Web Filtering to Support HR Policies
Web filtering is an unfortunate necessity at many businesses. Ideally, employees would use their browsers responsibly and keep their personal use down to an acceptable level. Often, though, otherwise good employees make inappropriate use of the Web, and HR departments call for filtering to keep it under control.
Benefits and risks of filtering
There are several goals HR may have:
- Reduction in wasted employee time. Some sites are huge time-wasters; people spend hours on them without realizing it. (Or so they say.)
- Keeping malware from getting into computers. Employees who click on any link in their email can download harmful software. Blocking access to known rogue sites can reduce the chances of this.
- Reducing bandwidth consumption. Video and gaming sites can eat up a lot of the local network’s capacity, slowing down work-related access.
- Avoiding employee discomfort and conflicts. Some employees are uncomfortable about seeing inappropriate content on other people’s screens. This could lead to a harassment complaint.
- Preventing illegal activity, such as gambling and copyright violation.
Filtering carries risks, as well.
- It annoys people and makes them feel untrusted.
- It can block harmless material by accident.
- It can block material which employees need to do their jobs.
- It can create overconfidence that harmful pages can’t get through.
- Clever employees can use proxies or other tricks to circumvent filtering. If the proxy is untrustworthy, this may create more risk than directly accessing the site.
HR departments specify categories of material to block, but it’s up to the technical people to create the filters. This gives them a serious responsibility, but also the opportunity to do it in a way that best achieves the goals and minimizes the risks.
How filtering works
The two main approaches to filtering are by URL and by content. Filtering by URL blocks entire sites. It has the advantage of clarity and predictability. If the company network blocks Facebook or YouTube, it’s obvious what it’s doing.
Filtering by content tries to target objectionable material more precisely, but it’s error-prone. The same words can raise red flags in one context and be harmless in another. URL filtering is generally preferable for finding objectionable material.
Catching malicious sites works differently. A filtering service will keep and update a list of known malicious sites and block them. In addition, it will check page content for signs of bad intent. This isn’t a matter of what words are on the page, but whether the page is using trickery to get the user to download something. For instance, files ending in a double extension, like “file.pdf.exe”, are almost certainly hostile and need to be blocked.
The best software allows a lot of flexibility. It can apply different rules to different people. The general rule might be to block sites that regularly carry information about how to break into computers, but security people will need to read these sites to know what the latest threats are. People who post for the business to social media accounts need to access them, even if the general policy is to block them. Different rules can apply at different times, such as lunch hour and after normal hours.
A filtering system should let the administrator override any filter. There can be reasons why an employee needs to access a site that’s normally blocked.
Test the system after every change in the rules. Make sure that it’s blocking a sampling of the blocked sites and allowing other sites. If an error blocks or allows everything, you want to catch it before the employees notice. The software vendor may provide test pages to help verify that filtering is working as intended.
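The rule features described above (per-group exceptions, time windows, administrator overrides, the double-extension check) and the post-change test can be sketched together. This is an added example, not code from any filtering product; the categories, hosts, group names and extension lists are constructed assumptions.

```python
from datetime import time
from urllib.parse import urlsplit
import posixpath

# Constructed sample policy; categories, hosts and group names are hypothetical.
CATEGORY = {"facebook.com": "social", "youtube.com": "video",
            "exploit-notes.example": "hacking"}
EXEMPT = {"social": {"marketing"}, "hacking": {"security"}}  # group exceptions
LUNCH = (time(12, 0), time(13, 0))                           # relaxed window
RELAXED_AT_LUNCH = {"social", "video"}
RISKY_EXT = {".exe", ".scr", ".js", ".bat", ".com"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}

def double_extension(path):
    """True for names like file.pdf.exe: a document extension, then an executable one."""
    stem, last = posixpath.splitext(posixpath.basename(path).lower())
    return last in RISKY_EXT and posixpath.splitext(stem)[1] in DOC_EXT

def category_of(host):
    """Match the host or any parent domain against the category list."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        cat = CATEGORY.get(".".join(parts[i:]))
        if cat:
            return cat
    return None

def decide(url, group, now, overrides=frozenset()):
    """Return 'allow' or 'block' for one request."""
    u = urlsplit(url)
    host = u.hostname or ""
    if host in overrides:
        return "allow"   # the administrator can override any filter
    if double_extension(u.path):
        return "block"   # applies to every group, at any hour
    cat = category_of(host)
    if cat is None or group in EXEMPT.get(cat, ()):
        return "allow"
    if cat in RELAXED_AT_LUNCH and LUNCH[0] <= now < LUNCH[1]:
        return "allow"
    return "block"

def smoke_test(cases):
    """Run (url, group, time, expected) cases after a rule change; return the failures."""
    return [c for c in cases if decide(c[0], c[1], c[2]) != c[3]]
```

Keep both expected-block and expected-allow cases in the list passed to `smoke_test`, so a rule error that blocks or allows everything shows up as a failure.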
Filter management is a complicated task. At BWS Technologies, we can recommend and set up the filtering system that will best meet your business’s requirements. Contact us to find out how.