Proper Employee Monitoring: Best Practices for Doing It Right -- Redmondmag.com

Proper Employee Monitoring: Best Practices for Doing It Right

Some companies demand that IT track Web use or go even deeper into user behavior. Here are some tips on how to do it right and what tools to use.

By Derek Schauland
05/01/2012

Several years ago a friend asked what could happen if her company tracked Internet use. While this might sound a bit naïve today, back then monitoring wasn't so commonplace.

Depending on your industry and the norms that apply (or your company's particular values and policies), your monitoring might be worlds different from the level at the company just up the street. Regardless of the level of intrusion, all content or usage tracking should be disclosed to users. Your company should have a clear policy, let employees know what it says, and monitor only in a way that matches that policy. Your shop might own the equipment and the Internet pipe and all of that, but employees still assume some level of privacy or least full disclosure of when and how they're being observed or tracked.

Internet usage monitoring isn't packet capture. Sure, the packets sent out through a firewall or other device when you browse the Internet to visit the Disney Store Web site are logged by the firewall, and the IP address or maybe even the URL is contained within the packet and can be seen by someone designated to sift through those logs. This is typically used to troubleshoot network issues or at the network level. General Internet usage monitoring is much simpler.

With general Internet usage monitoring, an application is installed on the computers within an organization or on an appliance sitting between company computers and the Internet where all the Internet traffic passes through. When it passes through and onto the appliance, the details are logged and the traffic goes on its merry way.

Monitor Usage and Block Content
There are devices and software packages available that can not only monitor traffic, but also allow for certain Web sites or categories of sites to be blocked (see "Internet Usage Monitoring Solutions"). This does a few things. First, it prevents content that an organization deems inappropriate from being viewed on company resources. Second, some of these products perform tasks that users actually appreciate, such as blocking advertisements on Web pages -- especially those ads that are considered unacceptable. Because many of these ads are sourced at domains such as doubleclick.net, they can be singled out, which definitely improves the Internet experience.

Web Monitoring Tips

Inform employees you're tracking their Internet usage. It will deter them from going to inappropriate sites, improve productivity and let them know exactly where the company stands.
Decide if you need to track sites visited or go a step further and block access to certain URLs.
Some tools track keystrokes and capture passwords. Decide if you need those, but in many cases they're excessive.
In addition to making users more productive and keeping them off inappropriate sites, Web monitoring is also useful for blocking sites that produce malware.

There are different levels of monitoring, and these should be considered before jumping into a solution. General monitoring for Internet use only is pretty normal today, where surfing is logged. Other products are much more user-level or granular in what they log. Trapping passwords and keystrokes on your corporate network takes monitoring a tad too far, one could argue, but those products exist as well.

As mentioned, it makes sense to have an acceptable use policy, let all employees know, then advise them you're running a Web monitoring program. If you're planning to block traffic you should certainly tell them that as well. If they know Internet use is being looked at, they'll naturally cut down on non-work-related Internet usage. You'll also likely cut down on help desk calls over certain pages coming up with administrator blocked notifications or errors.

My company monitors Internet usage and blocks some traffic, which seems to work pretty well. It's definitely nice to have fewer online ads. However, the fact that most appliances create filters by group or category is interesting. Alcohol, tobacco and firearms categories are usually lumped together, which in most cases is great. But I work for a company that produces ingredients for beer. Almost immediately after deploying a Web monitoring appliance, we had to create rules to make sure we weren't cut off from our customers' Web sites. That problem has mostly been addressed, but it was certainly no fun undoing a good chunk of a blacklist. The biggest lesson is to know what filter/monitor drives are on for filtering. This way you can make adjustments quickly with as little impact to the user as possible.

[Click on image for larger view.]

Keystroke and Web traffic recording with Spector CNE Investigator.

Helpful for Both Sides
I've heard of companies wanting to protect the "privacy" of their employees and feeling they could trust their employees to do the work they were paid to do. This is probably true for most companies; I believe people are generally good spirited. But there are times when things get out of control and something needs to be done to protect the company.

Suppose someone was constantly surfing the Internet and disrupting those around him, either by talking incessantly about things he saw or leaving stuff playing on the computer screen and shuffling off to another area. If an organization wanted to take action against this behavior, it might not have a leg to stand on without monitoring.

