limiting the damage spam can do. Besides direct spam-filtering technologies applied to email, Web filtering will also indirectly diminish the impact of any spam that does get through. By prohibiting access to certain categories of Web sites, the IT manager can greatly reduce the likelihood of spyware downloads, which may harvest email addresses and other data, and can cut off access to the Web sites advertised in spam emails, which frequently host viruses and other forms of malware. Spyware is often downloaded unwittingly when employees surf onto a spyware-carrying Web site. Although it is possible for any site to carry spyware, certain categories of sites are more likely than others to carry it; the best URL filters include a category specifically for preventing access to known spyware sites.
Why Should IT Be Concerned about Employee Misuse of the Internet?
Managing Internal Internet Usage Is Good Security Policy
A large share of network security problems originate inside the organization. As noted above, the 2006 CSI/FBI study showed that 39 percent of respondents attributed more than 20 percent of their losses to insiders.
Disgruntled employees have easy access to many hacker Web sites containing hacking tips and tools, which can be used to cause serious damage to company resources. A 2006 report from the Carnegie Mellon Software Engineering Institute offers several observations regarding internal attacks of sabotage or espionage, noting that technical actions taken by insider attackers could have alerted the organization to their intent to cause harm. However, a lack of access controls often facilitates IT sabotage and espionage, and in many cases organizations either ignore rule violations or fail to take the steps needed to detect them.
Employee misuse of the Internet is not always malicious, however. Regulation of internal use through monitoring and filtering will prevent unintended consequences that frequently occur. For example, an employee may innocently download a Trojan in the form of an apparently useful desktop utility, and unintentionally introduce spyware into the network. By the same token, in a company that has no policy against access to peer-to-peer file sharing networks, an employee may believe themselves to be downloading nothing more than their favorite pop song—but there could be (and often is) a far more dangerous payload riding piggyback on that tune.
Malware Propagation through File-Sharing Programs
The widespread use of file-sharing peer-to-peer programs has serious implications for IT managers. Besides the fact that the files shared through these programs are often infected with viruses or other malware, file-sharing applications are often used to trade copyrighted materials as previously discussed, and can lead to expensive liability for companies, as well as create security problems by opening up employee hard drives to outsiders.
Risks of P2P software systems are outlined in a special staff report prepared by the United States House of Representatives Committee on Government Reform, which noted three major risks. Besides the introduction of spyware and adware, and the possibility of spreading viruses and other malicious files, users of these file-sharing programs also may inadvertently make personal, sensitive information available to others. The committee investigators discovered file-sharing programs could be used to obtain tax records, medical records, attorney-client communications, and personal correspondence. One P2P network in particular revealed 2,500 Microsoft Money backup files available for public download, containing the users’ personal financial records.
Another problem is “malware”, short for malicious software: unwanted programs designed to disrupt a computer’s operations. Adware, rogue applications, and spyware all fall into this category, and the effects of each can range from annoying to destructive. Free programs available for download on the Internet, such as “password-helper” applications, often appear on employees’ computers after they visit certain Web sites, where the software immediately offers to install itself in what some security experts call a “drive-by download”. Some innocuous-sounding “browser toolbar” programs take the drive-by download one step further and actually take control of the Internet browser in what security experts call “browser hijacking”.
Controlling the Cost of Bandwidth
Despite the increase in the number of homes wired for broadband Internet access, many users rely on their employer’s high-speed connections to download streaming media files. If employees use their employer’s high-speed connections to download Internet movies, streaming media, and MP3 files, the employer’s networks could be brought to a halt by the increased traffic and bandwidth demands. Forrester’s research shows that the extensive use of Web 2.0 applications, many of which are unauthorized, consumes a very significant percentage of organizational bandwidth. The study shows that 41 percent of respondents indicated that between 30 and 50 percent of organizational bandwidth is consumed by non-business use of Web 2.0 applications; 14 percent of respondents indicated that more than half of bandwidth is consumed by these unauthorized applications.
What the Law Has to Say about Internet Policies and Practices in the Workplace
Employers who are considering implementing or who already enforce an email or Internet policy, with or without monitoring and/or filtering software, should have a sense of the legal climate surrounding these policies and practices. We will address a few of these legal concerns in this section. There are, of course, other kinds of legal claims not addressed here that may come up in this type of litigation, including the Federal Electronic Communications Privacy Act, state wiretap laws, the Communications Decency Act, and anti-spam statutes.
Privacy in the Workplace
A common legal theory regarding electronic email and Internet usage arises out of an employee’s alleged “privacy interests”. A disgruntled employee will often argue that he or she had a reasonable expectation of privacy in his or her workplace email or Internet use, and that the employer intentionally violated this reasonable expectation of privacy by accessing or monitoring the employee’s email and/or Web traffic.
A core issue in these cases is whether an employee actually had a reasonable expectation that his or her personal email messages or Web practices were private. Rarely can this be proven. Employers have so far usually won these cases, with some exceptions.
The presence or absence of company email and Internet policies has often influenced the courts in their determination of whether an employee had a legally protectable expectation of privacy. These cases, some of which are described below, underscore the value of an employer having such a policy. In some instances, however, even the lack of a policy may not be fatal to employer access.
A proposed California state law, SB 1841, would have required California companies to give notice to employees if email or Internet use is being monitored. Governor Schwarzenegger vetoed it in 2004, a decision that strengthened the prerogative of employers to monitor employee activities. It could be argued, then, that an employer has the implicit right to do so even without notification.
In the case of Restuccia v. Burk Technology, the employer had an email policy prohibiting excessive chatting, but the policy said nothing about whether employee messages (personal or company-related) were subject to employer oversight. The employees were apparently not told that supervisors had access to their systems, and a company official read a number of employee emails over the weekend. Because the policy was silent on this point, the court found that there was a genuine question as to whether the employees had a reasonable expectation of privacy in their email messages under the Massachusetts privacy act. Accordingly, their privacy claim went forward to trial, but the employer eventually prevailed.
On the other hand, courts are more likely to reject employees’ privacy claims where employers have clear, disseminated email and Internet policies. In Bourke v. Nissan Motor Corp., the court found that employees had no reasonable expectation of privacy where the employees were aware of and, indeed, had signed a waiver acknowledging the company policy restricting use of email to business purposes.
In another employer-friendly ruling in 1996, the Eastern District of Pennsylvania held that even if a company did not have an email policy, employees still would not have had a reasonable expectation of privacy in their work email. Specifically, that Court stated:
“Once [the employee] communicated the alleged unprofessional comments to a second person… over an email system which was apparently utilized by the entire company, any reasonable expectation of privacy was lost. Significantly, [the company] did not require [the employee], as in the case of urinalysis or personal property search to disclose any personal information about himself. Rather, [the employee] voluntarily communicated the alleged unprofessional comments over the company email system. We find no privacy interest in such communications.”
An employee’s consent, whether explicit or implicit, may allow an employer to more easily defend against invasion of privacy and other claims. For example, in TBG Ins. Servs. Corp. v. The Superior Court of Los Angeles County, a court held that because the employer had a written “electronic and telephone equipment policy statement” and the employee had consented in writing that his computers could be monitored by the employer, the employee had no reasonable expectation of privacy in a home computer provided by the employer.
Finally, even if a court finds that an employee has a reasonable expectation of privacy in his or her workplace Internet or electronic mail usage, this privacy right will likely be weighed against a company’s interest in protecting itself from liability. For instance, if an employee claims to have been sexually harassed by a supervisor through inappropriate email messages, the company has a right and, in fact, an obligation to investigate the sexual harassment claim.
In this situation or other incidents of suspected employee email or Internet misconduct, the company’s right to a limited review of the accused individual’s particular electronic mail would probably outweigh the possible right to privacy. Other laws may also come into play.
According to the AMA study, the vast majority (84 percent) of employers do have policies that govern employee email use. The 2007 eCrime Watch Survey, conducted by CSO Magazine in cooperation with the US Secret Service, Carnegie Mellon University Software Engineering Institute’s CERT program, and Microsoft, noted that while only one percent of companies in the survey do not have a security policy in place, policies are at best inconsistent. While 80 percent of respondents indicated they have an “acceptable use policy,” only 59 percent conduct external Internet connection monitoring, and just 42 percent conduct employee monitoring. Twenty-eight percent reported that monitoring Internet connections directly resulted in the deterrence of a potential criminal, and 26 percent reported that employee monitoring did so.
In addition to employers generally having the right to review employee email and monitor Internet usage, both monitoring usage and retaining electronic records, including emails and IM chats, may be a matter of necessity. The 2004 Workplace Email and Instant Messaging Survey, conducted by the American Management Association, discovered that 20 percent of respondents had employee email and IM subpoenaed as part of a lawsuit or regulatory investigation—more than double the number reported in 2001. Some state anti-discrimination agencies may even require that sexual harassment investigations include a review of relevant emails, and that remedies encompass email policies and oversight, where appropriate.
Free Speech in the Workplace
In a democratic and open society, employees may feel that their work-related conduct and speech (including email, Internet usage or blogging at work) should be entitled to protection under the rubric of “free speech.” However, the First Amendment of the United States Constitution generally only prevents government restriction on public debate, not private employer restrictions. Where government action is involved, the First Amendment has been used to strike down laws that are written so broadly that they prohibit protected as well as unprotected speech.
In Intel Corp. v. Hamidi, an unhappy former employee aired his grievances about the company by repeatedly flooding Intel’s email system with spam messages. Intel brought suit under a legal theory of trespass to chattels. The trial court issued an injunction, which prevented the former employee and others acting on his behalf from sending unsolicited email to any addresses on Intel’s computer systems.
The former employee appealed the injunction, arguing, in part, that by issuing the injunction the government (through the state court) had violated the First Amendment and prohibited the former employee’s free speech. The Appeals Court disagreed.
The Appeals Court stated that the First Amendment protects individuals only from government infringement of speech and, here, what was at issue was a private employer’s infringement. The Appeals Court found that judicial enforcement of neutral laws (i.e. laws that do not abridge free speech) through an injunction did not constitute state action and, therefore, did not run afoul of the First Amendment.
This Appeals Court decision was then appealed to the highest state court in California, the California Supreme Court. The California Supreme Court had a very different view of the matter and overturned the injunction, finding that the former employee had not committed a trespass because the computer system was neither damaged nor impaired. The California Supreme Court also expressed concern that the injunction raised First Amendment problems for the former employee.
The high Court found that, although a private employer’s refusal to transmit another’s electronic speech generally does not implicate the First Amendment, the use of government power, such as through a court injunction, is state action that must comply with the First Amendment. The Court described the injunction as “sweeping” and implied that a prohibition on communication to all Intel addresses was unconstitutionally broad.
The import of this case is difficult to foresee. It continues to be true, however, that private employer curtailment of employee speech generally does not involve the First Amendment. When court involvement is used to assess damages or issue injunctions, the Intel case suggests that the First Amendment may come into play.
Drafting an Employee Internet Use Policy
Employers should provide employees with a clear policy statement describing the permitted and prohibited uses of employer email and Internet systems, including a statement that email and Internet messages and traffic on company systems are not the private property of employees. This policy statement should then be enforced by implementing appropriate monitoring and filtering technology. Many employers will want to state that the employer has the right to—and will—monitor employee email and Internet use.
There are many reasons for such a policy, among which are: 1) to set boundaries for appropriate employee conduct; 2) to clarify employee expectations of privacy; and 3) to foster employee consent, either direct or implied. A clear policy helps reduce legal exposure and bolster employer defenses to employee claims, including for invasion of privacy.
The IT and Communications Company can help you to prepare an Employee Internet Use Policy.
Is Internet Content Management Software Right for You?
Filtering Software
Employers are increasingly concerned about inappropriate Web surfing, and a 2005 survey showed that 65 percent of employers use software to block connections to inappropriate Web sites, a 27 percent increase over an earlier 2001 survey. Filtering software allows employers to select specific categories of Web content to exclude from organization networks. The first generation of Internet filtering software appeared in the mid-1990s. First generation filters were relatively crude instruments that blocked entire Web pages “on the fly” when they contained certain words and phrases such as “sex” or “breast.” Consequently, these early filters inadvertently blocked a lot of innocent Web pages.
These early “word blocking” filters were quickly replaced by “list-based” or “URL-blocking” filters that provide a regularly updated database of URLs. The URLs of these list-based filters are placed into categories, such as “pornography,” “gambling,” “shopping,” “hacking tools,” etc. Employers can then select one or more of these categories to block. Most filtering solutions also offer the ability to address file-sharing or “malware” applications with categories such as “peer-to-peer” or “malicious sites” or by blocking the downloading of executable file types. The most effective URL filters also supplement the list-based systems with additional analyses that allow for the accurate and finely-tuned prevention of access to unwanted sites that have not yet made it into the database.
The Forrester study noted that, while most organizations do use some type of Web filtering/monitoring software, attacks still occur—indicating that it is not the lack of security software that is the problem, but rather, that many existing security solutions do not catch all instances of malware and do not protect users from phishing attacks.
Next-generation Web filtering: Reputation-based
Today, Web filtering addresses more than legal liability, productivity and bandwidth. Web filtering is often implemented as a first line of defense against malware, spyware, and other Web-based threats. Given the dynamic nature of malware, Web filtering solutions that rely only on categorized databases of URL entries cannot provide adequate protection. Next-generation filtering solutions incorporate technology that profiles in real time millions of entities connected to the Internet worldwide and provides up-to-the-minute host behavior analysis to create a “reputation score”, which can be used to determine whether an email or Web connection to the enterprise network should be allowed to occur. This reputation can be used in conjunction with categories in an organization’s security policy, allowing it to make the appropriate decision based on both category and reputation information.
This reputation-based approach is effective in preventing attacks that might not otherwise be detected. The alarming increase in “zombie” networks is one such example. In this type of attack, computers are taken over by an outside third party, usually through infection, and then covertly used to send out spam. Monitoring of outbound connections can detect that an internal computer has been infected in this way. A further problem once a zombie network takes hold is that normally reputable senders may unknowingly become distributors of spam. The reputation system addresses this by not only ranking senders by reputation, but also by detecting deviations from their normal behavior.
Web Monitoring Software
Most monitoring solutions use the same technology as filtering solutions—a database of URLs grouped into categories, but instead of the URLs being blocked, access is recorded. The log files of URLs accessed are then typically organized by URL, category of URL, workstation, user, and time. This information is then used to create reports of Web access by type or often by individual. Like filtering (blocking), monitoring has also gained in popularity, with 76 percent of employers monitoring worker Web site connections. Those monitoring solutions may take different forms as to what is being monitored. Monitoring connections serves more than the purpose of establishing a record of employees’ Web surfing behaviors; it can also detect anomalies that may result from zombie networks.
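The paragraph above describes monitoring as the same category database used for filtering, with access recorded and then reported by URL, category, workstation, user and time, and notes that the same records can reveal the outbound behavior of a compromised “zombie” machine. The following is an added example written for this page, not code from Secure Computing or any of its products. It assumes a simple tab-separated log format (time, user, workstation, URL, category, action); the sample log lines, the thresholds and all host names are constructed for illustration.

```python
"""Added example: turning URL-access logs into a per-user category report and an
outbound-anomaly check.  Illustrative code written for this page, not the
reporting engine of any Secure Computing product.  The log format (tab-separated:
time, user, workstation, url, category, action) is an assumption, and the sample
lines below are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Record:
    time: datetime
    user: str
    workstation: str
    url: str
    host: str
    category: str
    action: str


def parse_line(line):
    """Parse one log line; return None for a malformed line instead of raising."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, user, ws, url, category, action = fields
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    host = urlsplit(url).hostname or ""
    return Record(when, user, ws, url, host, category, action)


def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def usage_report(records):
    """user -> Counter(category -> request count), blocked and allowed alike."""
    report = defaultdict(Counter)
    for r in records:
        report[r.user][r.category] += 1
    return report


def find_anomalies(records, window_minutes=5, distinct_host_threshold=25,
                   risky_categories=("spyware", "malicious_sites")):
    """workstation -> list of reasons.  Two detectors:
    1. any request into a risky category (the drive-by / Trojan case);
    2. a burst of many distinct destination hosts inside one time window, the
       outbound pattern of a workstation turned into a spam-sending zombie.
    Thresholds are assumptions to be tuned per site."""
    flags = defaultdict(list)
    hosts_per_window = defaultdict(set)
    for r in records:
        slot = (r.workstation, r.time.date(), (r.time.hour * 60 + r.time.minute) // window_minutes)
        hosts_per_window[slot].add(r.host)
        if r.category in risky_categories:
            flags[r.workstation].append(f"{r.category} request to {r.host} at {r.time:%H:%M:%S}")
    for (ws, _day, _slot), hosts in hosts_per_window.items():
        if len(hosts) >= distinct_host_threshold:
            flags[ws].append(f"{len(hosts)} distinct hosts within a {window_minutes}-minute window")
    return dict(flags)


# Constructed sample log: two ordinary users plus one workstation that suddenly
# contacts 40 different hosts in under three minutes.
SAMPLE_LOG = [
    "2024-03-05T09:01:10\tjdoe\tWS-0017\thttp://news.example.test/today\tnews\tallowed",
    "2024-03-05T09:03:42\tjdoe\tWS-0017\thttp://news.example.test/markets\tnews\tallowed",
    "2024-03-05T09:20:05\tjdoe\tWS-0017\thttps://cdn.video-stream.test/clip.mp4\tstreaming_media\tblocked",
    "2024-03-05T11:15:00\tjdoe\tWS-0017\thttp://news.example.test/sports\tnews\tallowed",
    "2024-03-05T09:02:30\tasmith\tWS-0099\thttp://example-casino.test/\tgambling\tmonitored",
    "2024-03-05T09:30:00\tasmith\tWS-0099\thttp://tracker.p2p.test/announce\tpeer_to_peer\tblocked",
    "2024-03-05T09:31:12\tasmith\tWS-0099\thttp://free-toolbar.test/install\tspyware\tblocked",
]
_burst_start = datetime(2024, 3, 5, 13, 0, 0)
for _i in range(40):
    _ts = _burst_start + timedelta(seconds=4 * _i)
    SAMPLE_LOG.append(f"{_ts.isoformat()}\tsvc_user\tWS-0042\thttp://relay{_i:02d}.example.test/\tuncategorized\tallowed")
SAMPLE_LOG.append("not a log line")  # malformed entry, must be skipped rather than crash the report

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, cats in sorted(usage_report(recs).items()):
        print(user, dict(cats))
    for ws, reasons in find_anomalies(recs).items():
        print(ws, reasons)
```

The burst detector keys on distinct destinations per workstation per window rather than on raw request volume, because a legitimate user refreshing one news site generates many requests to few hosts, while a spam relay or scanner generates few requests each to many hosts.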
Monitor, Filter, Both, or Neither?
Employers have a variety of choices in implementing Internet content solutions. Some solutions only monitor and produce reports, some only filter, and many provide both functions. Both filtering and monitoring solutions have advantages and disadvantages that must be carefully weighed with existing corporate culture before making a decision to deploy one or both.
Use of the Internet can vary widely based on industry and organizational culture, and even by department and job function within the same organization. Take for example, a hypothetical high-tech manufacturing organization with a large, mobile sales force. Shop floor employees in the organization plant have very limited, specific uses for Internet access, suggesting a policy of restricted Internet access. On the other hand, the salespeople who research prospective new customers and their competition need freer access.
Some questions an employer should ask before making a decision to purchase filtering and/or monitoring software:
- Do employees use their computers for personal use?
- How wide a variety of sites do employees need to access?
- If the organization is governmental, do state public records laws apply to Internet access logs or email?
- What procedures are there for documenting disciplinary actions?
- How flexible is the solution? Can different policies be implemented for different people, departments or locations?
Filtering Software Pros and Cons
Pros:
- Blocks most (but not all) inappropriate content from employees.
- Prevents some (but not all) malware infections from occurring.
- Identifies and/or stops some offensive practices.
- Allows employers to identify abusers.
- Creates a record to document cause for disciplinary action.
- Generally does not raise privacy concerns.
Cons:
- Requires intervention to unblock sites that are overblocked.
- Possible perception of infringing on workers’ right to free speech.
- Can impact employee morale.
Monitoring Software Pros and Cons
Pros:
- Identifies and/or stops some offensive practices.
- Allows employers to identify abusers.
- Creates a record to document cause for disciplinary action.
- Does not block access.
Cons:
- Does not block inappropriate content from employees.
- Does not prevent malware infections from occurring.
- May lead to privacy issues.
- Can impact employee morale.
What to Look for in a Filtering and Monitoring Solution
Compatibility with Existing Infrastructure
IT managers are usually very busy professionals, challenged with making a disparate collection of hardware and software operate together smoothly. Therefore, a top priority for IT managers adding new components to their networks is ensuring that the new components fit easily with existing hardware and software platforms.
Filtering solutions typically are either “natively embedded” on a networked device such as a proxy server, caching appliance, security appliance or firewall, or reside on a dedicated server or multi-function appliance running a variant of the Windows, Unix, or Linux operating systems. The most popular filtering vendors offer a variety of options for use with different networking platforms that work with the more widely used networked devices. Which choice is best depends on the individual network.
An Extensive, Frequently Updated, High-Quality Database
The heart of most filtering solutions is an extensive database of URLs sorted into categories. The most widely used filtering solutions contain millions of URLs sorted into dozens of categories.
To keep up with the changing nature of Internet content and stay ahead of emerging Web threats, database updates should be downloaded automatically and be made available multiple times per day. Frequent updates enable organizations to be protected from emerging security threats as soon as a threat is known.
Reputation-Based Filtering
A database of URL entries provides excellent protection for sites that do not change, but change is the nature of today’s Web, and Internet threats constantly appear and disappear. Reputation-based filtering provides a mechanism for determining the risk associated with receiving data from a particular Web site. This reputation can be used in conjunction with categories in an organization’s security policy, allowing it to make the appropriate decision based on both category and reputation information. A reputation-based URL filtering solution needs to be global in scope and internationalized to handle Web sites in any language, especially considering the global nature of Internet security threats.
Flexible Filtering, Monitoring, and Reporting Options
In order to meet the needs of an organization, a filtering solution needs to have the flexibility to handle multiple levels of filtering for different personnel and departments.
The most widely used filtering solutions offer the ability to select individual users, groups of users, individual workstations, or groups of workstations for a specific level of filtering using a defined set of filtering categories. These filtering solutions also allow employers to combine filtering and monitoring within the same user or group of users.
The more widely used filtering solutions offer a variety of options for both monitoring and filtering. These solutions allow an administrator to select, for example, filtering of pornography for all users at all times, filtering of other non-work sites during the work day for some users, and monitoring only for other groups of users. The best filtering solutions build in all these options, so that employers can adjust levels of filtering and monitoring as the need arises.
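The sections above describe the three ingredients of a modern filtering decision: a list-based category database that can also block executable downloads, a host reputation score used alongside the category, and per-group policies in which a category may be blocked, merely monitored, or allowed, possibly only during the work day. The following is an added example written for this page that combines all three in one decision function; it is not code from SecureComputing’s SmartFilter or any other product. The reputation scale (0 clean to 100 known bad), the business-hours definition (Monday to Friday, 09:00 to 17:00), the two sample groups and every host name and score are assumptions constructed for illustration.

```python
"""Added example: a small URL-filtering policy engine combining a category
database, a host reputation score and a per-group block / monitor / allow policy
with optional time-of-day scope.  Illustrative code written for this page, not
SecureComputing's SmartFilter.  The reputation scale, the business-hours
definition and every host and score below are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import urlsplit

# Constructed category database (host -> category); real products hold millions.
URL_DB = {
    "example-casino.test": "gambling",
    "adult.example.test": "pornography",
    "cdn.video-stream.test": "streaming_media",
    "news.example.test": "news",
    "tracker.p2p.test": "peer_to_peer",
    "downloads.example.test": "software",
}
# Constructed reputation scores, assumed 0 (clean) .. 100 (known malicious).
# Hosts absent here have no reputation yet.
REPUTATION = {"cdn.video-stream.test": 12, "downloads.example.test": 85, "unknown-host.test": 70}
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".bat", ".com", ".dll")


@dataclass(frozen=True)
class Rule:
    category: str
    action: str                      # "block" | "monitor" | "allow"
    business_hours_only: bool = False


@dataclass(frozen=True)
class GroupPolicy:
    rules: tuple
    block_reputation_at: int = 80    # block any host scoring at or above this
    block_executables: bool = False
    default_action: str = "allow"


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str
    category: str
    reputation: Optional[int]


POLICIES = {
    # Sales research widely: block only the clearly unacceptable, log gambling,
    # and keep streaming media off the wire during the work day.
    "sales": GroupPolicy(rules=(
        Rule("pornography", "block"),
        Rule("peer_to_peer", "block"),
        Rule("gambling", "monitor"),
        Rule("streaming_media", "block", business_hours_only=True),
    )),
    # Shop floor has few legitimate uses: allow-list news, block everything else,
    # and be stricter on reputation and executables.
    "shop_floor": GroupPolicy(rules=(Rule("news", "allow"),),
                              block_reputation_at=60, block_executables=True,
                              default_action="block"),
}


def _parent_domains(host):
    """'www.news.example.test' -> itself, 'news.example.test', 'example.test' (never the bare TLD)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def lookup_category(host):
    for h in _parent_domains(host):
        if h in URL_DB:
            return URL_DB[h]
    return "uncategorized"


def reputation_of(host):
    for h in _parent_domains(host):
        if h in REPUTATION:
            return REPUTATION[h]
    return None


def is_business_hours(when):
    return when.weekday() < 5 and 9 <= when.hour < 17   # assumed Mon-Fri 09:00-17:00


def decide(url, group, when):
    policy = POLICIES[group]
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased, port stripped
    category = lookup_category(host)
    rep = reputation_of(host)
    # 1. Reputation overrides category: a known-bad host is blocked whatever it is about.
    if rep is not None and rep >= policy.block_reputation_at:
        return Decision("block", f"reputation {rep} >= {policy.block_reputation_at}", category, rep)
    # 2. File-type control, independent of category.
    if policy.block_executables and parts.path.lower().endswith(EXECUTABLE_EXTS):
        return Decision("block", "executable download", category, rep)
    # 3. First matching category rule for this group, honouring time-of-day scope.
    for rule in policy.rules:
        if rule.category == category and (not rule.business_hours_only or is_business_hours(when)):
            return Decision(rule.action, f"category rule: {category}", category, rep)
    # 4. Group default.
    return Decision(policy.default_action, "group default", category, rep)


WORK_HOUR = datetime(2024, 3, 5, 10, 0)     # a Tuesday morning (constructed)
AFTER_HOURS = datetime(2024, 3, 5, 20, 0)   # the same Tuesday evening

if __name__ == "__main__":
    for url, group in [("https://cdn.video-stream.test/movie.mp4", "sales"),
                       ("http://www.news.example.test/setup.msi", "shop_floor"),
                       ("http://downloads.example.test/tool.exe", "sales")]:
        print(group, url, decide(url, group, WORK_HOUR))
```

Two design points matter here. The reputation check runs before any category rule, so a host that has turned hostile is blocked even if the database still files it under an innocuous category; and category lookup walks up the parent domains, so `www.news.example.test` inherits the category of `news.example.test` rather than falling through as uncategorized. Order and inheritance like these are exactly the behaviors to test when evaluating a real product.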
For More Information
To find out more about Secure Computing’s versatile filtering products and the advantages of managing your organization’s Internet access and activity, contact the IT and Communications Company today at (804) 523-4677 or visit www.it-comms.com.
