Dr Craig Valli and Dr Ian Martinus
The 10 80 10 rule of compliance made famous by J Edgar Hoover is basically 10% of people will comply all the time, 10% will subvert compliance and the 80% depends who is looking and what happens for transgression of stated compliance. Think this is not an issue for you wait until there is a celebrity or “funny” video that goes viral on the Internet and check your web connection logs for openers.
Content filtering is increasingly becoming relevant for today’s business owner to consider the risks, liability that may develop and the productivity lost. So the dilemma is there are known known bad/illegal/liability inducing sites out there. Furthermore, they are catalogued in known, accessible, public blacklists. Blacklists contain website URLs, domains (e.g www.badsite.com) or IP addresses of these locations on the Internet. So we have the means to remove some of these from access or at least log there access for proactive HR discussions with employees. Also many of these marginal sites are often used by cyber criminals to deploy malicious code (malware) to your devices. The malware can enable exfiltration of information from that device, the ability to use its compute to generate crypto coins or simply make the device non functional via destruction or ransom via rendering your device useless and demanding an unlock fee.
Latent Risk and Liability lurks on the Internet
Now in 2022 there are several factors at play that are increasing the need to consider a content filtering approach based on liability. In the case of the known known (e.g well known hate sites, pornography sites, drug sites, video sites) there is little defence that an employer can produce when asked to demonstrate what they do to prevent a staff member from accessing this type of material during work hours. It should be noted that while the access of some imagery on your own computer in your own home is not a criminal offence normally, workplaces are a increasingly different context. However it should be strongly noted if it is a declared site, unclassified or criminal (for e.g child exploitation, beheading, hate, torture) then it is illegal. Furthermore, with you even having knowledge of someone routinely accessing illegal sites and not reporting it to law enforcement, that act is in of itself an offence.
At work access of these materials on a work computer would not constitute reasonable use in most cases and contribute to causing offence and quite possibly a hostile or culturally insensitive work environment which generate significant issues with possible fines or penalties.
Paid to do a task
Last time we looked and heard, few job descriptions had in their duty statement
“You must peruse the Internet at will and download non-business content frequently”
From a pure draconian viewpoint your employees are paid to do a task for you and any distraction from that task costs the business productivity and should be expunged. Unbalanced is one way to look at approach in modern workplaces but there is some reasonable trade-off here for increased flexibility in work such as pay billings or doing personal banking. But that trade-off would not normally include (but not limited to) watching live stream of sports events, submitting job applications, checking out employment sites, text chatting on dating sites, sharetrading.
One of the biggest failures we see is that what is considered reasonable is not clearly articulated in business policy, nor is what is unreasonable usage of business resources explicitly outlined. One of the simplest fixes for this is a succinct (less than 2 pages), enforced Internet usage policy that addresses this we will cover this in future posts.
Congestion caused by non-business use impacts your business
The obvious loss that is also never addressed is the opportunity cost of bandwidth congestion i.e your business network Internet access is slowed by a empoyees activity. For example viewing high definition non-business videos because their home Internet is too slow (please note: a real excuse given by real persons in a real investigations). In the case of a volume charged or restricted connections non-busines usage again something that can significantly impact business performance. Once your unlimited “quota” has been consumed your access to bandwidth is typically restricted/shaped downwards e.g from 100MBit to 2MBit. Then there is the question of performance for your routers, proxy servers and other network equipment as well while sending this material they are not being used for their prime reason for existence to deliver business benefit.
In early 2000s Dr Valli’s Doctoral Thesis was on Non-business use of the Internet in one of the cases the Non-Business use was that bad that it caused complete failure of remote connections in one of the case studies for the organisation a large WA government department . Once the non-business use was countered via filtering this did not occur. Furthermore, as the bandwidth was volume charged at that time the it was estimated in excess of 80K was being lost to non-business use. The amount in saved in the preceding year after installing filtering was a $50,000 plus saving. With added benefit that the business was now able to operate its remote connections to the central database at reasonable service speeds.
How does it work?
When a user requests a URL e.g https://dodgy.website.com before it is sent out from your business to the the Internet for retrieval the user request is checked against known bad blacklisted sites by a program. If there is a match then the request is halted, the request is recorded to a logfile, access is denied and the request redirects to a warning page. An example record of a “block” follows:
2021-08-30 10:23:51 [8216] Request(default/drugs/-) zoompearl.com:443 192.168.1.51/192.168.1.51 craig CONNECT REDIRECT
The record contains date and time, the blocked category in this case porn, and then the URL requested zoompearl.com, IP address of client and the authenticated username who made the request. At the end of each day any access violations we send to the business owner via email for review and any action.
What lists are available?
There are both commercial and non-commercial lists available we use an amalgam of open source lists. Example categories we parovide are:
ads blocks sites that are pushing advertisements
aggressive sites that are related to hate and violence
audio-video this stops streaming files or downloading movies
drugs prevents access to drug sites
gambling prevents access to gambling sites
hacking prevents access to sites that teach hacking or offer services
mail stops access to sites that have mail services
porn self evident
redirector prevents services that allow users to hide their traffic/activities
spyware sites that are known to contain spyware and malicious software
violence sites that have known violent content e.g terrorism
warez sites that have pirated/illegal software which is often a source of cyber infections
There are more and you can leave or add categories as you please to suit your business needs.
https://github.com/cbuijs/shallalist Shallalist no longer maintained
https://dsi.ut-capitole.fr/blacklists/index_en.php University of Toulouse list