Monitoring can help employees, too. Imagine an employee working the late shift. There aren't many people around and it's a slow night, so he decides to surf the 'Net and gets hit with malware. Malware is bad enough, but this one comes in the form of pop-ups exposing all kinds of filth. A manager seeing this later, with a different user at the PC's helm, might think that user was the one irresponsibly surfing. Here monitoring might help pinpoint the user who was actually logged on rather than the one assumed to be the cause of the problem.

When someone thinks they're being watched their behavior changes, and in some cases this justifies the monitoring policy and tracking software in the first place.

[Click on image for larger view.]

Trending and protocol monitoring using Wavecrest CyBlock.

Making Exceptions
Because many Web monitoring tools block sites that might seem (but not actually be) inappropriate, there are cases when users have legitimate needs for sites the software declares off-limits. Fortunately, just like many anti-spam applications, Web monitoring tools have whitelisting capabilities. This lets certain sites within a category stay accessible while the rest of the category is blocked. Let's say your organization sells a product to a few companies within a category, but other sites in the same category are not appropriate for browsing. The customer sites can be whitelisted, but the remaining items in the category will be blocked.

Keep in mind that most of these products (see "Internet Usage Monitoring Solutions,") will both filter and block traffic.

Internet Usage Monitoring Solutions

GFI WebMonitor Priced per seat, this software can be used as a standalone monitoring tool or in conjunction with other security products such as Microsoft Forefront Threat Management Gateway. It provides statistics about where your users are headed on the Internet and how much time they spend on specific sites. The new 2012 version also monitors search keywords.
gfi.com

Websense This solution is one I consider the granddaddy of them all. It monitors Web traffic, e-mail and other items including mobile devices. Some organizations also use this product to manage and monitor content within their e-mail systems to prevent non-work-related content through that channel as well.
websense.com

Barracuda Web Filter This product is sold as an appliance that plugs in to your network, sitting between your users and the Internet. Web traffic is given one path to the Internet, passing directly through the Barracuda box. Featuring reporting and easy-to-access information down to the user level, the device is easy to get up and running. I did find that, when using this device, some noise was found for things that continually refresh, such as weather sites or other perfectly acceptable destinations. Once you've started looking at the traffic, it's pretty interesting to see which sites are most used. In addition to being available as a standalone appliance, this product is also available in virtual appliance form.
barracudanetworks.com

Spector CNE Investigator This product not only records where an employee might be headed on the Web, but also any programs used, keystrokes typed and other actions taken on the PC where it's installed. When the application is installed, it can be run in stealth mode to prevent detection or access to the software on the local system. As actions are recorded, the information is sent securely to a central location where only administrators can access it. Sessions captured can be played back to follow the actions of a user during a specific time period.
spectorcne.com

EfficientLab Work Examiner Monitors activity and provides reporting to determine where productivity could be improved and help the organization ensure resources aren't being misused while an employee is working. In addition to Web monitoring and access tracking, this application also provides tools for time tracking.
workexaminer.com

CurrentWare BrowseReporter Allows monitoring of Web access and use by employees. By capturing all URLs visited along with on-demand screen capture, BrowseReporter is designed to provide a holistic view into what's going in and out of an organization via the Internet. An interesting feature of this application is idle timeouts, which allow a browser to be deemed idle after a configured period of inactivity. If the session is idle, it can be excluded from reports to reduce the noise recorded by the application.
currentware.com

NesterSoft WorkTime Like other products listed, WorkTime records all PC activity and can be useful outside of the Web monitoring space. When it comes to monitoring the Internet, NesterSoft captures useful information about browser sessions including sites visited, URLs, start time and page titles.
nestersoft.com

Wavecrest CyBlock This monitoring product comes in many forms, including an appliance (much like the Barracuda), a plug-in to Microsoft Internet Security and Acceleration and Forefront Threat Management Gateway server products, or standalone proxy server software. It can prevent access to categories of Web sites or applications and provide real-time statistics and analysis to show administrators what employees are using on the Internet and when.
wavecrest.net

About the Author

Derek Schauland has worked in technology for 15 years in everything from a help desk role to Windows systems administration. He has also worked as a freelance writer for the past 10 years. He can be reached at [email protected].

Featured

Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.
PowerShell Script Used in Phishing Attack May Be AI-Generated

A PowerShell script being used in a novel malware campaign may have been created by AI, according to security researchers at Proofpoint.
Using Microsoft Office to Build a Network Diagram, Part 1

Keeping documentation is a great way to ease your future hardware refresh and have what you need for insurance purposes.