Do you want an access to a Web with no sense?
Let’s be clear form the beginning, URL filtering technologies are an essential element in the network security of a company. But IT Security has to be like a belt in a car, we have to get one otherwise it hurts but it does not make the car working and a wrong set up of Websense can be like a handbrake you forget to release.
What follows is more focused on the misuse in the settings chosen/defined when implementing an URL filtering (like websense) inside a company. Somebody ask me some advices this week on what it should think of before to implement this technology so here is my answer in 10 points:
1. Loss of productivity.
Let’s first imagine the simplest situation. One of your employees receives a professional link from a client or a supplier. He clicks on it and gets the message “blocked by websense”. He will have to fill in a form (online or offline) to release this link (necessary for his work). Time spent will be between 5 min to 10 min ( 10 min if he has to justify again why he should have access on the phone later). Of course, the release is not automatic so somebody else will spend another 5 min at the other end of the line. Besides, if he does his work correctly, he should release it in the other servers spread around the world (otherwise the Danish entity will call him tomorrow for the same task ). Add to that the time elapsed between the time when the employee needed the access and the time when he actually gets his access ( medium time will be around 2h unless your are a management member). Url filtering has a hidden cost which is not negligible (not to mention the licensing price).
2. External storage
It’s logic to block external storage for IPP reasons but if you do not have a clear system in place to exchange files with your partners, customers or suppliers, you will risk the following: people will save files in unknown storage on the web which are not blocked by websense. Those web storages not (yet) blocked by websense are the less known but also the less secured (simple http storage site). Users in their work will need to exchange big files and may use this less secured website -> the IPP of your company may be in jeopardy.
3. A question of trust
One of the most negative impacts of websense is that it shows to the employees a lack of trust. This is an indirect psychological impact of websense but it leads directly to the feeling that the management does not trust its employees. If you do not trust me why should I trust you ? Do not use technology like websense to correct a problem of discipline inside your company. If people surf too much outside their field of activity then warn them seriously about the consequences. Do not except them to work 100 % all day long. Everybody needs a break from time to time (and it’s good for their productivity). Moreover, they will find anyway a workaround to your URL filtering system (most of them have an iPhone with a 3G contract). So if there is a black sheep in a department which forces you to take such technology for the others, fire him or make things clear with him (especially why he is paying for). Punishing an entire group because of a few bad guys is so old school (remember the classroom punishment we had in our youth)
4. No News, bad news
If you like to keep an eye on trends of your scope of activity outside your company today, you can no longer rely only on specialized magazines which are dropped on your desk every 4 weeks. We are leaving a real time world where rich information is available on the web almost as soon as it appears (and Google caffeine will enhance that also). Blocking the news can isolate some people from important info on your competition or on potential customers. Knowledge workers need to have access information which is mostly not on your intranet but in the outside world. So unless you have put in place a internal feed that brings all these info in your organization, do not block the news (all day long).
5. Websense and the CIO
A CIO with a rigid approach on websense will transform himself in a CBO (Chief blocking officer). It may sound funny but it has a big impact on the relation the CIO will have with his peers in the C-Suite. Indeed, Security is not really linked to any strategic business process. Websense topic (like any other IT security topic) will just enlarge the existing gap that already exists between the CIO and the real needs of his peers in the C-Suite. The CIO has to show his department as a strategic weapon for the company and not as a potential “offshorable” security department.
6. Websense may increase spam
It’s logic to block private emails inside a company and to have a policy on how professional emails should be used. But have you warned your employees on the use of their professional email when they register on a professional website? Are they aware that their email address will be shared and listed in a databank used by marketers? Privately, most of us have multiple email accounts and one is most of the time dedicated to web registering (to avoid spam). So be aware that, even if it’s necessary, blocking private emails will lead to more newsletters and spam in professional inboxes and therefore decrease their productivity. By the way, there are a lot of ways to read private emails from your email accounts even if websense is in place.
7. Social networking
In the enterprise 2.0 era, some companies do not have a clear vision on how to integrate social networking inside their organization but …. Some users do ! Blocking sites like Linkedin is just cutting the online business network of your employees. If you doubt that online networking can bring benefits to your company then get ready to disappear ;)
The one who may decide to block Slideshare or Flickr is certainly someone who still does his PowerPoints with the horrible standard windows clipart. You may thank him in the future when you will look ridiculous in front of your customers.
I recommend to block Facebook since it’s really a productivity killer but pay attention to which social network you are blocking. Do not put them all in the same basket.
8. Another (wrong) vision
What you see on a website with websense, is certainly not what you may see on this website when you are home (except if you were crazy enough to censor yourself @home). Some css are blocked, some videos are not shown and it can spoil the user interaction on some websites. Lately, one of my friends in Brussels told me that the readability on my website was better before. I told him that I had not changed it since some months and we realized that in fact the css of wordpress was blocked by his newly blocking system: Websense. Worst, some of you may not even have access to this website because it may be stamped as “ blog”. Tell me how a css can harm my computer. I am all hears.
9. We are all equal
At least we should be when it’s about searching information. We all agree that there are different access levels inside your company for the data stored inside it. But as far as I know the web is (still) free, so on which criteria will you decide who can access or not a specific type of website? Who can seriously decide who should access what?
10. Your employees are not kids
Last but not least, do not forget this option in websense which enables your employees to continue accessing a site consciously “click continue to view this website now for work related purpose” or go back. Ate least you give them a choice to go further and your analytics will give sites to release “automatically”.
Conclusion
Paradoxically, you may find more information when you are home than when you sit at your office desk.
One day, a piece of information may be critical to gain a project. Are you willing to take the risk to miss it? I guess no. So install an URL filtering but set it up properly.
Do you feel you are losing productivity with some settings of websense? I would love to hear your comments and experience (good and bad).
Be Xin Fu 
4 Responses to “Do you want an access to a Web with no sense?”
Really great insight on blocking URLs in companies. I entirely agree with all points but I would like to stand out the “question of trust” one. This is very important and companies, in general, don’t care about it at all. If you don’t work in a trust environment, how could you love your job and keep 100% creative and productive? If you are in a cage, your only desire is to get out that cage.
Great post, Sebastien. I wish lots of IT guys read it.
In my company, streaming is blocked. We migrated to MS Office 2007. Users are not very flexibles regarding the computer change. So I looked for information on the Web, many demonstrations or solutions are in the form of small videos. Unfortunately impossible to use these resources to help our colleagues to learn.
I completely agree, but as you know me, I put a lot of thing again in question (myself as well).
So coming to the point of trust, you’re right by saying that you only earn trust when you trust the others, but there is a very critical point that is that everybody lies (that’s why I love to watch “Dr. House”, he says that everybody lies to save themselves).
“Your employees are not kids”, so my question is, why do they act like kids sometimes? I got users telling me that it is saver for them to open dangerous/critical files or URL on the company’s computer then on the home-PC. So where is then the wise adult that knows the responsibility across his employer?
I agree on one side that URL filtering is a as dangerous tool the same as having nothing like this in place, so I would say, the filtering needs to be put in place but starting slowly and well though (step-by-step method by analysing the outcome before the next step) and trainings for the users to sensibilize them for IT matters together with there responsibility as employee.
It is not so easy when trying to consider both “sides”.
Excellent analysis… and I agree with Francisco, the Trust issue is the most important. Employees (who, contrary to the belief of some, are not idiots) sense immediately when they are not trusted, and this can devastate their sense of commitment to the company. To lose this commitment would be a poor decision even before employees had the option of surfing whatever they want on their cellphone…