It's no secret that adult content is an Internet mainstay. While it's hard enough to keep nasty images from users' screens by vigilantly blocking pop-up windows and spam, it's even harder when users actively seek out adult websites. There are several strategies, however, that can greatly reduce adult content and the malware it brings.
Acceptable usage policy and Web content filtering
If you want your policy (you do have an official policy prohibiting accessing inappropriate content from work systems, right?) to be effective, your employees have to be aware of it. Send a reminder email or post a notice from the CEO or head of HR to the internal employee portal reminding employees of the policy. This communication should include the company's acceptable use policy, the consequences for violation of the policy, and a reminder that employee Internet usage is being monitored.
The problem with adult content extends beyond just the content itself. Due to their popularity, adult websites are often used by miscreants to distribute malware. Dealing with the malware problem that comes along with adult content involves access management; applications and users must run with the lowest necessary privileges. This strategy, though it will not eliminate malware, does greatly reduce its effect.
While Web content-filtering products can be an effective means of identifying employees who violate policy, they can be overly broad in what they consider inappropriate and ineffective in preventing a person from finding explicit content if he or she is determined. Additionally, as the workforce becomes more mobile and laptops become the standard, server-based filtering becomes increasingly unrealistic.
For best results, the issue of inappropriate content should be treated as a management problem in addition to a technology one. In reality, accessing explicit content is no different then any other potentially inappropriate behavior, whether it is reading non-work-related materials or playing hooky. Involve the suspected employee's direct manager to ensure that the employee is doing his or her work. The manager will have a better understanding of what is appropriate for the specific employee: After all, what is suitable for one person may well be too much for another.
Case in point: Recently, a peer in the IT industry explained to me that his company used Web-filtering/monitoring software, and one of the filters alerted him to an employee that was accessing adult content. The manager couldn't be found and neither could the manager's boss, so the head of the security team alerted HR and the employee was quietly terminated. When the employee came in to get his final check, it was determined that the porn sites were actually customers of the company and the employee was validating that the company's software was working appropriately. Needless to say, the employee was quickly re-added to all the systems and allowed to go back to work. An incident like this, however, is a lawsuit waiting to happen. It's always best to involve the direct manager before taking any action.
Content logging: Forensics and enforcement
A good alternative to Web filtering is logging, as it allows the security manager to perform not only forensics, but also provides the necessary data to demonstrate violation of policies when documenting the issues as part of the enforcement process. Managers should be required to get approval from the legal department or HR before accessing these logs; the log data that the security team releases should go to legal or HR so that those departments can work with the manager directly.
Involving HR and the legal team also limits the perception that IT security is the "netcops." The most effective security programs are those in which IT security partners with the business, and that is impossible in an environment where the team is also perceived as being the bad guys. Pushing the logs through appropriate channels helps avoid this perception.
Finally, don't be afraid to get creative. One such use for logs that can reduce adult content in the enterprise involves aggregating the firewall logs and finding the top 20 most-visited websites. Once the list is assembled, post it prominently to the internal employee portal. Unsurprisingly, this often causes inappropriate surfing to drop dramatically; it's a great reminder to employees that they are being monitored, and can serve as a lightweight metric for upper management to understand the company's work atmosphere. It's never a good sign when the top three sites are all job search boards.
About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in February 2009