When most employees think about web content filtering, all they can think about is the frustration of their favorite websites being blocked. They cannot make updates to Facebook, watch videos on YouTube, or access their Dropbox and Google Drive. What’s a security team to do? Our recommendation? Tell them to get over it.
Does that seem a bit harsh? In all honesty, it IS harsh – but justified. The Internet has united us and impacted our lives in ways that we’re only starting to understand. Not the least of these ways is the convergence of our personal and professional lives. These days, many people have a hard time finding the line between “ON” and “OFF” time. It has become blurred. Unfortunately, that means employees’ expectations have also become blurred. What they need to remember is that while the work day feels like an extension of their daily life of planning dinner, coordinating kids’ activity schedules, and even scheduling massages, there are very real reasons why a company needs to make that line as stark as possible.
- Security – It’s the job of every system administrator and security engineer to understand the data that’s entering and leaving the network. Leaving unfettered openings to social media and cloud storage sites invites large unknowns that are extremely difficult to account for when it comes to security. Clicking posts on Facebook or Twitter could lead to malicious websites that are not caught by your perimeter protection devices. Using messaging apps through social media or cloud storage could allow employees to potentially steal insider information and company secrets without the security team realizing it.
- Bandwidth – When a company determines how big of an Internet pipe it needs to have in order to accomplish business tasks, the architects must take a guess at how much traffic will be entering and exiting the environment. If the pipes are constantly serving streaming video/audio, large file uploads and downloads, and other personal employee traffic, the company has to foot the bill for it. If they don’t, there’s a very real risk of network bottlenecks and even customer impacts to externally facing services.
- Productivity – The time a user spends posting to Facebook, watching a music video on YouTube, etc., is time that they are getting paid to not do work. While mental breaks from work are shown to increase productivity, allowing unfettered access to time-wasting tools can potentially do more harm than good.
The arguments above are very real and very impactful. Remember – the company owns the network and can create the rules. It’s their right. But I just can’t help but feel like the highest level of jerk suggesting that this is the “right” way to run a network.
- Yes, social media is a time suck. But it’s also a morale boost to be able to see what’s happening in the outside world.
- Yes, YouTube is a bandwidth hog. But it’s also where you can find a lot of how-to videos to get your job done more efficiently.
- Yes, there are malicious websites out there. But… Well, there’s no but here. And this is why web content filtering is an absolute necessity. But intelligently and thoughtfully.
What Does Intelligently and Thoughtfully Mean?
Web content filtering should be a piece of a larger strategy for understanding the data entering and leaving your network. Companies should tune it to reduce the risk of whatever behaviors cannot otherwise be mitigated with other countermeasures. My recommendation is developing a configuration that could prevent most problems, while also maintaining a healthy relationship with employees.
- Implement a whitelist in your web content filter by category. Block everything that violates the company’s sensibilities. This could be porn, weapons, drugs, and/or whatever the company finds abhorrent.
- In your whitelist, do NOT allow “uncategorized” sites!
- Implement an exception policy for uncategorized sites, preferably with an easy click-through request that will give temporary access to the site while the security team evaluates accepting or denying the site permanently.
- Apply threat management to your Internet points of presence. This will drive your IPS to block known attack vectors as they become known.
- Install a full packet capture system. This is optional, but strongly recommended. With an FPC solution, you can see the past with crystal clarity. If you become aware of a vulnerability, you can look back to see if you were affected. If you suspect a user of questionable activity, you can see every interaction they had with the outside world. It can be expensive, but the power it affords cannot be overemphasized. It’s profound.
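The first three recommendations in this list (a category whitelist, no silent access to uncategorized sites, and a click-through exception that expires while the security team decides) fit together as one decision procedure. The sketch below is an added example, not part of the original article or any vendor's product; the class, the category names, the hostnames and the 4-hour window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample policy: category names and the 4-hour window are assumptions.
ALLOWED_CATEGORIES = {"business", "news", "reference", "social-media"}
TEMP_ACCESS = timedelta(hours=4)

@dataclass
class WebFilter:
    categories: dict                                   # host -> category (constructed feed)
    verdicts: dict = field(default_factory=dict)       # host -> "allow" | "block" after review
    grants: dict = field(default_factory=dict)         # (user, host) -> expiry time
    review_queue: list = field(default_factory=list)   # hosts awaiting the security team

    def decide(self, user, host, now):
        if host in self.verdicts:                      # a permanent decision wins
            return self.verdicts[host]
        category = self.categories.get(host, "uncategorized")
        if category != "uncategorized":
            return "allow" if category in ALLOWED_CATEGORIES else "block"
        expiry = self.grants.get((user, host))
        if expiry and now < expiry:
            return "allow-temporary"
        return "click-through"                         # uncategorized is never a silent allow

    def request_access(self, user, host, now):         # the user clicked through
        if self.decide(user, host, now) != "click-through":
            return False
        self.grants[(user, host)] = now + TEMP_ACCESS
        if host not in self.review_queue:
            self.review_queue.append(host)
        return True

    def review(self, host, verdict):                   # security team's permanent decision
        self.verdicts[host] = verdict
        self.review_queue = [h for h in self.review_queue if h != host]
        self.grants = {k: v for k, v in self.grants.items() if k[1] != host}

def demo():
    t0, h = datetime(2024, 1, 8, 9, 0), timedelta(hours=1)
    f = WebFilter({"intranet.example": "business", "guns.example": "weapons"})
    out = [f.decide("ann", host, t0) for host in ("intranet.example", "guns.example", "new.example")]
    f.request_access("ann", "new.example", t0)
    out += [f.decide(u, "new.example", t0 + n * h) for u, n in (("ann", 1), ("bob", 1), ("ann", 5))]
    f.review("new.example", "block")
    return out + [f.decide("ann", "new.example", t0 + 6 * h)]
```

The temporary grant is scoped to the requesting user and expires on its own, so a site that nobody reviews falls back to the click-through page rather than staying open.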
So you can see, web content filtering is a critical piece of a secure infrastructure. But it can also be controversial. A company’s policies should define how far the filter goes. It should be wielded with care and consideration for the productivity and mental state of those it affects. I’ve shown you some best practices above, but you have to decide for yourself what the best answer is for your environment.
If you need help with figuring out this or any other component of your security program, please feel free to click the “Contact Us” link above and Alpine can help you through it.