When public employees abuse their Internet privileges at work, IT managers need to know how to deal with it.
For some employees in Hernando County, Florida, coming to work has been a little more exciting than it was supposed to be. County officials plan to put a stop to that. An audit found that employees using computers at two fire rescue district stations and in the Parks and Recreation Department had accessed Web sites offering sexually explicit materials. Other employees were engaging in online shopping sprees or visiting dating services during working hours. Overall, the audit found an unacceptable level of personal use of government computers by people calling up Web sites that could in no way be connected to their day jobs.
While e-mail and the Internet create efficiencies for government employees and help them improve service delivery to citizens, the electronic advantage comes with a negative side effect. Slouches have an outlet for wasting time and their choice of activity can put workplace decorum at risk. In addition, employees downloading or e- mailing personal materials on the sly leave networks vulnerable to computer viruses and worms that could take down systems.
Government employees from California to Florida have been caught, if not in the act, then after the fact of searching inappropriate sites. Monitoring software has nabbed users from low-level staff to agency heads. Sometimes they're doing it against government policy or just against common sense.
What's a government to do? The Hernando County auditors came up with eight recommendations for management, including evaluating whether employees spend too much personal time on the Internet, tracking all computers' Internet activity, blocking access to sexually explicit sites and educating management and staff about the county's Internet usage policy. County officials have been able to react quickly to employee misuse of Internet privileges because they have had a usage policy in place. Many jurisdictions do not, but several are moving in that direction.
New Mexico just instituted a policy for state agencies. By executive order of Governor Bill Richardson, staff "shall have no expectations of privacy with respect to state IT resource usage." IT resources are to be used solely for state business, and staff cannot download pirated software, such as music files or extremist material, using state IT resources.
A similarly explicit state policy didn't help Kentucky stave off Internet trouble. The state auditor ran tests on 29 different days and found that 212 computers had been used to visit more than 1,000 pornography sites. "It sounds almost like a pandemic," says auditor Ed Hatchett. "You can implement policies all day long. If you don't have any way to enforce or monitor for compliance, you might as well not have them."
It is up to management to make sure Internet policy is understood so that employees don't abuse it, says Aldona Valicenti, the state's chief information officer. But Kentucky also is looking into filtering software to, among other things, prevent access to pornography.
As far as IT professionals in Jacksonville, Florida, are concerned, filtering software is a must. Leaving it to some employees to control themselves "is like taking alcohol and putting it in front of an alcoholic," says Sandy Bateh, the city's CIO. "It's easier if you just move it and don't make it tempting." It's possible that some employees spend too much time on sites such as ESPN or CNN, sites that are not filtered out, he says. The city doesn't encourage use of city equipment for anything other than city business, but it tolerates some personal use, the same way it tolerates occasional phone calls home.
In some cases, ignorance of what's in Internet-use policies is a huge part of the problem. Michigan is starting a program to make sure that state policies are fully understood. The state has entered a partnership with an in-state college to develop "awareness training" for state employees. "At the basic level, it's about what you should and should not be doing with the PC on your desk," says Dan Lohrmann, chief information security officer.
Trainers will explain to employees the risk of bringing a virus into the state if they, say, download onto their PCs a file with Madonna's latest CD. Once employees are trained, they are no longer able to plead ignorance if caught. "I don't care how good your architecture, your intrusion detection, your fire walls are," says Lohrmann. "If employees are violating policies or you don't have policies, you're in trouble."