Personal web-surfing at work: Is any amount acceptable?
August 29, 2016 5:41 AM

I’d like to get opinions from MeFites, particularly if you work in HR or IT: What do you think is a reasonable policy for personal web-surfing from work computers?

I’m the IT director at a mid-sized company. Our organizational culture has traditionally been fairly lax and easy-going. The employee handbook allows personal web-surfing but limits it to breaks and lunch time. (The handbook does explicitly ban visiting sites that are offensive, pornographic, etc.). This section of the handbook was last revised about four years ago.

My opinion is that we should change the handbook and prohibit any personal use of the Internet, under any circumstances. My main concern here is not productivity but rather security risks. I’m especially worried about the recent epidemic of ransomware infections.

I’ve already started publicizing my new rule that prohibits any personal Internet use. However, I’ve been getting some push-back from employees who claim that my new policy is inconsistent with the employee handbook (the employees do have a point here). The HR director is sympathetic to my arguments, but she seems skeptical that we need an outright ban. She wants to do more research before revising the handbook.

I should also note that we have a wireless network that is completely isolated from the wired network (the wireless uses a different Internet connection and different networking gear). I have explicitly told people that I don’t care what they do on their smartphones, and I’ve also configured three desktop PCs that are available for any staff member to use for personal purposes (within reason).

I’m interested in people’s opinions, particularly if you work in HR and IT.

What would also be really helpful is links to recent articles, blog posts, etc. in HR-related outlets, so that I can provide those references to our HR director.
posted by alex1965 to Computers & Internet (70 answers total) 11 users marked this as a favorite
 
You realize you're posting this at a time when most US people will be responding from work? :) I'm not in IT or HR, but I don't think your security risk worry holds water. I frequently need the internet to do my job, and often am landing on sites that I really don't know that much about to do my research. I suspect it might be similar for many of your employees. I try my best to be a savvy web user, but everyone winds up on fishy looking sites once in a while.

Also, I would probably revolt if my IT department put such a policy in place. A quick browse through twitter or the news headlines is a vital way for me to clear my head cobwebs after an hour of dull legal memos. I really think it makes me more productive.
posted by backwards compatible at 5:52 AM on August 29, 2016 [51 favorites]


I think it's unreasonable to completely restrict personal internet use. In 2016 checking your email during the day is equivalent to taking a personal phone call. It's easy to do one or two personal things on your computer during the day (pay a bill, for example) and still perform your job. A flexible policy lets your employees know you think of them as responsible adults who are capable of balancing personal and professional demands. I would personally roll my eyes if I went in for a job interview and found out that the company had the policy you are suggesting. (For what it's worth, I am a 31 year old working in the software industry.)
posted by deathpanels at 5:54 AM on August 29, 2016 [48 favorites]


"I frequently need the internet to do my job, and often am landing on sites that I really don't know that much about to do my research."

That would be fine, under my proposed rules. As long as your surfing is related to your job, there wouldn't be any restrictions on which sites you could visit.

Also, as I said, you could visit Twitter, etc. on your smartphone or iPad or whatever device you want to connect to the wireless network.
posted by alex1965 at 5:55 AM on August 29, 2016 [1 favorite]


It will not be tenable to block all personal web use. People often use the internet for legitimate quasi-personal quasi-work things: to check facts, find out how to do something with their software, look at a weather site or scan the news, quickly look at an email from a family member for reassurance.

We are now people who are always connected to the outside world by these means. To shut people down for eight hours a day is to ask them to become robots and be satisfied with the information the company supplies only. But to be an effective worker, a person often has to make use of the internet to supply information. Do not discount this value.
posted by zadcat at 5:55 AM on August 29, 2016 [37 favorites]


This is pretty much tin-pot dictator territory, and exactly the sort of thing for which employees loathe their IT departments.
posted by Sternmeyer at 5:56 AM on August 29, 2016 [160 favorites]


IT manager here. Unless you implement a stringent web filter to prevent web browsing, or are closely monitoring usage and are willing to follow through with write-ups and terminations, changing your policy isn't going to change the end users' behavior.

You'd be better off to focus on security measures to prevent ransomware infections.
posted by zinon at 5:57 AM on August 29, 2016 [47 favorites]


Even disregarding the human element, this doesn't seem like the best solution to the technical problem. Ransomware is easily thwarted by a good backup system.
posted by panic at 5:58 AM on August 29, 2016 [4 favorites]


The poster is not saying he will shut down all personal internet during the day. In fact, he is actually trying to facilitate it with the wireless network/wifi and the PC stations.

Having said that, I think it is a mistake to try to eliminate it. I think the burden should be on you with better security and better education. Also, push the wireless through in house advertisements (memos).
posted by AugustWest at 6:00 AM on August 29, 2016 [1 favorite]


This may depend somewhat on your industry and existing company culture. At my somewhat technical company I suspect this policy would result in many of the engineers leaving.
posted by phil at 6:03 AM on August 29, 2016 [8 favorites]


What industry is this? Cultural norms differ a lot between industries (and based on their need to deal with sensitive information, such as in health care). If you can tie it back to a very specific need (e.g. "we have people's medical records on these computers, so we're only going to use them for medical recordy things, but you can use your phones and these workstations for whatever you want anytime"), people may be more receptive. If it's just "IT policy," you're asking for a revolt.

It seems this policy wouldn't really stop ransomware, as users could still open suspicious email attachments and/or ignore the policy and get infected. If you're still vulnerable anyway, the policy could give you a false sense of security.
posted by zachlipton at 6:04 AM on August 29, 2016 [3 favorites]


"What industry is this?"

We're a non-profit that has donor data and processes a lot of credit-card transactions.
posted by alex1965 at 6:08 AM on August 29, 2016


What would also be really helpful is links to recent articles, blog posts, etc. in HR-related outlets, so that I can provide those references to our HR director.

Only 1% of ransomware attacks come from web surfing, as opposed to email attachments. Source: the article you linked. Why don't you start with the evidence and develop policy, rather than searching for evidence to justify your sure-to-be-unpopular policy?
posted by Homeboy Trouble at 6:10 AM on August 29, 2016 [44 favorites]


If you've got people who need to use the web as part of their jobs (say, Googling things and clicking on unknown links or receiving email on their work accounts from anywhere outside the company) then banning personal web browsing will not solve your potential ransomware problem. You'd be further ahead by providing education sessions on how to effectively use the web without running into problems -- how to read URLs to see that you're going where you think you're going, verifying who sent an email before clicking links, checking for security certificates, etc. That would help your employees both at work and at home and likely do more to combat a problem.
posted by jacquilynne at 6:13 AM on August 29, 2016 [8 favorites]


i work in IT, banning personal web surfing at work is ridiculous.

if it's a security issue please use the various tools you have to secure systems (taking away user admin rights, using a centralized tool to push software updates). training is another huge aspect of security.

if it's a productivity issue then it's an issue between the employee and their manager and not an IT issue.
posted by noloveforned at 6:17 AM on August 29, 2016 [54 favorites]


I think you really need to look at what other organizations in your industry do in this area, if you're hoping for any backup here, because perhaps there are specific areas where this is a reasonable thing to do. But speaking generally, your suggestion would be a non-starter anywhere I've worked. In my experience, most people expect to be able to do a reasonable amount of personal use of the internet during the day on their own computers where they do not have to worry about things like "this site I need works like crap on a mobile browser so my phone isn't going to cut it" or "what if I forget to log out of my bank's website on a shared computer and someone comes along after me and uses the same computer and sees my personal banking information" or "what was that URL anyway, since I can't just have it bookmarked on a shared computer" or "I need X browser/display settings because I have poor vision / migraines and so I need to spend five minutes resetting everything on the shared computer anytime I want to use it."

I think you would probably lose employees or at least have employee morale issues if they feel they're being micromanaged and distrusted. Maybe that's fine with you, but I'd do the research to figure out what the risks really are and whether they're worth employee dissatisfaction or difficulty retaining employees. Perhaps you can manage your risk better with some of the other things suggested here.
posted by Stacey at 6:30 AM on August 29, 2016 [4 favorites]


That would be fine, under my proposed rules. As long as your surfing is related to your job, there wouldn't be any restrictions on which sites you could visit.

Who is going to look at logs and issue rulings on this? Because when I'm in the break room talking about how the organization should recalibrate its priorities to match its actual mission, it's useful to have a particularly good example of what needs to go away.

We're a non-profit that has donor data and processes a lot of credit-card transactions.

Maybe evaluate your concerns from a PCI compliance angle instead?
posted by gnomeloaf at 6:32 AM on August 29, 2016 [2 favorites]


I would not work for a company with such a policy.

I'm not in HR or IT, but I've been the assistant to C-level execs for my entire career and I can tell you even they use the internet frequently throughout the day for personal reasons. It is not reasonable in 2016 to expect people not to do this.
posted by something something at 6:32 AM on August 29, 2016 [33 favorites]


I'd immediately start looking for another job anywhere that rolled out this policy. On your time, and your network, even though I'm usually a pretty productive employee.

The only circumstance in which I'd maybe be ok with such a policy is if you had an equally stringent policy on doing absolutely no work outside of the work site: no email checking in the evenings, no expecting people to respond while on vacation or home sick, etc.
posted by deludingmyself at 6:39 AM on August 29, 2016 [25 favorites]


I once worked at a place with a no-personal-internet-use-whatsoever rule, and I left it as soon as I found another job, maybe four months later. The internet policy certainly wasn't the sole reason I left, but it's the first thing I mention when I talk about how ridiculous that place was. Nobody has ever responded with "oh, but that seems like a reasonable policy."

If you implement this rule, be prepared to enforce it, be prepared to lose employees, and if you rely on referrals for hiring be prepared to lose those too.
posted by Metroid Baby at 6:42 AM on August 29, 2016 [16 favorites]


I work for an organization that has this rule, and here I am. I expect people's responses would be something like, "IT has made their decision; now let them enforce it."

I know everything I am doing is tracked, and I don't care. I have never, ever heard of someone being disciplined for personal web use -- it would be truly impossible. A ton of sites are blocked (gmail, social networking, lots of random sites), but I manage to find plenty of ways to surf the web. I do a lot of work-related research online, but I also read a lot of NYTimes, pay my power bill, etc.

Were it to be an issue, IT would have to talk to my manager; I can't imagine he would take the time to say anything assuming I am exceeding his expectations of productivity. And I also can't imagine he doesn't also use the internet for "personal use".
posted by quadrilaterals at 6:48 AM on August 29, 2016 [7 favorites]


I would leave the company if this policy were implemented and I were hassled about my internet usage.
I worked at a non-profit dealing with donations and credit card transactions. We didn't have an IT department, and we never had any issues at all with this kind of thing. I wasn't even allowed to buy anti-virus software for my computer.

It feels to me as if you're implementing this policy either to avoid doing your job or because you're on some weird power trip.
posted by shesbenevolent at 6:49 AM on August 29, 2016 [7 favorites]


Not sure I understand why personal web use is more likely to lead to ransomware problems than regular unfiltered business use. The ransomware site doesn't care if you're there for business or pleasure. The solution to concerns about web based malware would be a tightly locked down network with a short whitelist, no? That was the solution when I worked at a high-security employer.

Your stated reason for wanting the policy makes no sense to me.
posted by Eyebrows McGee at 6:52 AM on August 29, 2016 [22 favorites]


I work in IT. Everyone in my department, including managers, openly does web surfing sometimes. It would be ridiculous to expect them not to.

I think the issue you're trying to address (security/viruses) is better approached with user training about how to avoid questionable links.
posted by a strong female character at 6:56 AM on August 29, 2016


From The Wall Street Journal: "Web Surfing Helps at Work, Study Says"

I strongly recommend against implementing a policy like you're proposing.
posted by limeonaire at 6:56 AM on August 29, 2016 [10 favorites]


If it's truly a hardcore security issue, Nthing the chorus of "get better at protecting the system." What you are suggesting is nothing more than a band-aid. Keeping employees off the internet is a drop in the bucket when it comes to the ways and means it's possible for your data to be compromised.

If there is any element at all of wanting to restrict usage for other reasons... just know that life will find a way. Employees will just use personal devices and find other means to do what they are going to do, and what (despite what handbooks and policies dictate) is just How Things Are In The Modern World.

Over time, super-restrictive policies for seemingly less-than-watertight reasons will dry up the talent pool and your company will suffer. Not that your reason is not sound from your perspective - but really, it's not coming across as such from this post. "We store credit card transactions" seems like not nearly enough reasoning to justify what (from the responses here) looks to be perceived fairly universally as a terrible idea.
posted by I_Love_Bananas at 6:59 AM on August 29, 2016 [2 favorites]


So, anecdotally, if I worked at a place with this policy, I would not have been able to read the personal email from my son at college that was basically stating that things weren't going as well as he had led us to believe and he had serious, crippling anxiety, and he thought he might be suicidal. He sent the email because it was easier for him than calling or texting us.

He didn't send it to my work email because that's not the one he uses for me. I wouldn't have been able to respond as quickly as I did had I been forced to wait until I got home or remembered to check my mail on my phone (which I never do).

If the issue is security, you need to train your people better and implement better firewalls. Don't ban internet use. That's not solving the problem, it's being Big Brother.
posted by cooker girl at 7:03 AM on August 29, 2016 [6 favorites]


If people are only able to look at dinner menus, social media, travel plans, and store inventories on their phones, those activities will take _much longer_ than they would on a computer screen. It will also take additional time if you require them to go to or wait in line for special designated computers. You'd either be effectively preventing them (through increasing the effort/time it would take) from doing these things, or making it much more cumbersome and costing the company their valuable time and focus.

I love hard, focused work. I love focusing at work, and I love not having distractions. However, preventing me from spending 10 minutes at lunch, a break, or the end of the day to do a little research to make picking up something on the way home possible is effectively handicapping my life. I can't even imagine how difficult it would be with kids or other interests.

Then you also get into enforcement issues. Sure, it might only be enforced if someone is already having low productivity or something (a terrible approach to policy), but you'd essentially be making a criminal/rule breaker out of anyone who wants to put together a group order for lunch or who wants to shop for flowers for a bereaved friend, or who wants to watch a cat video while eating lunch at her desk.

I actually think you might be _safer_ if you a) assume that you will have a breach and prepare to handle it speedily and gracefully (which will also make you an instant hero when it happens), and b) _ask_ people, politely and humbly, to avoid high-risk web activity.

You can write a really great guideline (also making you a hero), collaborating with some excellent communicators in your company (also making you a hero with leadership potential), spelling out some earmarks of high-risk sites and activities.
Also, beware unintended consequences:

There was a famous behavioral economics study of a day-care facility that showed that introducing formal penalties for late pick-ups actually made rule breaking _worse_ than before; when people were expected to be on time just for social "goodness" reasons, they were much more likely to be "good citizens" and be on time.

Also, once people start "cheating", they stop seeing themselves as rule followers and become less inhibited about more serious cheating.

By making all personal web activity illicit, you may actually introduce more risky behavior as people figure they're breaking a rule anyway by surfing the web at all.
posted by amtho at 7:03 AM on August 29, 2016 [14 favorites]


Answering at work. I work for a large company with a decently overbearing set of IT-based rules, including blockers that have actually blocked some of our own company's websites. (Granted we have a lot, but the irony was amusing.) But generally, it's fine - the ones they block make sense, and the tool they use tells us why it's blocked. And gives us an escalation chain to have them unblocked if needed.

I would not work for a company that blocked casual internet access. Have the right tools in place to protect your network, but as long as people are getting their work done, the internet is as much as part of life as anything else these days.

I feel you're trying to solve a problem with a heavy-handed approach that will backfire with unintended consequences.
posted by cgg at 7:06 AM on August 29, 2016 [1 favorite]


I am working at a place with fairly draconian computer policies, and it is still understood that there will be a certain amount of personal web use. It is faster and easier for me to quickly check the directions and distance to a store to see if I can get there during lunch, than it would be for me to do the same thing on my phone or to walk down the hall to a shared computer (which feels very last-decade, I don't see those public computers anymore).

Impose necessary restrictions for security, but employee productivity seems like an issue for their managers, not IT.
posted by Dip Flash at 7:08 AM on August 29, 2016 [1 favorite]


We're a non-profit that has donor data and processes a lot of credit-card transactions.

But those aren't being processed or stored on employees' everyday work machines? Right? Right?

You're posing this as a security issue. I've worked on projects where the client was a super-paranoid government agency, and personal internet use wasn't banned (there was a light-touch content filter, that almost never fired, because people aren't idiots).

My gut feeling is that you don't have the specialist knowledge needed to assess or implement IT security, so you're doing what everyone does - dealing with the obvious problem that's right in front of you (eg low-risk facebook usage), in the obvious way, rather than the higher-risk problem that's somewhat hidden (eg spear phishing).

I imagine a well-thought-out security policy would partition sensitive data off into a separate, secure space, rather than try to fight human nature.
posted by Leon at 7:12 AM on August 29, 2016 [14 favorites]


A ridiculous policy that is unrealistic to implement and police and not at all tailored to suit the problem (banning personal surfing to evade malware does nothing to stop surfing for work reasons that also exposes the company to malware), which makes it doubly insulting to the people you work with. This is the kind of arbitrary and poorly thought through rule that makes people hate work - the petty power trips of coworkers who make irritating rules just because they can.

Furthermore, to the extent you're worried about donors, if I were a donor whose credit card info was exposed to malware, and your response was "Well, our security policy was to ban all personal (but not work-related) web surfing," I would argue you fell down on the job here. Increase security in a manner that's actually effective.
posted by sallybrown at 7:14 AM on August 29, 2016 [6 favorites]


If folks are filling their time with the web but work is still getting done on time, then they obviously need more work-- that's not your problem in IT, that's a management problem.

I think it's reasonable to block porn and gaming-- just the really compulsive stuff that also has a lot of ads and safety risks. You could consider blocking social media, but people will complain more than it's worth. The general directions/shopping/blogs/wikipedia stuff-- leave it.
posted by blnkfrnk at 7:16 AM on August 29, 2016 [1 favorite]


The HR director is sympathetic to my arguments, but she seems skeptical that we need an outright ban. She wants to do more research before revising the handbook.
From the conversations I've had with HR people in my career, I take this to mean "the HR director has zero intention of revising the handbook", FWIW. And it costs you major political capital to tell people there's a different policy than the handbook says.
posted by xueexueg at 7:17 AM on August 29, 2016 [25 favorites]


Are you worried about your donor database, something like Raiser's Edge? If so, talk to the vendor about how to keep data secure. You can (and should) restrict which employees can see donor data. Thousands of organizations have donor data and do not restrict web use in this way. There are probably specific groups for nonprofit IT, but you can also check with APRA (the association of prospect researchers for advancement) for advice.

I haven't worked in an office in four years and just reading your question is giving me anxiety.

I did work somewhere once where a policy like this was sort of in place. The IT guy checked occasionally to make sure no one was spending a significant amount of time on any sites. My second week my boss called me into his office to ask why my computer was showing several hours on the neopets (?) site on a Sunday afternoon. I didn't even know how to respond to that. In practice, those who were friendly with IT did whatever they wanted and those that weren't got extra scrutiny. It was not a good policy.
posted by betsybetsy at 7:18 AM on August 29, 2016


If you're not concerned with personal surfing, wouldn't it just be better and more efficient to focus on the real problem: security breaches? Educate people about how to avoid them.
posted by My Dad at 7:19 AM on August 29, 2016 [1 favorite]


I am unsure how you plan to differentiate better "work research web use", and personal web use. I am also unsure what repercussions this will have against the employee, especially in light of the HR feedback you received. You may be better suited to put your focus on developing a better security protocol, NIDS, or other defences.
posted by kellyblah at 7:22 AM on August 29, 2016 [3 favorites]


I'm also concerned about ransomware, but I know that trusting my end-users to be my security layer isn't going to be viable; they're more fallible on a technical level, falling for spoofed emails, bad links, etc. It's unfair to put that burden on them, and if they slip up and data gets locked up, I'm still going to be the one that takes the blame.

Ask yourself why ransomware scares you, and then address that problem. If Bob from Accounts gets hit, why does that scare you?

Are you taking X hourly backups of all user profiles? Are those backups going to segmented storage so that Bob's backup client only sees Bob's backup files? Can you limit the share access so that only the *backup* process can access it rather than all processes run by the user? Are your network shares being backed up regularly? Are those backups being cycled off to an offline or cloud location?

I think of ransomware as a real-life sledgehammer -- if someone's machine does get hit, I might as well smash their machine with a sledgehammer and deal with that consequence. I'd rather that than walk into the GM's office and say... "well.. so there's this thing called bitcoin...". So, if I took a sledgehammer to Bob's computer, how quickly could I get him up and running again, and how many hours of data would he lose?
posted by Static Vagabond at 7:25 AM on August 29, 2016 [7 favorites]


I became slightly more sympathetic to your question when you mentioned lots of credit card data, but on the whole it made me angry. We have almost no labor protections in this country, no job security, and something like only 20% of us take a proper lunch break. Morale matters, and that management mostly doesn't recognize this absolutely astonishes me. Work on your security issues at the back-end, and maintain a little freedom and the odd break to your workers at their discretion. It's the civilized thing to do.
posted by Violet Blue at 7:25 AM on August 29, 2016 [38 favorites]


As long as your surfing is related to your job, there wouldn't be any restrictions on which sites you could visit.

The idea here is that Some people would be allowed to surf, and Others wouldn't? Yeah, that is terrible for morale and team cohesion. Also, how are you going to decide which sites are "work related" and which aren't? You can't know in advance which info bits are going to yield fruit, either now or later; you might be blocking off info that's critical for people to do their jobs. (I know that for one job, I used to get relevant info on stakeholders in the weirdest places.)

I have explicitly told people that I don’t care what they do on their smartphones, and I’ve also configured three desktop PCs that are available for any staff member to use for personal purposes (within reason).

This

- visibly identifies people as "not working". Also terrible for morale and a great way to build resentment.

- breaks up workflow (because people can and do dip out for 5 minutes at a time). It also presumes that people are "productive" (in a very narrowly defined way) for 100% of their 7.5-8 hours. This is just not how humans operate. We aren't machines. Don't have the number off-hand, but I've read that most people are "on-task" for only 4 or so hours (if that) - the rest of the time goes to maintaining relationships with colleagues or clients, resting, pursuing info or knowledge out of curiosity (again, some of which may be helpful in some roundabout way, even for people not directly working in creative or technical roles).

You want to "prove" to your Human Resources dept that what they know about security is wrong, but from other posts, it's not clear you're going to find much evidence for your position. (In fact, I think it would help to get notes from HR on what they know about people.)
posted by cotton dress sock at 7:30 AM on August 29, 2016 [17 favorites]


My limited understanding with credit cards and non-profits is that if you're directly handling the data, you should be using software and hardware isolated and set up just for the credit cards, and that only a few authorised staff should be able to access them for security reasons (which is laborious and why so many medium and small places outsource credit card processing). So why would you need to apply the same high security reasons to the whole company that you need for just this one set of a few people (who should get to have a "non-work computer/tablet" option like a sysadmin often does for safe use) - or have you got total possible IT access to your credit card data for ALL your staff? Which is really weird and unsafe.

Blacklisting porn, hate etc sites, reminding people explicitly that facebook games are for lunch time/breaks only and setting up a reasonable use policy gives managers and people wiggle room to be sane humans. If it's productivity - before the internet, time was wasted at the office in other creative ways. Blocking access doesn't make people work, it just irritates them badly.
posted by dorothyisunderwood at 7:45 AM on August 29, 2016 [4 favorites]


For the past 3 years, I have worked at companies with VERY intense security requirements and concerns. None of them have these personal Internet use policies.

To address security concerns, my employers have approached the issue in the following manner, which address the most important vectors of risk:

No installation or reading of data from outside sources (no USB drives, no reading from DVD drives, etc)

Some go so far as only allowing access to desktops via virtual machines hosted off site.

Strict monitoring and scanning of all incoming attachments (and no executables)

Strict monitoring of emails with URLs and from unknown senders to reduce incidence of spear phishing, as well as training and policies for all users to be on the lookout for suspicious emails

No ability for users to install outside software on their desktops without the intervention of IT, and only approved applications.

The places I have worked also restrict access to Facebook, gmail, and LinkedIn not because of the possibility of ransomware or infection, but because of legal restrictions against communicating outside of work email over the company network.

A no-personal-use policy is so far outside the norm that unless you are the IT manager of a Department of Defense facility or the Federal Reserve trying to protect information about interest rate policy announcements, it will be hard to attract any but the most desperate employees.
posted by deanc at 7:46 AM on August 29, 2016 [10 favorites]


I'm wondering what donor database/software you are using. A lot of nonprofits try to get by with free/cheap options. Like an excel file on a shared drive. If this is what you're trying to protect, you'd honestly be better off with a handwritten list in a safe....

Donor database software is expensive but that's because years of work has gone into making the system effective and secure.
posted by betsybetsy at 7:47 AM on August 29, 2016 [6 favorites]


Our large company's official policy, in the employee handbook, states: "don't use company computers for personal gain." E.g., don't run your personal eBay store from company computers. I don't think they really enforce it, but I'm guessing they would if someone was trying to form a competitive startup or something.

Other than that, yeah, we have a lot of web filters here. They block Facebook and Craigslist, but not eBay for some reason (probably because we need to see if our products are being sold there by third parties). They block anything remotely related to sex, gambling, guns, violence, and games, presumably based on keywords in the targeted site. One year we had a new filtering vendor and it went bananas, blocking everything in its path, including the New York Times and Metafilter. People were furious, and the old vendor was quickly restored. This was several years ago.

And yes, I can have all the sex and gambling I want on my phone. But unlike Metafilter, that would be a real distraction, and HR would discipline me for not getting my work done. As some folks above have said, it's more of an HR issue than an IT issue.

Best of luck to you. I know how infuriating it is to have decision makers in your company who are 10+ years behind the times.
posted by Melismata at 7:54 AM on August 29, 2016 [1 favorite]


I work for a government agency that handles sensitive information; we are subject to significant exceptions from our state's open records law that keep our files and information confidential. Our office allows personal internet surfing subject to a web filter.

I think a no personal surfing policy is a terrible idea for the reasons others have stated above.
posted by craven_morhead at 7:54 AM on August 29, 2016


I work in a non-profit where we do a lot of transactions on our website, both donor and purchase. This policy sounds crazy to me. Not only is a lot of non-profit work often based around knowledge and networking, which makes the internet a pretty important tool for just about everyone (accounting needs to look up a contact number for an invoice, development needs to see pictures of donors, client services need to recommend other resources, etc. etc. etc.) but where the heck is your data being stored that you're worried about a desktop issue?

I think you'll be issuing so many 'passes' for work use of the Internet that you'll be in the same position as if you allowed personal use. Also, the people most likely to have super sensitive data will be the same people who will overrule the rule for themselves right away. You need a better backup/protection system in general.
posted by warriorqueen at 8:01 AM on August 29, 2016 [1 favorite]


One additional cost for employees of complying with this policy I haven't seen mentioned is the cognitive cost: Your employees have to decide every time they think about visiting a new site whether it's work or personal. Even in the simple obvious cases, just making that choice every few minutes throughout the day is significant. And I know that in the various knowledge-worker type roles I've had, there's a huge chunk of my daily browsing that falls into a grey area: not directly relevant to the work I'm doing at the moment, but generally relevant to awareness of my field in general.

If I heard that a place I worked or was considering working enacted such a policy, I would consider it a big red flag that this was the type of place where, when faced with a difficult problem, management preferred doing something visible, cheap, annoying, and ineffective to investing time and/or money into actually fixing the problem.
posted by firechicago at 8:03 AM on August 29, 2016 [9 favorites]


It's my understanding that any credit card processing needs to be done in such a way that no employee machines can access full numbers / security codes for the credit cards. If ransomware can get it, so can your employees, which means you're not complying with the rules and regulations surrounding card processing.

I'd be more concerned about that than I would be about employees dicking around on metafilter.
posted by AmandaA at 8:06 AM on August 29, 2016 [5 favorites]


Sysadmin here. I also disagree with limiting personal surfing. There are basically only two justifications given for doing so: time wasting, and security.

I'll touch on time wasting even though you didn't: it's pointless to address this by blocking websites. Users will just find un-blocked websites. Or surf on their phones. Or walk around and converse with co-workers. Read a book. Do a crossword. Take a long lunch. Leave early. It's a management/HR problem, not an IT problem.

So, security. Even if you do this — especially since it sounds like you'll be doing it on the honor system — your users will find unblocked websites, some of which may carry malware. Even websites you deliberately leave unblocked may carry malware via embedded ad providers. Then there's email - most common delivery vector for phishing and malware. And don't forget people downloading things at home and bringing them in on USB drives!

The only approach that works is having multiple layers of actual security to catch problems before they happen. You should have:
  • Centrally managed and updated anti-virus on all computers, including file servers
  • Centrally managed OS and software updates so you can ensure everyone is up-to-date (Microsoft WSUS, Ninite Pro, etc)
  • An office firewall that monitors for suspicious traffic (Security Onion, Checkpoint SMB, SonicWall TZ)
  • A good anti-spam service to prevent suspicious emails from even reaching your users
  • Users should be using non-Administrator accounts on their PCs
  • Security policy on the local PCs should disallow attaching USB storage. Users who need to access files from home should have a company-supported option like OneDrive, Dropbox, etc rather than shuffling around potentially infectable hardware.
  • Back up your files and databases regularly, and test your backups to ensure they work
The first few items should prevent you from getting hit with malware in the first place. I understand non-profit budgets can be tight, but none of this needs to be expensive. You can do everything but the backups for about $1,000/year if you have around 10-20 seats, assuming you already have a Windows server you can add WSUS to, and that you install the free SecurityOnion software on existing hardware as your firewall. Cost for file backups vary widely based on your approach, anywhere from $10/user/month for backing up files on their PC, to potentially hundreds for local client + server + database backups with offsite storage.

Most importantly, though, you should be doing all of this anyway. Otherwise it's a matter of time before you get slammed with a cryptolocker variant and have to figure out how to buy $500+ worth of bitcoin to get your company's data back.
posted by CrayDrygu at 8:08 AM on August 29, 2016 [17 favorites]


Oh man. I've worked for IT in government, education, non-profits, and huge financial service companies. Not only would I not allow such a policy, I'd seriously question the judgement of any employee who suggested it under those terms.
posted by snickerdoodle at 8:10 AM on August 29, 2016 [8 favorites]


If I were in your shoes, I'd be far less worried about this policy seeming draconian to the rank and file, and more about it suggesting to fellow managers that the policy is coming from a place of ignorance and deeply misguided priorities. Essentially, if your job relies in any way on your coworkers trusting your judgment and knowledge regarding infosec issues, this policy would cripple that trust.
posted by a box and a stick and a string and a bear at 8:12 AM on August 29, 2016 [18 favorites]


HR here. First, don't do this. I work for a HUGE corporation, hold people accountable for internet use infractions, and have never ever seen a ransomware incident. Is this some kind of rampant occurrence at your workplace? If not, don't enact this policy. Not least of all, you will not be able to distinguish between personal use and visiting sites that could be for personal use, for work-related purposes. Second, personal use of the web is an employee benefit/necessity at times. And frankly, employee benefits ARE necessities. Are you seriously telling us that YOU have never, ever, ever used the web for personal use? If you say yes, I won't believe you.

If you NEED to do this, just get a filter to block some sites. Ours only blocks inappropriate content - I can access some but not all Tumblr sites, for instance.

Also to throw this out there to the crowd: employee handbooks aren't the law, and they're not a contract. Your employer can make 5,900 policies that aren't in the handbook and they're still enforceable. We don't even have a handbook, just a website with access to our policies (that are intentionally vague).

Don't do this. The costs do not come close to offsetting the benefit.
posted by good lorneing at 8:14 AM on August 29, 2016 [7 favorites]


Writing from work to nth the chorus of "I'd start looking for a new job, stat".

And so happy to see that there IS a chorus, even if metafilter isn't quite a random sample.
posted by sazerac at 8:16 AM on August 29, 2016


At my workplace (a testing center), we are allowed zero personal internet usage. While our situation won't be an exact match to yours, it might give you another data point about how counterproductive this situation can be.

First of all, I can't tell you how many work-related problems our company's internet policy causes on a daily basis. Often, a candidate needs information that we could look up in five seconds on Google, but instead we spend ten minutes on hold with the call center or IT - because our company doesn't think we rate being treated like adults. That wastes everyone's time. Including the test candidates, who are paying hundreds or even thousands of dollars on their exams. Some of us will use our personal cell phone data to look up information for these candidates, and it's inexcusable that we should have to do this.

Everyone spends excessive time on their phones. Not just a little bit of time here and there. Everything is complicated by the fact that we can't use our personal email accounts on our work computers. More time is wasted, more resentment is fostered.

And no matter how important or innocent your usage, people get weird if they think you spend too much time looking at your phone. If you can just click to another window of your computer to get to your personal email, it is less visually disruptive than having to whip out your phone. Forcing people to only use their phones for personal internet access can force them to look unprofessional even when they aren't doing anything inappropriate.

Every one of us views this policy as infantilizing and demoralizing. People don't work at this testing center a moment longer than they absolutely must. The working conditions ensure that only desperate or incompetent people work there.

TL;DR - You can't treat people like robots and expect good employee outcomes.
posted by Coatlicue at 8:21 AM on August 29, 2016 [34 favorites]


If people are only able to look at dinner menus, social media, travel plans, and store inventories on their phones, those activities will take _much longer_ than they would on a computer screen.

I left out a key point: these activities, the processes by which people have their social and material needs met, are actually critical for making them effective workers, too. Being able to shop, plan, and feed oneself efficiently means having the ability to relax and sleep a full night AND be happy and well-adjusted, all of which leads to better decisions at work and in life, and more productivity.

For most people, there isn't enough time to do everything they really need to do. That's even ignoring the additional time and attention that good child-rearing takes, and you, and everyone in your company, do want people to raise children well and to contribute to the communities they live in.
posted by amtho at 8:23 AM on August 29, 2016 [8 favorites]


I know I'm chiming in the same as everyone else, but a couple anecdotes and observations:

-- I was terminated from a job, with the stated reason being too much personal internet usage. The truth is: I wasn't doing my work because I hated the job. I should have quit on my own years before, when the company restructured and put me in that position to avoid having to pay me severance, and I wasn't good at the job, didn't like the work or coworkers. The point is: Look at personal internet use as a symptom, not the problem. Like someone upstream mentioned: maybe it's a sign of being overstaffed, or disinterest in work, or someone needs something to do but hasn't asked, or has asked and got an insufficient answer.

-- At my current job, we have a Barracuda device which does content filtering, blacklisting, deep-packet inspection for viruses, etc. We haven't had a problem internally, while only slightly impacting use. The old IT guy had a LOT of stuff blacklisted, which was causing people problems because every so often a genuinely useful website and even Google would be blocked because the IP address was in a weird block. When he left, a lot of that stuff got turned off and things still work, none the worse for wear. We also have centrally-administered antivirus.

-- one young, very tech savvy salesperson, while on the road and not behind our firewall, fell for ransomware, one of those "you need to call Microsoft right now" ones. She didn't realize what she had done until she had already allowed them to remote into her machine, at which point she hung up and turned off her laptop and called me. Our attitude in IT: OK, yeah, stupid move, but now we fix it -- she was told not to turn on her laptop again, she brought it back into the office and we backed up her personal folder, wiped the hard drive, reinstalled Windows and restored that folder, scanned and rescanned for viruses, and gave it back to her. We didn't give her crap, because "it happens", and the pain of having to recover things that might not have been in the personal folder, plus she had to cancel credit cards and change passwords everywhere, was pain enough for her without us piling on. The moral here: policies can't prevent every possible problem, but you have to have a policy in place to handle the problems when they happen, and without further punitive issues, otherwise people will hide that they have a problem, which keeps things broken longer than they have to be. If you have a "work internet only, no personal" policy, and somebody does personal surfing and catches a virus, they'll be more interested in covering tracks to hide the personal use than in seeking help to get it solved.
posted by AzraelBrown at 8:47 AM on August 29, 2016 [16 favorites]


Yeah, we're super locked down because we build massive infrastructure control systems. Water supply? Power grid? That's us.

We're allowed personal use as long as it doesn't interfere with our ability to do our jobs. Can't have personal devices on the network, but we're allowed to dick around within reason. We also undergo various security trainings, but most of our security is through airgapping and careful access provision.
posted by chesty_a_arthur at 8:53 AM on August 29, 2016 [1 favorite]


I work for a core processor, so my livelihood involves working with credit card information on a daily basis, and while our internet usage is restricted in that many sites are blocked by our firewall, there is not a blanket ban on personal internet usage. I think this is probably because such an action communicates to employees that they are not trusted at all, and will be treated like unruly children. Most people don't want to work at a company that treats them like they can't be trusted to do their jobs. If you want to lose the best people you have, definitely implement this policy and watch your best and brightest leave to work for employers that have more respect for their workers.
posted by palomar at 9:04 AM on August 29, 2016


If I have to switch to my phone to check my personal email, then my concentration is broken and my time is totally devoted to my personal email (and whatever else is on my phone.) I am a manager and would not want to be seen staring at my phone, nor would I want to see my group on their phones and not looking at their monitors.

Whereas if I can just tab between my work and personal email on my work computer then it's not an investment of time or concentration to check.

I would like to add that, although you say it's about security, as others have rightly pointed out, if it's anything-goes for business purposes, an unsafe site does not become more secure just because I'm looking up client info rather than goofing off. So I don't see how any employees would see this as being about anything other than controlling them.
posted by kapers at 9:15 AM on August 29, 2016 [1 favorite]


We're a non-profit that has donor data and processes a lot of credit-card transactions.

No. No way. Do not try to implement this. I have worked in the non-profit sector my whole career. One of the major reasons people work in this sector is because of that whole "collegial work environment" thing, which involves being treated like an adult in the workplace. It's a trade-off for getting paid less. Also, non-profit employees tend to be opinionated and good at internal maneuvering and rabble-rousing - I could see this as being the kind of thing that ultimately leads to an IT Director being pushed out or at least internally marginalized. Don't do this to yourself.

Surely donations are managed through a CRM if you are a mid-sized org?? If not, then as IT Director, that seems like a better use of your time, to make that happen. Or are you talking about major gifts? Even then, there are secure ways to handle that info.
posted by lunasol at 10:07 AM on August 29, 2016 [16 favorites]


Where I work web surfing is not frowned upon at all, as a matter of fact my director says "if I see my engineers goofing around on youtube during the day that means they automated the work generators and are not stressed or under the gun". Basically my director believes that we think best when we are not working 60 hours a week with every path being critical. Having time to surf means to him we are doing our jobs well and able to respond to critical issues when they happen as opposed to having critical issues queue up back to back thus creating contentions for priority.

And I think that is absolutely the right way to think about it.
posted by Annika Cicada at 11:45 AM on August 29, 2016 [8 favorites]


One more thing: I still work in the non-profit sector and am now a manager. You realize managers are the ones who would have to enforce this and most of them will think it's silly, right?

If the IT Director at my org tried to make this an official policy, I would 1. tell my division director I had no intention of enforcing it and 2. privately tell my staff not to worry about it. If IT came to me and told me an employee was using the internet for personal reasons, I would thank them and do nothing with that information. If IT tried to reprimand my staff member instead of having me do it, I would go right to my division director and HR and raise hell.

And I am a pretty low-key, non-turfy manager. I know other managers who would go to war over wasting their and their team members' time, and the damage a reprimand for something so stupid could do to a team.
posted by lunasol at 11:57 AM on August 29, 2016 [3 favorites]


Oh yeah, and FWIW, I'm a network security engineer and I work for an internet-based company. Your fear of ransomware should be from email, not the web. Which you probably allow inbound. Do you have a method in place to detect or prevent attachments from executing locally? Like say FireEye or AMP or hell even Symantec Enterprise. I looked at Cylance, it's actually pretty cool but it breaks powershell so we can't use it where I work.

Get some Palo Alto firewalls with a wildfire subscription to catch the malware and let your IT security team, legal and HR define the acceptable use policy for internet usage.

If you don't have a staffed IT security team then I propose you drop the conversation of limiting people's internet usage and start talking to your C-Level executives about a 2017 budget to staff a security team.

In the meantime, hire Clear Skies to perform an IT Security Assessment on your company to show you exactly how you're gonna be owned. In short, your fears are TOTALLY misdirected if you think locking down outbound internet is gonna achieve anything other than a mass exodus of talent and terrible morale.

Floating that policy is a career limiting move. I urge you to take my advice. I am a professional with 17 years experience in this space and I do know what I am talking about here.
posted by Annika Cicada at 11:57 AM on August 29, 2016 [8 favorites]


OK, thanks for the feedback. The policy has only been in place a short time, so it looks like it's time to rescind it.

Y'all can stop nthing. I get it.
posted by alex1965 at 12:14 PM on August 29, 2016 [12 favorites]


Not at all nthing here, but as the IT guy at a small non-profit, I have to say: if you have donor data primarily stored on staff machines or credit card data anywhere near staff machines, please do something about that.
posted by ssg at 5:38 PM on August 29, 2016 [4 favorites]


I like a white-list system - where by default all sites are blocked, then you open up the major ones (news sites, facebook, gmail etc). Every time a user tries to visit a site that has not been whitelisted, they get a message "access to this website has not yet been authorized, the domain has been submitted for IT management review, please check again in 2 business days" etc. No IT review actually needs to happen; there's a list that gets sent to the IT manager and it automatically gets whitelisted within 2 days unless he / she intervenes.

I believe it's a good reminder to users that their personal use is explicitly allowed - if the site lets them access Facebook or Gmail, it's because IT is specifically allowing them to - so employees can feel confident their personal use is sanctioned and safe for use. Eg, if the company did not want them to access Facebook or did not feel it was secure, they would have not whitelisted it in the first place.

At the same time it's a good reminder for users to be responsible in what they are requesting access to, as it's possible to get complacent and fall into the trap of thinking their personal use is private and without consequence, as opposed to the reality that they are accessing these sites on a corporate machine.

The worst IT policies are the ones which are obscurely worded, so users can fear they might be fired for any grey area violation. White-listing is essentially IT taking responsibility to prevent users from committing violations: they cannot by definition commit any violation, as the white-list will stop them before it happens.
posted by xdvesper at 7:12 PM on August 29, 2016
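The default-deny whitelist with a review queue that xdvesper describes, written out as an added example (not code from the post or from any product the thread mentions). It assumes business days are simply weekdays (public holidays are ignored), that a domain matches an allow-list entry when it equals it or is a subdomain of it, and that the IT manager's only intervention is to deny a queued domain before the window closes; the domains used are constructed.

```python
"""Default-deny web whitelist with auto-approval after a fixed review window.

Assumptions (not from the original post): business days are Mon-Fri with no
holiday calendar; subdomains of an allowed domain are allowed; IT intervenes
only by denying a queued domain.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

REVIEW_BUSINESS_DAYS = 2  # "please check again in 2 business days"

PENDING_MESSAGE = (
    "access to this website has not yet been authorized, the domain has been "
    "submitted for IT management review, please check again in "
    f"{REVIEW_BUSINESS_DAYS} business days"
)


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start, skipping Saturdays and Sundays only."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return d


def _labels(host: str) -> List[str]:
    return host.lower().rstrip(".").split(".")


def matches(host: str, entry: str) -> bool:
    """True if host equals entry or is a subdomain of it (mail.example.org vs example.org)."""
    h, e = _labels(host), _labels(entry)
    return len(h) >= len(e) and h[-len(e):] == e


@dataclass
class Whitelist:
    allowed: Set[str] = field(default_factory=set)
    denied: Set[str] = field(default_factory=set)           # IT intervened; never auto-approved
    pending: Dict[str, date] = field(default_factory=dict)  # host -> date first requested

    def sweep(self, today: date) -> List[str]:
        """Promote every queued host whose review window has elapsed without IT intervention.
        This is the 'automatically gets whitelisted within 2 days' step from the post."""
        promoted = [h for h, since in self.pending.items()
                    if today >= add_business_days(since, REVIEW_BUSINESS_DAYS)]
        for h in promoted:
            self.allowed.add(h)
            del self.pending[h]
        return promoted

    def decide(self, host: str, today: date) -> str:
        """Return 'allow', 'deny' or 'pending' for one request. Denies win over allows so a
        deny on example.org also covers its subdomains; unknown hosts are queued, not blocked
        silently, so the user gets the PENDING_MESSAGE and IT gets the request on its list."""
        host = host.lower().rstrip(".")
        self.sweep(today)
        if any(matches(host, d) for d in self.denied):
            return "deny"
        if any(matches(host, a) for a in self.allowed):
            return "allow"
        self.pending.setdefault(host, today)
        return "pending"

    def it_deny(self, host: str) -> None:
        """The IT manager's intervention: remove a host from the queue and block it."""
        host = host.lower().rstrip(".")
        self.pending.pop(host, None)
        self.denied.add(host)

    def review_list(self) -> Dict[str, date]:
        """What gets sent to the IT manager: queued hosts and when they were first requested."""
        return dict(self.pending)
```

Note that a request made on a Friday is not auto-approved until the following Tuesday, which is exactly the delay the replies below object to.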


they cannot by definition commit any violation, as the white-list will stop them before it happens.

"...please check again in 2 business days"

They more than likely will also have trouble doing their jobs, unless IT can anticipate every possible relevant website or turn approvals around (way, way, way) quicker than that.
posted by cotton dress sock at 8:53 PM on August 29, 2016 [3 favorites]


A whitelist system like that would drive me insane if I needed to be able to do web surfing for work purposes. I'm supposed to wait two days to read a blog post that may or may not help me solve my problem?
posted by zachlipton at 10:19 AM on August 30, 2016 [3 favorites]


I haven't worked in ecommerce in a while, but I seem to recall that PCI standards do have strict rules about how cards are handled. Some of them involve segregating where the card data is acquired and locking systems down. Though the main tenet is not to store anything if you don't need it--if you can get your systems to use payment authorization tokens and not store the card number itself, that helps a ton. I don't think they demand that those systems be airgapped from the rest of the internet, though.
posted by fifteen schnitzengruben is my limit at 7:20 PM on August 30, 2016


I work for a government agency that handles sensitive information; we are subject to significant exceptions from our state's open records law that keep our files and information confidential. Our office allows personal internet surfing subject to a web filter.

On this tip, I work for the frickin' Department of Gnomeland Fershurity and I want to also point out that there's no bright line for determining what's "personal" web use. Our office had banned all social media sites until recently; this change came as a big relief since (for example) our inter-governmental relations officer came to me last week with a question about a local election in our district and the most relevant information I was able to help her dig up came not from the county registrar's barebones website but from a candidate's Facebook page.
posted by psoas at 3:44 PM on August 31, 2016 [1 favorite]


IT-wise, beats me. HR-wise, I'd be less concerned with other workers and more concerned with you.

You're the IT department. Network security is your job. It seems like you're maybe trying to cover your ass by offloading your responsibility onto everyone else, so that instead of doing the work of preventing security risks, you can just say I TOLD YOU SO when security is inevitably compromised.

That might not be how it really is, but that's how it looks to me. What happens if your employer agrees? You've already violated their policy and their orders in doing this; do you really need them adding "huh, come to think of it, that's pretty lazy and irresponsible, and possibly a sign of total incompetence" into the mix?
posted by Sys Rq at 10:16 AM on September 4, 2016 [1 favorite]

