Office Web Use Tough To Control

Is that employee really working on a spreadsheet, or is it just a cover for an NCAA college basketball brackets pool? It’s estimated that thousands of hours of productivity are lost to “March Madness,” the NCAA men’s basketball tournament that sparks office pools across the country.

What about the rest of the year? Are you afraid your employees are playing “Diner Dash 2” or ordering a cashmere sweater from Banana Republic when they should be finishing a report that’s due at the end of the week?

As is the case with most things, the size of a nonprofit usually dictates how much attention is paid to monitoring employees’ email and Internet activity. Much like small businesses, small nonprofits contacted for this story tend to rely on the honor system when it comes to Internet and email access, lacking the resources to keep a closer eye.

Children’s Square USA in Council Bluffs, Iowa, went so far as to implement a software program that monitors Internet usage by employees. “We didn’t know whether we had a problem or not. What we wanted to do was, do something that ensured that we didn’t have a problem,” said Mike Barker, vice president of professional services.

The 125-year-old children’s service agency is up front about Internet policy with its 140 full-time employees: They should expect no confidentiality on company time and equipment. “It’s not a gotcha thing; everyone knows it’s there,” Barker said.

There have been very few issues with inappropriate use of the Internet, Barker said, with only the occasional caution about spending too much time on the Web. “It’s a good insurance policy for us,” he said.

At some very small organizations, there just are other priorities than monitoring what employees are doing online. “There are only three of us on full-time staff so we are pretty close knit and we are so busy that there is no time for any non-work related anything,” said Heather Arnet, executive director of the Pittsburgh-based Women & Girls Foundation of Southwest Pennsylvania.

While nonprofits might not block or restrict certain Web sites, many do keep an archive of Internet activity and email in case there is a need for a closer look.

“It used to be if you wandered by someone’s desk and they were online, you knew they were goofing off,” said Gavin Clabaugh, vice president, information services, for the Charles Stewart Mott Foundation in Flint, Mich. “That’s just not the case anymore. More than half of what you do involves a Web browser,” he said, whether that’s mundane things like buying supplies or using interactive and collaborative Web sites.

Clabaugh informally polled about 20 foundation information and technology officers at a recent conference and “none really do any active monitoring.” The foundation might block inbound spam or filter ads, he said, but it doesn’t try to control by content. “We don’t try to figure out what people are doing or where they’re going. To some extent, it’s antithetical to what foundations do.”

The lack of monitoring is not a resource decision, “we actually don’t do it,” Clabaugh said. “That’s not to say we don’t block sites. Some sites, we might block a gaming site, not that we had a problem, it just seemed appropriate.”

YouTube, the video sharing Web site, is so unique in its coverage that it’s not blocked, Clabaugh said, since it might relate to politics, business, education or other relevant topics. Audit logs are rather extensive and all are subject to discovery if a problem is identified. The only problems examined have been issues related to bandwidth, he said, but the content itself is seen as management and productivity issues.

“We may be large foundations but we’re small organizations. Most don’t have more than 100 or so people. Those kinds of issues with productivity or abuse handled more on a management than a policy level,” he said.

Some nonprofits monitor Web activity based on the risk of a computer virus more than inappropriate content.

Habitat for Humanity International blocks all Web sites that might be considered high risk for computer viruses, along with the vast majority of spam email that it’s able to detect, said Duane Bates, media relations manager. The Atlanta-based headquarters also monitors telephone bills for the amount of usage so employees who make personal calls can get a bill and reimburse the organization at the end of the month.

Girl Scouts of the Chesapeake Bay Council monitors Web traffic for viruses but blocks Web sites based on whether or not they affect the performance of their network.

For instance, the council blocks music sites that use streaming music players, which can slow down network speed and inhibit employee access to the network, according to Gil Ruiz, the organization’s IT specialist. Likewise, if the size — not content — of an employee’s computer files affects the network running smoothly, the person would be asked to rid folders of redundant or large files.

The Newark, Del.-based council, which serves Delaware and parts of Maryland and Virginia, has each of its 172 employees sign a “proper use” policy by which to abide, and if a problem ever came up, it would be dealt with by an employee’s manager, Ruiz said.

The Leukemia & Lymphoma Society has the capability to run a report to monitor visits to the Internet, and blocks inappropriate Web sites. The reports are done occasionally, according to Andrea Greif, director of public relations for the White Plains, N.Y.-based organization.

Most every organization spells out the policies in employee manuals, making sure workers are aware of where they should and should not be going on the Web and making clear there’s no expectation of privacy on organization-owned resources. One large nonprofit declined to answer citing a policy of not discussing security practices outside of the organization.

“Like most organizations, we have a human resources policy that people sign, essentially agreeing to not abuse email, Internet, etc.,” said Carrie Martin, vice president, communications, for the American Lung Association (ALA) in Washington, D.C.

ALA blocks inappropriate Web sites and while it does not monitor email or computer files, it does keep archives to review usage if necessary, she said. The organization can also review telephone use and access voicemail if necessary, she added.

The Nature Conservancy, with 3,000 employees worldwide, makes clear that staff should have “no expectation of privacy regarding any electronic data stored on technology and information systems or regarding any activities conducted online with access or systems provided” by the organization.

Use of technology and information systems will be monitored and “potentially abusive behavior” might be reported to managers. NPT