acm-header
Sign In

Communications of the ACM

Internet abuse in the workplace

Aligning Internet Usage with Business Priorities


It is becoming increasingly clear the Internet is now a critical component of the 21st century business landscape. Using the Internet can create many desirable organizational outcomes—lowering the cost of communication, meeting customer needs, supply chain management, and improving business practices and integration [3]. However, using the Internet can also generate undesirable outcomes—loss of intellectual property, sexual harassment lawsuits, productivity losses due to excessive Web surfing, security threats, and network bandwidth overload. Hence, employers have an obligation to proactively manage the Internet-connected workplace, maintaining a middle ground between "no access" and "unrestricted access" to benefit both the organization and the employees. This aligning process—Internet policy management (IPM) [2]—is the regulation of Internet activities so that targeted outcomes remain within acceptable limits. The essential components of IPM are:

  • An explicit and clearly communicated Internet usage policy (IUP);
  • Tools for monitoring and recording Internet and email usage;
  • End-user training; and
  • Application of discipline measures.

Many people assert that Internet monitoring should be avoided because it fosters a "Big Brother" environment and is an invasion of privacy. Others take the position that the best way to manage the Internet is to have either no usage or severely limited usage. However, either too much or too little Internet management can be dysfunctional for an organization. For instance, optimal outcomes will be achieved when businesses restrict usage by policy and check the policy by monitoring/filtering software. At one end of the spectrum, if there is no access or if access is severely limited, organizational outcomes may suffer. Blocking is problematic because it is difficult to keep updated and easier to get around. At the other end of the spectrum, vague, not monitored/enforced, or no policies expose the organization to a number of legal, financial, and operational risks such as losses of confidential information, network congestion, threats to network integrity, diversion of employee attention, and increased legal liability [4].


In a recent survey of 200 U.S. business executives, 82% said Internet usage should be monitored at their companies, but only 34% said they have already instituted such a program.


An IUP defines appropriate behavior when using company Internet resources and outlines the ramifications for violations. An effective IUP can even allow for personal surfing and email. Policy templates can be found by searching for "Internet policies" with any search engine [6] and at Elron Software [2]. Once a draft IUP is written, an organization's management and legal staff should review it and widely publicize it through seminars, performance reviews, and informal discussion sessions. It should be given to all new employees.

An IUP isn't sufficient to reduce excessive surfing, viewing sexually explicit material, confidential data leaks, viruses, or viewing violent content. Many companies do little more than ask their employees for compliance to a formal usage policy; for a growing number of businesses, this just isn't enough. There's increasing sentiment among executives that a more hands-on approach to Internet management is needed. In a recent Dataquest survey of 200 U.S. business executives, 82% said Internet usage should be monitored at their companies, but only 34% said they have already instituted such a program. Web monitoring is expected to jump from 34% in 1999 to 66% by the end of 2001 [1].

Employers must be honest about monitoring, announcing when the monitoring will happen, and why and how it will be done. Monitoring should not be put in place to catch people but to reinforce the business usage of the Internet and the responsibilities that employees have to use this resource properly. The technical aspects of monitoring are not a major hindrance in IPM. There are many monitoring and blocking solutions available. For example, many routers allow ports to be disabled, denying specific Internet traffic. Blocking servers are popular alternatives, with many of these products combined with firewalls and proxy servers. There are several NT-based proxy alternatives; proxy servers can be configured to permit specific traffic to pass through to the network [6]. However, for more optimal alignment of usage with business priorities, a full service provider of Internet management solutions such as SurfWatch Software, a Los Gatos, California-based division of Spyglass Inc. and Elron Software Inc., a Burlington, Massachussetts-based division of Elron Electronic Industries, should be considered [5].

The monitoring function of the IPM should be more than the technology [2]. It should include:

  • Periodic (weekly, monthly, bimonthly) generation of Internet usage reports to allow feedback on policy compliance;
  • Discussion of these reports at appropriate levels of the organization;
  • Actions taken against those who violate policy, per action steps established in the IUP;
  • Addition of Web sites identified in usage reports as inappropriate to the filtering feature of the monitoring tool; and
  • Periodic review and update of the IUP.

We explore how eight organizations manage usage by policy and enforce the policy by monitoring/filtering software, thus enhancing alignment of individual Internet usage with organizational priorities.

