In-Depth

Proper Employee Monitoring: Best Practices for Doing It Right

Some companies demand that IT track Web use or go even deeper into user behavior. Here are some tips on how to do it right and what tools to use.

Several years ago a friend asked what could happen if her company tracked Internet use. While this might sound a bit naïve today, back then monitoring wasn't so commonplace.

Depending on your industry and the norms that apply (or your company's particular values and policies), your monitoring might be worlds different from the level at the company just up the street. Regardless of the level of intrusion, all content or usage tracking should be disclosed to users. Your company should have a clear policy, let employees know what it says, and monitor only in a way that matches that policy. Your shop might own the equipment and the Internet pipe and all of that, but employees still assume some level of privacy or least full disclosure of when and how they're being observed or tracked.

Internet usage monitoring isn't packet capture. Sure, the packets sent out through a firewall or other device when you browse the Internet to visit the Disney Store Web site are logged by the firewall, and the IP address or maybe even the URL is contained within the packet and can be seen by someone designated to sift through those logs. This is typically used to troubleshoot network issues or at the network level. General Internet usage monitoring is much simpler.

With general Internet usage monitoring, an application is installed on the computers within an organization or on an appliance sitting between company computers and the Internet where all the Internet traffic passes through. When it passes through and onto the appliance, the details are logged and the traffic goes on its merry way.

Monitor Usage and Block Content
There are devices and software packages available that can not only monitor traffic, but also allow for certain Web sites or categories of sites to be blocked (see "Internet Usage Monitoring Solutions"). This does a few things. First, it prevents content that an organization deems inappropriate from being viewed on company resources. Second, some of these products perform tasks that users actually appreciate, such as blocking advertisements on Web pages -- especially those ads that are considered unacceptable. Because many of these ads are sourced at domains such as doubleclick.net, they can be singled out, which definitely improves the Internet experience.

There are different levels of monitoring, and these should be considered before jumping into a solution. General monitoring for Internet use only is pretty normal today, where surfing is logged. Other products are much more user-level or granular in what they log. Trapping passwords and keystrokes on your corporate network takes monitoring a tad too far, one could argue, but those products exist as well.

As mentioned, it makes sense to have an acceptable use policy, let all employees know, then advise them you're running a Web monitoring program. If you're planning to block traffic you should certainly tell them that as well. If they know Internet use is being looked at, they'll naturally cut down on non-work-related Internet usage. You'll also likely cut down on help desk calls over certain pages coming up with administrator blocked notifications or errors.

My company monitors Internet usage and blocks some traffic, which seems to work pretty well. It's definitely nice to have fewer online ads. However, the fact that most appliances create filters by group or category is interesting. Alcohol, tobacco and firearms categories are usually lumped together, which in most cases is great. But I work for a company that produces ingredients for beer. Almost immediately after deploying a Web monitoring appliance, we had to create rules to make sure we weren't cut off from our customers' Web sites. That problem has mostly been addressed, but it was certainly no fun undoing a good chunk of a blacklist. The biggest lesson is to know what filter/monitor drives are on for filtering. This way you can make adjustments quickly with as little impact to the user as possible.


[Click on image for larger view.]
Keystroke and Web traffic recording with Spector CNE Investigator.

Helpful for Both Sides
I've heard of companies wanting to protect the "privacy" of their employees and feeling they could trust their employees to do the work they were paid to do. This is probably true for most companies; I believe people are generally good spirited. But there are times when things get out of control and something needs to be done to protect the company.

Suppose someone was constantly surfing the Internet and disrupting those around him, either by talking incessantly about things he saw or leaving stuff playing on the computer screen and shuffling off to another area. If an organization wanted to take action against this behavior, it might not have a leg to stand on without monitoring.

Monitoring can help employees, too. Imagine an employee working the late shift. There aren't many people around and it's a slow night, so he decides to surf the 'Net and gets hit with malware. Malware is bad enough, but this one comes in the form of pop-ups exposing all kinds of filth. A manager seeing this later, with a different user at the PC's helm, might think that user was the one irresponsibly surfing. Here monitoring might help pinpoint the user who was actually logged on rather than the one assumed to be the cause of the problem.

When someone thinks they're being watched their behavior changes, and in some cases this justifies the monitoring policy and tracking software in the first place.


[Click on image for larger view.]
Trending and protocol monitoring using Wavecrest CyBlock.

Making Exceptions
Because many Web monitoring tools block sites that might seem (but not actually be) inappropriate, there are cases when users have legitimate needs for sites the software declares off-limits. Fortunately, just like many anti-spam applications, Web monitoring tools have whitelisting capabilities. This lets certain sites within a category stay accessible while the rest of the category is blocked. Let's say your organization sells a product to a few companies within a category, but other sites in the same category are not appropriate for browsing. The customer sites can be whitelisted, but the remaining items in the category will be blocked.

Keep in mind that most of these products (see "Internet Usage Monitoring Solutions,") will both filter and block traffic.



About the Author

Derek Schauland has worked in technology for 15 years in everything from a help desk role to Windows systems administration. He has also worked as a freelance writer for the past 10 years. He can be reached at derek@derekschauland.com.

Featured

comments powered by Disqus

Subscribe on YouTube