The Case for Blocking Facebook, IM & Webmail

The probem is the implementation!

 In an era of shrinking budgets, zero job security, and the disapperance of the annual raise, incidental use of the Internet from work is a cheap and easy perc for employees.  I believe that internet access can be granted to staff in a safe manner and eliminate potential morale issues.

Hey David,

What is your take on this method by Zappos to have a twitter application that show what their 400 employees are doing at any given time? Since it's difficult to implement such measures of blocking social media in the workplace, businesses are devicing novel ways of incorporating the positives that comes form employees interacting with social media.

How about that of Google intitiative of giving their engineers 20% of work time in order to do what they feel personate about? 

I can't go along with this.  What's being proposed creates an environment in which the user is guilty until proven innocent, and the enforcement system itself has the potential to disrupt productivity.  How do you know when the use of any site has a valid business reason or not?  Consulting web developers might have a reason to go to any web site at all (I support a lot of those).  IM might be a way to communicate with clients, and it might be critical for some users to be highly available to clients.  These are just examples.  I could provide many more. 

People don't like to work in places where they feel they are not trusted.  They're not all dumb.  They understand when we're doing things to protect the internal network, but equally, it's not hard for the average person to recognize when things are being done because they are not trusted.  This can lead to dissatisfaction, which has it's own security perils and impacts on productivity.  It can also lead to higher turnover rates, which can be very expensive.  It can also lead to problems in hiring good people, and retaining them.

A lot of people these days blur the lines between office and home.  People who keep working after hours are going to resent not being able to attend to their personal lives while at work.  In such environments, it behooves the Security team to understand that overall productivity may depend upon this.

We in the information security business have a job to do.  To do it well, we have to recognize many realities and cope with them to the best of our ability.  We must strive to minimize the impact of our endeavours on the business.  The solutions being discussed herein might do that in some cases, but I think not in most.  Becoming enforcers for HR is certainly a role that I don't want - it's certainly not for everyone.

Productivity problems should be fairly apparent to any decent manager.  I have seen managers go on "witch hunts", in which they are trying to build a case against an unproductive employee, by bothering the Security team with requests for monitoring Internet usage for that employee.  The answer to the "witch hunts" was, this is a matter between the manager, the employee, and HR.  Productivity problems should not have to be proven by monitoring of Internet usage (which is very expensive).  A few times in the last twenty years, HR came to me in such a dispute and asked me to examine some data for evidence of severe abuse, but this kind of problem is usually solved without resorting to data-diving.

Obviously, there must be an acceptable use policy, and there should be an effort to educate users as to the risks of the various uses of the Internet.  However, one should consider very carefully the pros and cons of restricting access to websites in the workplace.

I have worked for numerous network support/integrators over the last 15 yrs.

About 5 years ago, I started installing a number of UTM appliances that are capable of blocking spyware and virus at the gateway, which was a big plus. One thing I quickly learned.. talk to your client (the owner, not the in-premise IT guy) about working together ans show the client how you can help make their business more profitable. We monitored internet usage for a month, listed the top 10 users. They were shocked, the ones who should be tops on the list didn't even rate! We monitored the top ten sites.. only 1 was business related.

 With that in mind, we prepared a 'usage policy' for everyone to sign. That coupled with a brief explanation, cut abuse significantly. Then we monitored and reported each month to the client about the health of his network. Each month we reported to the owner directly, who were the top 10 users, and the top 10 sites for each of those users.. We would point out what sites may be business related, and which ones were not, and recommened appropriate action. A few times our recommendations were not accepted, but overall, the client agreed.

At the end of the year, EVERY customer, but one renewed their 'content filter' service.. because we could show them that after a yr, most of the internet usage was business related!  Now, when I make recommendations, they listen!

I'm glad you've finally get a "damascus experience" and many thanks to David for bringing about this transformation!! I really did not have any prior knowledge about the security side on this issue but i was just arguing from an ethical perspective that it wasn't right. Now that these facebook maniacs employees know that their actions can cause a security problem for the companies's networks.

I also agreed with you that journalists should be exempted from this no-nonsense approach!!!! 

David: Your last post below finally changed my thinking about giving folk more leeway than Gideon would allow. On reflection, social sites (which I check regularly for work) do cause problems, if only in slowing things down with spyware.

I am now in favor of the no-nonsense approach -- except for journalists. ;>

I was involved in a decision to block MySpace and Facebook but it was not about productivity, it was about security.  We tracked that the majority (almost 70%) of the spyware and viruses that our filters caught were coming in via just two sites - MySpace and Facebook. 

Given the odds, at some point the anti-virus software would miss something and we would be fighting a virus on our network - all for the benefit of employees to do some socializing on their free time. 

Given the productivity issue AND the security issue we blocked the sites.   After spending several hours yesterday getting spyware of my kids PC, the reasoning seemed stronger than ever.

Hey Gideon,

You are absolutely right,about the Policy of Blocking everything first and then allowing Users to access something based on their need.Its a policy that works like a charm in SMBs and then it does'nt.Till last year I used to work for such a firm with about 500 users and after watching the IT Admin keep getting overwhelmed with Malware and Spyware infected PCs I instituted just such a policy blocking Social Networks and WebMail.It worked very well for about two-three months.Then the boss(The founder and a hardcore DIY man) started to get cranky and asked the Network Admin to remove those protections for himself(He was missing his poker mates on Facebook...),then slowly,slowly more such requests started reaching the Admin,eventually they were back to Square One(effectively).

As for large-sized Firms (1000 employees or more),particularly Public Listed ones ,the Admin has a lot more  power to enforce Policy and he tries to keep a tight leash on things.But then here too,employees start to backlash and try different things to circumvent restrictions.

But Gaja also raises a valid point,if  you enforce such restrictions in place entirely,employees will not be willing to work extra-time or afterhours(which is what we need in today's adverse market conditions where you need employees to put in those extra hours,make those extra sales,Increase Productivity,etc,etc).

But still some very valid points raised in this discussion.

Regards

Ashish.

If my work life balance allows me not to carry my laptop/blackberry to my home and work on weeknights and weekends.  I have seen worker productivity only increasing my opening the network.  We dont allow sex, gambling, email, youtube, social networking, etc., website traffic inside our network.  Most of the web traffic that goes from our network are probably related to our work, where we research information that is availbale in the www to accomplish some of our tasks.  Ofcourse, we do read some news, sports, movie reviews, buy flowers for my wife, etc., but hey, if I go late to my home, let me better go with restaurant reservation, movie tickets, etc.,  I sorry Gideon, you have missed the boat on this one.  The more companies want to increase the productivity by limiting what we can browse, the more employees will stick to 9-5 job.

{ Gaja; }

I think there are good points made for both sides of the fence. 

There are a couple issues here...

    Productivity and Security

From a security perspective, I like the idea of the quiet network.  This would aid in internal intrusion detection efforts.

My biggest concern on this end is the use of the product.  It should be "set it and forget it."  Well, that is if you can keep up with the public proxies that allow you to get around such blocking technologies.  I'm not at all concerned with who is attempting to hit what site.  I don't want to pay someone to monitor these attempts.

From a productivity perspective, I think that is a manager's role.  As the boss, if I'm not getting 8 hours of work from an individual in the 8 hours they're spending in the office, I should be able to handle that.  I don't care if it is because they are on the Internet checking Facebook or reading a novel, that's not what they get paid to do on company time.

As for the comment about hiring people you can trust, well, I'm not sure how you guarantee that.  I think a manager may be able to trust their employees, but the security department is not. It's not realistic and not safe.