Back to Top

The Case Studies

Each of the eight organizations thoughtfully determined their policy in accordance with their overall mission, carefully communicated this policy, and then installed a monitoring solution. Elron Software collected the data for an ongoing research project involving the study of the adoption and implementation of IPM. IS professionals responsible for establishing and maintaining an Internet protection and security presence at their organizations were interviewed [2]. The cases are a cross section of organizational types, including two public companies, three nonprofits, one school, and two private firms.

bullet.gif 20th Century Fox

20th Century Fox, the largest of the organizations studied, is principally engaged in broadcasting and distribution of feature films and television programs. Although securing the Internet and email was a primary concern, the protection of company data, network, and servers was a high priority. 20th Century Fox wanted to have a powerful reporting tool without high administrative overhead or hardware cost. Jeff Uslan, the manager of information protection, said, "...we really needed a way to break down specific Internet usage traffic by employees ... to enforce our IUP." Uslan found Web-based monitoring software with full text analysis was the most efficient way to track user access. What was employee reaction to the monitoring of their Internet usage? "Being adults and being reasonable people, our employees understand we have to provide a 'safe haven'," said Uslan. Content filtering and monitoring software at 20th Century Fox makes it workable to tap the power of the Internet by providing unlimited Internet access to all employees.

bullet.gif Bard Manufacturing

Bard Manufacturing specializes in air conditioners and heat pumps. All employees have Internet access. The Internet has proven to be a tremendous resource for the company's overall business. Ray Crooks, the IS professional, was already considering an investment in more network bandwidth to compensate for increased Internet traffic, and there was also concern over other negative consequences such as Web surfing abuse by employees and liability for potential sexual harassment. Internet monitoring could not be a labor-intensive effort at Bard, so after a free, 30-day trial of Web Inspector—an Internet monitoring tool from Elron Software—Crooks was able to document several problems: visits to pornographic Web sites, incorrect network configuration, and access to personal email accounts. Crooks adopted the monitoring software and sent a company-wide email message explaining the new policies. With this monitoring, Bard was able to proactively manage Internet usage, avoiding major abuse and lost productivity.

bullet.gif JFK Medical Center

At JFK Medical Center, one of the largest hospitals in New Jersey, thousands of employees ranging from doctors and nurses to executives and staff members have Internet access. "There is a ton of valuable information our employees can access via the Internet that is critical to the efficiency and effectiveness of this institution," said Bill Thorpe, a system analyst. "However, there is a lot of garbage out there. Our concern is focused primarily on protecting JFK from legal liabilities. Saving our bandwidth and improving employee productivity are also important goals." With thousands of employees at JFK, Thorpe does not have the time or the manpower to manually monitor where people are going on the Internet. Thorpe reviewed several different filtering products and chose one that was content and context sensitive, reducing the number of false positives, and had extensive reporting capabilities, providing cost analysis and cost-per-minutes data. Thorpe worked with the human resources department to develop an IUP, configuring the monitoring software to enforce this policy. Employees know they have the freedom to use the Internet as a business tool, but usage will be monitored and comprehensive reports generated, allowing specific issues to be addressed.

bullet.gif Lake Charles Memorial Hospital

The nonprofit Lake Charles Memorial Hospital is one of the largest facilities serving Southwest Louisiana and Southeast Texas with about 1,000 employees across the hospital's six locations. "I knew we needed an email policy and a way to enforce it, otherwise we could be held liable if an employee was exposed to inappropriate Internet content," said Ron Westmoreland, the system administrator. "We wanted a solution that was accurate, flexible, and scalable." After finalizing the hospital's policy for email usage, it was communicated to current employees and is part of the orientation process for new-hires. "We explained the reasons why email shouldn't be abused and employees were informed that we now had the ability to monitor email content in order to enforce the policy," said Westmoreland. The policy also states that occasional personal use of the hospital's email system is acceptable. Employee response to the monitoring has been positive as Lake Charles allows employees some freedom to explore the Internet.

bullet.gif New Mexico Mortgage Finance Authority

The New Mexico Mortgage Finance Authority (MFA) is a housing agency for the state. "On every level of this organization we need to be organized and in control," says Doug Flint, the systems administrator. The MFA has an integrated system linking all of its systems together and all employees have Internet and intranet access. MFA did not want labor-intensive policing of the Internet, and wanted to ensure a productive and healthy environment. "We did suspect a couple of people were abusing Internet usage, but really we decided to start monitoring Internet access out of common sense—the smart thing to do," said Flint. Monitoring was a learning process at MFA. According to Flint: "At first we made the rules too strict, but over time we came to understand what kind of protection we needed and were able to find a policy that worked for us."

