Passive Attack

By Karen J. Bannan

So instead Cothern, director of information technology for Mabry & McClelland LLP, a law firm in Atlanta, simply blocks them. A program from Telemate Software lets his company’s 45 employees do research that they need for cases but keeps them from wasting time on frivolous pursuits such as gambling or games. Another program blocks all outgoing data other than e-mail.’It wasn’t a huge problem, but we do have two or three people who were surfing too much,’ Cothern says. After the program was installed, employees simply couldn’t get to sites that waste time.

According to an April 2001 survey by the American Management Association (AMA), more than 77 percent of companies record and review employee communications and activities including e-mails, Web logs, and computer files. When other types of monitoring methods such as videotaping and tracking employee calls via phone logs are included in the mix, a whopping 82 percent of companies reported keeping a close eye, or ear, on their employees, something Eric Rolfe Greenberg, director of management studies for the AMA, says isn’t as bad as it sounds. ‘It sounds like Big Brother’ but it’s not,’ Greenberg says. ‘It’s simply the modern 21st century equivalent of supervision.’

But monitoring employees isn’t just a technological decision; it also involves making judgments about legal consequences, explaining policies to workers, and being aware of their reactions. ‘One of the reasons people don’t stay with a company is if they feel over-controlled,’ says Dr. Andrew DuBrin, Ph.D., an industrial psychologist and professor of management at the Rochester Institute of Technology.

What, Me Monitor?

The impetus for monitoring stems from worries about three distinct problems, says Bill Gassman, a senior research analyst with Stamford, Conn.-based Gartner Group, a technology research firm. Companies are concerned about their legal liability from sexual harassment or hostile workplace claims, but they are also worried about theft of company properties, intellectual or actual, as well as productivity issues. The result is employers who check phone logs looking for 900-number access, scrutinize Web usage, and monitor incoming and outgoing e-mails.

Monitoring traffic usually happens at the firewall, where company information-technology managers or human-resource managers can match domain names with employee Internet Protocol (IP) addresses to see where people have been, what they are looking at, and how long they stick around. There are several problems with this technique. For one thing, poring over Web logs can be time- and labor-intensive, not to mention the fact that the only people who can do it are those who know their way around a firewall. In addition, if a company shares machines or has floating IP addresses (that is, addresses that aren’t assigned to a specific workstation or server), the Web logs are virtually meaningless. Besides, if an employee is offended by a site that’s up on a neighbor’s monitor, there’s little an employer can do after the fact.

A better option, say analysts, is to block access to specific sites or site categories such as pornography, gambling, or hate groups. Blocking is done by software or hardware that uses one of three methods. The most common method involves matching page requests against preexisting lists of URLs, which are usually categorized. When the software or hardware detects a request for a blocked site, the user gets a message saying that access is denied. A second method involves dynamic filtering, which checks incoming Web pages for keywords or patterns of words. Dynamic filtering can also be done on image files by checking for flesh tones and gradients to block potential nudity. Of course there isn’t any product that can completely block every site. For one thing, new sites pop up on an hourly basis. Most vendors categorize sites on a daily or weekly basis, but there’s always a lag. Plus, savvy Web site developers can often hide content by using innocuous image-naming techniques or by switching URLs. Even the users have gotten sneakier, using proxy sites to get around the blocks.

Many companies that choose to block Web traffic rather than monitor actually end up seeing it pay off in as little as a week. Aside from the fact that the company is protected from employees who surf inappropriately, in many cases there is also a reduction in bandwidth costs, says Farley Stewart, vice president of appliance products for St. Bernard Software, a filtering hardware manufacturer. ‘Some people who are not ill-intentioned can chew up quite a bit of bandwidth listening to Internet radio stations and downloading streaming video,’ Stewart explains. ‘When you block high-bandwidth sites, you can reduce the amount of bandwidth you need,’ he says.

What the Law Requires

Because the employer owns the telecom equipment, owns the premises on which the work is done, and, in fact, owns the job (the employee merely occupies it), courts have upheld employers’ broad rights to watch and review what employees are doing with their equipment.

Of course there are a few limitations. Companies can’t go on unreasonable fishing excursions, and they can’t infringe on an employee’s personal privacy. For example, a company can’t listen in on a public pay phone in its lobby or a private call coming in on a company line. In addition, they usually can’t spy on employees once they leave the office. Surprisingly, it’s perfectly legal to place cameras in break rooms or even restrooms, as long as the cameras aren’t focused on the inside of a stall.

‘Employee monitoring is okay as long as there’s some type of reasonable expectation of monitoring and the monitoring itself doesn’t unduly interfere with employee privacy,’ says Paul Schachter, a lawyer with Reinhardt & Schachter PC, a Belleville, N.J. law firm that specializes in employee rights. ‘Where monitoring has happened for no reason, employers have been successfully sued.’

The best way for a company to avoid such a fate is to put everything in writing and create a company policy. The first step, of course, is to identify threats to a company’s bottom line. Is the company worried about lost productivity? Have phone bills spiraled out of control in recent months?

Once threats have been identified, write out a policy. Human-resource managers may be tempted to craft their own, but experts and other business owners alike caution against this practice. Instead, companies may want to consider a different process that starts in the company’s conference room, says Dr. Andrew DuBrin. ‘In general, employees dislike the thought that they aren’t trusted,’ he says. ‘It’s better to discuss policies out in the open by getting some employees involved in a committee so they can help create the policy. The goal should be to get people to be more productive but keep good people in the company.’ Employers who involve employees in creating policies often have an easier time implementing new them and a higher acceptance rate, Dr. DuBrin says.

When it comes to writing the policy, any corporate lawyer should be able to craft a document that includes employee input but also follows the letter of the law. ‘[For example,] laws on listening in on telephone conversations can and do vary from jurisdiction to jurisdiction. You need someone who is familiar with regulations that vary from state to state and industry to industry,’ says Reinhardt & Schachter’s Schachter. The final step is disseminating the information. Expert opinion varies when it comes to whether or not you should have employees sign off on a policy: lawyers say it’s a good idea while industrial psychologists caution against it. Employees who sign off on policies have less of a chance of winning a privacy lawsuit and are more likely to keep it in mind as they conduct their business. However, they are also more likely to feel alienated and mistrusted, which could lead to a high employee turnover rate.

Cothern says Mabry & McClelland asks employees to sign off so they understand what’s required of them and why. ‘[Our policy] protects us as a company from the employees going out and doing things that they shouldn’t be doing at work,’ Cothern says. ‘They signed for the policy, so they know what’s expected of them. They are seeing that this is what we expect.’

You Can’t Win Them All

Should employers be this concerned about what workers do on line? They certainly don’t seem so paranoid when it comes to offline behavior: The AMA’s study found that only about 12 percent of companies listen in on phone calls, and only about 15 percent videotape employees – in both cases, less than a fifth of those who filter or monitor on line. But no company can maintain around-the-clock surveillance, Gartner’s Gassman points out. Not every offending file or site can be caught, every single time. Even if they could, you can’t change human nature.

‘If people aren’t working on computers they tend to walk around and talk a lot,’ says Dr. Andrew DuBrin. ‘Employees tend not to work all the time. If employees aren’t surfing, what will they be doing?’ The AMA’s Greenberg suggests that, if employees are going to waste time somewhere, on line may be the best place for them to do it. ‘If someone is at their desk at the lunch hour, they are there to pick up the phone and respond to someone poking their head into their cube,’ he says. ‘If someone has to go out at lunchtime, they are not there responding to questions.’

How do you make sure they’ll be motivated to get back to work? That’s when a good manager is worth more than a software package.

Don’t Ask, Don’t Tell

IF everybody’s doing it, shouldn’t you? In the case of monitoring, maybe not. Fewer companies may be monitoring than the AMA’s studies firstsuggest, according to a recent report by Andrew Schulman of the Privacy Foundation.

The AMA studied its own members, which are mostly large companies, and clearly states that ‘the sample does not accurately reflect policies in the U.S. economy as a whole, where smaller firms predominate.” By looking at the total number of monitoring-software seat licenses purchased nationwide, Shulman estimated that about 15 percent of all employees are monitored and about 19 percent are under constant surveillance.

Many companies do no monitoring or blocking at all. Sports retailer REI, for instance, has enough resources to implement such technology, but has decided not to. REI is fairly lenient when it comes to personal phone calls or a quick daily visit to a news Web site. Employees can make personal phone calls and shop on line at lunchtime. ‘If you’re not looking at the competition and seeing what’s going on out there, it gives you less perspective on your own business,’ says Fred Kreitzberg, REI’s security manager.

For protection against outside threats, REI has virus scan programs installed at the client and server levels as well as heavy-duty firewalls installed, but that’s it. Plus, REI can still protect itself from liability since it can fall back on its firewall’s Web logs to prove or disprove claims of impropriety. Still, REI has an acceptable use policy that its employees are expected to follow. ‘We started as a small company that had a simple policy,’ Kreitzberg says. ‘We treat you like an adult, and we expect you to act like an adult.’

What Web Monitoring Costs

Prices for monitoring products vary from $1,000 to several million, depending on the size of the company, the number of users, and the need for any additional equipment or personnel, such as a dedicated server and someone to run it. Software programs can be installed on existing Web servers or firewalls, but some require a dedicated server, raising installation costs. Hardware products are dedicated appliances that sit in front of the company firewall, filtering content as it comes in. All of the programs allow companies to set limits with a few clicks, no programming knowledge required.

Elron Software; Web Inspector;; approximately $500 for 50 users
Pearl Software; Cyber Snoop;; $2500 for 50 users
St. Bernard Software; IPrism;; $3490 for 1-year license for 50 users
Symantec Corp; Igear;; approximately $1000 for 50 users

Karen Bannan wrote about assessing an ASP’s security in the July issue of SBC.

Small Business Computing Staff
Small Business Computing Staff
Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales.
Previous article
Next article

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.