Why blocking websites is bad for your company

Update: Oct 31st, 2009

For some reason or another each company I had contact with reaches a point where it ponders about blocking websites, filtering the internet and other behaviors that would be frowned upon by anyone who believes in freedom of speech and the liberty of information.

While the first argument is always “this is a work place not an internet cafe”, I found that the situation is always more complex than that. From a human point of view I’ve found that such a decision is always met with great resentment by all employees (making the already unpopular IT-employee drop further in the charts) which is actually understandable. The internet is not only a waste of time; it is an important source of information. It does not matter if the information is work related or not, human beings crave information and removing the access to it will only make them worry, be less productive and frustrated.

But let’s ignore the human element and office politics for a while and let’s explore the typical approach to internet filtering that many companies have attempted and what are the usual effects.

A. Blocking top traffic websites

Your usual run of the mill IT admin will identify a few months into his job that the internet links are saturated. He will figure it out either by himself or following complaints from top management about the slowness of the internet. Since we’re dealing with a seasoned individual, he will quickly run a report only to discover that most bandwidth is spent on facebook, youtube, myspace, msn and so on. He runs upstairs to management, and a quick decision is reached that those websites have no business value and should be blocked. Everybody is happy that this will save the company 30-70% of the internet bandwidth.

Blocking only these websites also sounds like a sensible approach, no? Yes and no. These websites are popular because they fill a need of the employees. If this need is no longer satisfied, employees will spend extra time finding surrogates to fill it.

Let’s examine just a bit:

  • Facebook is used to keep in touch with friends and usually with family also. It might be a silly place but keeping in touch prevents you from missing social events and news and helps you maintain the impression of a normal life. Blocking it will cause pain and anguish and employees will use alternative methods for keeping in touch, like the phone. Using the phone will not only up the company’s bill quite a bit but will also annoy the hell out of everybody who’s hearing the frequent conversations. How about the photos? Well, if it’s an important one it will be sent to the employee by email. A photo sent by email is A LOT more expensive to the company’s IT than a photo on facebook. Usually it’s sent in the wrong resolution (much larger size), and since it’s email it will be stored on the email server for a significant amount of time, where it’s under the effect of the backup policy and retention policy and might be audited at some point. Maybe it contains some objectionable material in the light of the given audit? A photo sent by email is really expensive, don’t block facebook.
  • Youtube is used to share and watch videos. Most companies can’t find a good reason not to block this website and to tell you the truth I don’t spend that much time on youtube myself. However youtube does contain some interesting training materials and explanations. A picture is worth a thousand words? Then a video is worth a few million words and whether it’s a video showing how to create tables in Word or a training video for health and safety you will find it on youtube and employees will benefit from watching them. On the other hand keep in mind that videos can be shared on email also and youtube is not the only site hosting videos. It’s the most popular one but your employees will find alternative sites to watch those videos.
  • News sites. Blocking news sites is the prerogative of an oppressive government. Your employees will subscribe to news from home and receive them by email. See above.

As you see, this is not a sensible approach and it will not work long term. Where IT thinks it’s saving money, it will discover that the storage and backup costs outweigh the benefits, besides making everybody in the IT department feel like a pariah. Keep in mind, employees will not only be annoyed by the internet filtering but they will also be convinced that the IT department has full unrestricted access.

B. Filter by keyword

When businesses discover that method A does not really bring any advantages and that internet bandwidth consumption after a few months is back to the original levels they set out on a futile quest to find the magic bullet of internet filtering, filtering by keyword. The logic behind it is simple: inappropriate web pages will contain some inappropriate keywords, right? Wrong.

Filtering by keyword completely disregards the complexity of the human languages, multiculturalism and medical websites. Think about it this way: if I really want to search for pornography and the word “breast” is filtered I might as well look on websites in German or Romanian, they have different words in those languages. But how about a concerned employee that is looking for something on “breast cancer“? Most likely this employee is not ill intentioned and it would be wrong to deny access to a resource that would reassure, calm or warn the employee.

Internet filtering by keyword is obsolete and does not work. Besides filtering the wrong pages, it will require extra administration and it will not scale for larger organizations.

C. Outsourced filtering

Companies that take internet filtering really seriously will go for a commercial solution, either software that is installed in house (but communicates with an external server for updates) or a completely outsourced service that provides internet filtering.

This approach works better than the previous two because these companies really put a lot of effort into censoring the web, but be prepared for the following:

  • It will cost you an arm and a leg. These solutions do not come cheap and usually the licensing model is by user. While it might seem peanuts in the beginning it will become expensive as your company grows and sooner or later you will end up asking yourself where the IT budget is going.
  • You will need a part time or dedicated admin for the solution. No matter how good, these solutions will block the wrong website once in a while and somebody will need to “go in and fix it”. Websense (one of the biggest players on the market) did manage to block cisco.com at one time. Is your business willing to take the risk of having a partner website blocked while your internet filtering admin is trekking in the Himalayas?
  • Smart users will find ways around it, usually by installing HotspotShield and similar software. This piece of software acts as a proxy, circumventing the filtering solutions. Of course, there are fixes to this issue also but you get into an additional overhead and all this just to block the internet.
  • Unknowingly you will be sponsoring oppressive governments which decided to implement Websense or similar software nationwide in order to prevent access to the “free media” outside.

If you are OK with all of the above go ahead, filter the internet.

So are there any real options?

The answer is not always simple but in short it would be: Don’t filter, manage the internet access. There are several ways to do it and like everything in this world the problem needs to be attacked from multiple angles:

  • Filter the internet traffic for viruses and only viruses. This will keep the desktops just a bit cleaner especially if the employees are still using Internet Explorer. However do not neglect a desktop based antivirus engine.
  • Develop readable policies in which you define what is an acceptable use of the internet. Do not write it in legalese, write it in something that people can understand and can relate to.
  • Educate your users. Distribute marketing materials and hold workshops explaining to users what is acceptable use of the internet and also what the real dangers of browsing the web from a corporate machine are. Don’t tell them “your computer might be infected” because they don’t care about that, the IT will fix it. Tell them that their work will be lost, business will be lost, cost for the company will increase and salaries will be cut.
  • Manage the bandwidth. There are several methods to do this and all of them work.
    • Decide what is an acceptable amount of bandwidth to be spent on internet browsing and cap the web browsing traffic to that.
    • Limit bandwidth by user. This will prevent one or two users from “hogging” the entire bandwidth of the company and maintain fair usage for everyone.
    • Decide what is an acceptable priority of the web browsing traffic and start prioritizing your traffic. Probably you want to give it some kind of low priority. This will make sure that the other traffic types are not affected by web browsing but on the other hand when the pipe is empty your users can use the maximum amount of bandwidth available.
    • Prioritize traffic by content type. The content type defines what is the media type being transmitted (text, video, sound, pdf files…). You may want the internet browsing to be fast (text and images load quickly) but you may define that the internet video will have low priority.
  • Passively monitor bandwidth usage. Log how much time your users are spending on the internet and send a monthly report to the line manager of the employee (and to the employee also if you like). Give the manager the option to act on it or not. The manager should only analyze this data when a clear performance issue is being discussed with the employee. It might just be the case that the employee is a really fast worker and he just doesn’t get enough work assigned.
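The passive monitoring and per-user fairness points above can be prototyped from proxy logs before any cap is configured. The following is an added example, not part of the original post: it assumes a web proxy that writes Squid's native access.log layout with authenticated usernames, and the log lines, hostnames and user names are constructed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/status bytes method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1256947200.101    812 10.0.0.21 TCP_MISS/200 48211042 GET http://video.example/clip1 alice DIRECT/192.0.2.10 video/x-flv
1256947260.442    120 10.0.0.21 TCP_MISS/200 18230 GET http://news.example/ alice DIRECT/192.0.2.11 text/html
1256947300.007     95 10.0.0.34 TCP_MISS/200 240112 GET http://intranet.example/logo.png bob DIRECT/192.0.2.12 image/png
1256947400.650    301 10.0.0.34 TCP_HIT/200 1204 GET http://docs.example/a.css bob NONE/- text/css
1256947500.300    640 10.0.0.47 TCP_MISS/200 9120443 GET http://video.example/clip2 carol DIRECT/192.0.2.10 video/mp4
garbled line that should be skipped
"""

def media_class(content_type):
    """Collapse a MIME type to the coarse class used for prioritization."""
    major = content_type.split("/", 1)[0].lower()
    return major if major in {"text", "image", "video", "audio"} else "other"

def usage_report(log_text):
    """Return {user: {media_class: bytes}} from Squid-native log text."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[4].isdigit():
            continue  # skip truncated or malformed records
        user = fields[7] if fields[7] != "-" else fields[2]  # fall back to client IP
        report[user][media_class(fields[9])] += int(fields[4])
    return {u: dict(c) for u, c in report.items()}

def heavy_users(report, share=0.5):
    """Users whose total exceeds `share` of all bytes (candidates for a per-user cap)."""
    totals = {u: sum(c.values()) for u, c in report.items()}
    grand = sum(totals.values()) or 1
    return sorted(u for u, t in totals.items() if t / grand > share)

if __name__ == "__main__":
    rep = usage_report(SAMPLE_LOG)
    for user, classes in sorted(rep.items()):
        print(user, classes)
    print("over 50% of traffic:", heavy_users(rep))
```

The per-class byte counts show whether video is what fills the pipe, which is the input needed to choose between a per-user cap and a content-type priority.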

The above sounds like a lot of work but really it isn’t. Most of the internet gateway solutions out there can do that: Cisco, Bluecoat, Microsoft and Juniper can all do it, but I’m not going to talk about them since small shops may not be able to afford them or the overhead to configure and deploy them.

However any small shop can afford a tool like pfSense. The product is actually free, based on the FreeBSD operating system (just like Juniper’s JUNOS) and the interface is fully graphical and web based.  This particular product can fulfill all requirements from above and it is also suitable for very large organizations. It scales well and supports redundant configurations.

As you see, there are many options. Just don’t regard the employees as slaves and try to bring forward thinking solutions. Employees will appreciate your efforts and they will not resent you while you are keeping the IT effort and budget in check.

The internet grows on everybody and pretty soon, if not already, people will consider it a basic right exactly like the freedom to move, the right to go to the toilet and the right to have a lunch break. Restricting basic rights will only damage the reputation of the business and demotivate employees.

Note: In this article I use the term “internet” quite loosely, generally I am referring to internet browsing, the HTTP protocol.

  1. Eric VZ
    Dec 7th, 2009 at 19:05

    Nice breakdown. Did you tell me that we could have limited the bandwidth by user back on the AT job? I would have rather just done that. That would have solved all the problems.

    I look at the Facebook issue a little differently though. I agree with your technical synopsis but Facebook drives a browsing behavior that allows people to spend a lot of time/bandwidth on multiple photo albums. It’s true that a photo sent by email may be larger but it is restricted by the email systems in question and most people won’t bother to send entire photo albums through email due to email size limitations and it’s just a hassle for most people. The same applies to youtube and any other service that drives a behavior that really would not be replicated through other means such as email.

    In other words, with Facebook/YouTube you will spend a lot of time/bandwidth looking at photos/videos that ordinarily you never would have looked at. You’re only looking at them now due to the convenience that these services bring to you.

    I don’t care if people use those services but it’s when they go overboard that everyone suffers. Management reports are highly dependent on effective management being in place and not overloaded with other concerns. Unfortunately, managing bandwidth or even people’s behavior while using a computer is seen as part of the role of IT. When a Manager cannot go to “site X” because it’s crowded with Facebook traffic it is still IT’s fault for some reason – even when it’s that same manager’s own staff who spends half the day on Facebook. Proving to that Manager that it was his own staff’s fault takes time/energy that could be better spent elsewhere.

    I really like the limit by user concept though. If I ever find myself in a similar situation that is what I would probably go for. In Chevron there is no limit but they do block websites based on keyword – generally pornography, “hate speech” and gambling.