bullet.gif Irvington High School

Irvington High School, with a student body of 1,600 students, is located about 40 miles southeast of San Francisco. Bill Stanley, the technology coordinator said, "In a school setting, Internet access is fraught with many hazards." By "hazards," Stanley refers to surfing abuse by students and faculty. "We want to encourage students to perform online research and gain a larger worldview, but teenagers often have a tendency to move outside the educational constraints," he said. Stanley decided a tool to filter and monitor Internet usage was needed to allow user-customization of keywords for blocking, but more importantly emphasized monitoring and reporting. It is impossible to block all the current and potential content-offensive sites, but with the development of an IUP and monitoring software, the school is able to use the Internet to enrich the curriculum.

bullet.gif Bricker and Eckler

Bricker and Eckler is one of Ohio's leading law firms. "We have lots of attorneys that work from home," said Eric Schmidt, chief information officer. "We want them to each have efficient access to all of our resources. We told every employee they are being monitored because I really think it is important to let them know up front." Utilizing an authentication program provided by the company firewall and a high-speed Internet connection, the attorneys are able to securely conduct client research and transmit confidential data over the Internet. Prior to rolling out the Internet resource throughout the firm, however, Schmidt and the firm's managing partner developed and clearly communicated a policy for Internet usage.

bullet.gif Davis and Kuelthau, S.C.

Davis and Kuelthau, a full-service law firm with five offices throughout Wisconsin, is dedicated to "educating its clients about the law to ensure they have the tools necessary to identify legal problems and minimize the risk of legal consequences." According to Brian Drier, the firm's IS manager, "Organizations look to us as experts in advising how to protect themselves from these kinds of Internet problems, so we lead by example and take the same precautions within our own company. Our position is that the Internet is a fantastic resource," said Drier. "We wanted to open up this resource to all employees for personal and professional use, but we knew it needed to be managed properly. Our biggest concerns were legal liabilities and productivity." By using monitoring software, Davis and Kuelthau was able to preserve investment in critical Internet resources and make intelligent planning and forecasting decisions with flexibility and customizability.

Back to Top

Conclusion

While these eight organizations have many differences, there is a common goal—to use the communication and productivity enhancing power of the Internet while minimizing risks and costs and maximizing employee freedom and privacy. To accomplish this, they chose to adopt IPM, integrating policies and monitoring. Filtering and monitoring software is increasing in popularity; the International Data Corporation, a leading market research firm, estimates 3.9 million businesses will implement Web-filtering software by 2003, and 80% of large companies will purchase Web-filtering software in the next 12–24 months [2]. The organizations in this discussion found flexibility and customizability, low maintenance, a high degree of accuracy, multiple features, ease of use, and integration with current technologies in monitoring software. They deployed the latest Internet technologies to streamline business processes, trim costs, and offer customers and suppliers the ease of electronic communication while protecting organizational information and resources, and respecting employee rights. In short, the eight organizations leveraged the power of the Internet while responsibly and proactively managing its use. To companies that are hesitant about providing Internet access, IPM offers a way to reduce the risks, and as these cases demonstrate, it is not only large companies that can benefit from IPM.

Back to Top

References

1. D'Antoni, H. Web surfers beware: Someone's watching. Info. Week 772 (Feb. 7, 2000), 167–168.

2. Elron Software, Inc (Mar. 2001); www.elronsw.com.

3. Mandel, M.J. and Hof, R.D. Rethinking the Internet. Bus. Week (Mar. 26, 2001), 117–141.

4. Ohlhorst, F.J. Filtering software blocks headaches, litigation. Computer Reseller News 926 (Jan. 1, 2001), 53–54.

5. Roberts, B. Filtering software blocks employees' Web abuses. HRMagazine 44, 9 (Sept. 1999), 114–120.

6. Wonnacott, L. Policing the Internet: If your users can't surf responsibly, you may have to monitor them. InfoWorld 21, 13 (Mar. 29, 1999), 13–14.

Back to Top

Author

Claire A. Simmers ([email protected]) is an assistant professor in the Management and Information Systems Department in the Erivan K. Haub School of Business at Saint Joseph's University, Philadelphia.


©2002 ACM  0002-0782/02/0100  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2002 ACM, Inc.


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account
Article Contents: