Iyfjky

Question

I'm a software engineer entering a company that has a history of being strongly authoritarian when it comes to computer, I.T., and networking choices. We have a corporate firewall with lots of filters and restrictions on it, and it makes for a lot of pain to do common things, like run programming tools that access the internet for downloads, or to use online chat applications that connect me with other developers around the world.

Have you seen, or written a business-focused justification for open internet access to increase developer or knowledge worker productivity? What arguments or evidence did you use?

The restrictions is why I tend to work deployments from the house (along with the time but i could come into the office). Helps to have a clear connection to talk to one of our outside contractors over skype. — May 6 '15 at 18:17
My company has the same requirement as yours and WindRivers. I'm leaving for greener pastures this month. In the future I'll ask about IT policies because if they get in the way of you doing your job, it's not worth it. You should be given the best tools for your job. — May 6 '15 at 18:48
I don't think I'd be able to use my work computer at a Starbucks or McDonalds, other than using the VPN to have the same blocked sites as I have at work. — May 6 '15 at 20:30
Y'know, if you have to ask us to write the business case for you, you probably don't have a valid business reason to open that firewall. — May 7 '15 at 4:26
@keshlam I wasn't going to answer, because I think your answer is pretty hostile, but it occurred to me to point out that my business reasons are general, rather than specific, as is the request I'm making to my company. Perhaps it would help you to consider that a general change in policies can improve business? — May 8 '15 at 2:59

blankip 19.9k74781 · Accepted Answer · 2015-05-06 20:06:10Z

I am an architect/developer. I have had to justify this for the past 10+ years.

Justification/Reasons:

When looking for open source code I will often have to go to sites that are restricted by our internal proxy server.

I also venture to "hacking" type sites which update on latest vulnerabilities and usually precede normal virus company warnings as well as give tips.

Some downloads and extensions do not go pass proxy server.

I search for things. I am not sure what websites will house those things, especially if I am out of the .com range (even then it is iffy). I don't know when I click on a new dev/code site if it won't have porn ads or girls in bikinis or whatever. When doing these searches usually I am at a "roadblock". If I am at a roadblock at work then either work stops or I go home or I move to another project (jumping from project to project is not productive most of the time).

I also need to test things outside of our proxy servers. For instance if we have a website it might react different for intranet users vs. internet users. One of our developers might have put in an intranet address for some jquery or something like that and it causing internet users to have issues. Just lots of examples here.

Solution:

I have a internet connection on top of my intranet from a local cable provider. Some other people with same requirements share this. This costs us about $100 a month and setting up the VLANs took about 2-3 hours.

Anyone that has this uses an old PC to connect to the internet. It is a little inefficient because you have to move files via usb or something but not a big deal. This keeps people from downloading viruses and infecting other computers (we allow no communication between PCs across the internet VLAN).

If not safe for work content appears from a site, we close site as quickly as possible and continue at home. Our VP talked to HR about this. Basically how we handle this is girls in bikinis is OK - given that you try to quickly handle the page or slide the advertisement out of browser screen. Any type of porn, nudity, or sexual act, you need to close website right away and make a concerted effort not to return to that site. (Some guys turn off flash and pictures in their browser to move past this but good luck navigating some sites with this turned off)

My take:

If your management wants you to be productive and work with a lot of open source applications/code/classes they have to understand that some of these sites will not be "safe for work" and may be blocked. As any developer knows, almost everything has been done before. So not finding something could possibly affect a project by weeks.

The chat part I am not sure about. I share lots of stuff and email works fine. I guess you could use your internet connection for chat but to me that is a different thing.

I think you need to sit down with your boss and explain the entire dilemma and solutions. Obviously when you are in heavy dev mode and you will need full access to everything, working from home or half days at home is the proper solution. But you need to make it really clear how debilitating it is to your performance not having access to everything you need at work.

I actually find this pretty interesting. I've worked the dev side of this 10 years now, but before that I worked the admin side where I was the one actually advocating the filters. In this time on the dev side this has never been a major issue for me as I've been able to find reliable places for good information on about everything I've needed to look for without venturing into NSFW websites. (I'm sure the hacker sites would be an exception here) Just surprised, there are so many resources these days I'm curious what sort of things you look up that you wind up in NSFW space) — May 6 '15 at 20:19
@RualStorge - To be honest most of the sites that are NSFW that we use are either hacker sites or German/Russian. Not to pick on those countries because I have nothing but love for them but you go to a German/Russian coding/dev site... well who knows what will come up. If it is a forum where someone answers a question (how do you do this on this CMS and the code behind it) and that has a .de extension... you are getting NSFW - in my particular experience. — May 6 '15 at 20:23
Gotcha, and yes I've seen those sort of sites. I've just never had to access them for anything work related. I've been lucky enough to find most of those sort of answers either in sites like stackoverflow, or sites specifically catering towards whatever technology I'm dealing with. But yeah, if you have to dig that deep to get an answer, it is what it is. — May 6 '15 at 20:33
@RualStorge - SE sites have cut down the NSFW sites by two fold at least but when looking for specific code for a specific CMS - for instance we use seedDMS for some business sectors - SE doesn't do specifics. SE is more for I have this bug than for how do I integrate this Calendar into the workflow on this CMS. If you ask things like that on SO they tend to never get answered. — May 6 '15 at 20:37
@blankip I really like your thought about the opportunity cost(?) of finding a solution earlier rather than later. This is definitely one of the places where open access to discussion areas (i.e. IRC) can really provide a business shortcut and a lot of value. — May 8 '15 at 2:46

RualStorge 9,5372231 · Answer 2 · 2015-05-06 20:00:03Z

Rules and restrictions

I've had the pleasure of working in education, small government, and companies that contract with the DOJ and DOD. I've personally been required and even advocated similarly dogmatic and overzealous measures over networks before.

It's absolutely true these filters are extremely inconvenient. Often requiring overhead to maintain as people in position X need a pinhole to access Y, Manager A wants website B locked down because people wasting time on it, etc.

Each company have different reasons this was necessary, but it usually boiled down to a mix of accessing things inappropriate at the work place, wasting time on websites that are of no benefit to work, and concern of malware from people who aren't cautious in their browsing.

I can say since most of these systems log who tried to access what when they got blocked it's both amazing and appalling the sorts of stuff people will do on the company dime. For us we usually turned the filter to just monitor to build a case to actually turn it on. I can say every single time we had people accessing porn, gambling sites, trolling around websites like rotton, somethingawful, and 4chan. Plus a variety of sites that deal in flash games, or otherwise have no redeeming value at work.

It improves company wide productivity

In my experience this has always resulted in an improvement in overall productivity. Even though individuals are effected by being able to access helpful tutorials on youtube, etc. Often the time people waste doing stuff they aren't supposed to be doing far exceeds that of the additional time incurred having to figure things out without these assets.

In a perfect world these filters would be unnecessary, but I can promise you everytime I've turned on a proxy to monitor traffic before going live it was staggering the things people would do on the company network.

Malware is just too dangerous

For a sophisticated user safe browsing is easy enough where it's pretty unlikely you'll get bitten by malware, the problem is most users don't know how to protect themselves from going to the wrong places and risking getting bitten by whatever the newest piece of malware is. Antivirus helps, but new zero day bugs come out daily and it only takes one virus to spread over your network to destroy any time benefit from not having the filters up.

I can say personally I've seen two companies get bit bad by malware. One was through going to places on the internet one should avoid at the office, the other was an infected USB key. Both cases cost the companies hundreds of thousands to millions of dollars as they were effectively shut down. IT had to take the network offline and go system to system cleaning the viruses off before putting them back on the network. One company this took the company of ~200 offline for almost 6 hours. the other it was effectively two full days.

Sure the filter can't fully prevent such a scenario, but it only takes one such occurrence to out weigh the benefit of having no filters.

Successful negotiation to be on the "lax filter" group

That said, in one of these companies we had a marketing department that the filters proved detrimental as some of the sites we really needed to filter from most people were the exact sites they needed to promote on.

They were able to come up with a list of about two dozen sites they needed access to in order to be effective. After some back and forth we decided to give them their own group. These filters are actually pretty good where sites are categorized by why they would be blocked porn, criminal, games, entertainment, malware, etc. What we did is for the marketing group we relaxed the rules a great deal, porn, malware, etc were still blocked, but we opened up categories that had sites on their list. (which actually was only opening up two groups of something like 18)

Turning off the filters entirely was just deemed too dangerous. Not to mention as I said before overall productivity improved despite the impact caused by some useful sites getting blocked.

Moral

I know someone will probably go. "I would never work for this sort of company" or "They probably have high turn over" the first is by all means your choice, but I can say we didn't see a notable impact in employee retention from before / after we put filters in place.

+1 No company of any meaningful size can afford to have "open" internet access. Depending on the size of the company and the nature of the business, the filtering can be more or less lax, but truly open access is too risky. — May 6 '15 at 20:04
@cdkMoose - I work for a HUGE company and my group has open access. I am not sure what you are talking about. A big company should be able to segment the open internet access from other things. — May 6 '15 at 20:07
@blankip, then I would say your HUGE company is taking a HUGE risk IMHO. All it takes is one person in your group going to a site they shouldn't have to potentially infect the corporate network. I wouldn't want to be the IT person responsible for explaining that. — May 6 '15 at 20:09
@blankip you can segregate your network, but that only works if it's true segregation. IE If a computer is in group X it never ever shares any resources with group Y. this isn't realistically possible in most cases. Marketting will need to send files to the dev team, Engineering will need to send files to marketing, etc. Often this is done through network shares, USB, etc. For us our network was 4 segments which had no mutual shares, but we were bit by a virus that sat dormant a few weeks. It was spread as files were shared, when it's go day happened, all 4 segments were hit. — May 6 '15 at 20:29
@RualStorge - Realistic? We have 100K employees at our company. We have at least 20 people that share the "internet" connection at our location - almost every location has this set up. We have a DIFFERENT COMPUTER for this per my answer. This is the key. The computer will never communicate with the internal network. If they want it to then they don't get it. You use DVDs or USB to move things. I can send a file from my internet PC by moving it to USB and putting it on my laptop... I am not understanding why this is so hard. — May 6 '15 at 20:34

score 6 · Answer 3 · 2015-05-08 14:36:33Z

I'll warn you that you are "Fighting Uphill" on this one. In the last 18 months, we've seen data breaches that have cost companies in the hundreds of millions of dollars (Sony, Target, Home Depot, etc.), and the CryptoLocker ransom attacks are a very serious ongoing threat, too.

And, unfortunately, IT is held liable for everybody else's action at once, so you end up with the "Junior High Hall Monitor" approach: You set the security for the worst-behaving person in the company, and make everyone else live by that.

I currently live on both sides of this fence. I'm in charge of all tech for my company. I am a developer, but IT admin comes under my department, as well.

Your best approach is going to be this:

You need a separate, less-restricted network for development. All your dev machines should be here.

You need "Corporate" machines to be able to do company email, intranet, whatever, in the secured network.

Tell IT that the "Corporate" machines can be the old/slow systems no one else wants, as you're not going to be doing much with them. They will probably be fairly open to that idea.

This has several advantages:

The budget hit is going to be fairly small - essentially only labor. You're not asking for new gear.

You are respecting IT's need to lock down some networks. They should be on your side if you show them that deference.

You're working towards a solution, not starting a turf war.

Good luck!

I agree here. One filter to rule them all wound up being a problem in most cases I've worked with. Generally we had the normal user filter, Admin filter, and Marketing filter. Normal users were locked up tight, Admin was the most lax really only locking down stuff that was simply inappropriate, IT was lax, but not quite as lax as admin. (Mostly because if the CTO wants to screw around on Facebook during work hours, the network admin can't exactly tell him no) — May 6 '15 at 20:11
Wesley, thanks for the thoughts. In a lot of places, the segregated networks approach is probably the best compromise. Amusingly, in my enterprise, >50% of the 'sensitive' network resources are on the public internet (lots of outsourced, SAAS applications). If I were enterprise security architect, I'd harden my services so that they ALL were safe for open internet access, and then have the internal LANs work like an internet cafe. Much of the trouble with having open internet access is the network over-trusts the workstations. Eliminate that trust, and you can vastly reduce restrictions. — May 8 '15 at 2:51
@JoshRivers - That's exactly what I'm doing (Internet Cafe approach), but I'm the one who makes that call in our company. I'm assuming the OP is not in that role. — May 8 '15 at 20:20

score 1 · Answer 4 · 2015-05-08 02:56:37Z

This is a (possibly snarky [sorry!]) revision of RualStorage's answer. I wrote it up to get it out of my head, and to clarify some of my thinking. Leaving it here as an alternative set of thought...and in case it helps others.

Open Access

These filters are extremely inconvenient, requiring overhead to maintain and expertise to request specific exceptions.

Each company have different reasons for imagining this was necessary, usually alarmism about inappropriate or time-wasting websites, and the belief that malware comes from incautious browsing. While you can often find people accessing porn, gambling sites, trolling around websites like rotton, somethingawful, and 4chan or playing flash games, web filtering doesn't prevent people from goofing off at work, it just redirects those efforts into other channels that may be equally unhealthy or unsafe.

It doesn't improve company wide productivity

While removing unapproved and work unrelated traffic from the company network is often accomplished by using web filtering, most filters are incomplete and other sources of distraction are always available. Eliminating quick and easy forms of distraction often has the adverse effect of making workers need to go away from their desks to take a break or to spend extra time routing around the breakage, causing extra distraction rather than reducing it.

Malware is unpreventable

For a sophisticated user safe browsing is easy enough where it's pretty unlikely you'll get bitten by malware, and antivirus helps, but new zero day bugs come out daily and attackers have found many ways of working around the limitations imposed by corporate proxies and firewalls. In todays environment, most companies are already infected broadly with malware and are forced to triage which infections are most pernicious, reducing employee productivity for a small gain in malware production is hard to justify. Malware protection and data integrity need to be designed to be comprehensive despite open access rather than rely on the tenuous protection of a proxy.

The middle ground of an lax-access group

While it is not always possible for a company to make a sweeping move towards opening up internet access in one swoop, providing employees a by-request open access group can provide a middle ground that can allow use of internet services to engaged employees who request more service, and still leave the default as somewhat restricted to address the concerns of nervous managers who have read the alarmist reporting of computer breaches in the mainstream press.

blankip 19.9k74781 · Accepted Answer · 2015-05-06 20:06:10Z

I am an architect/developer. I have had to justify this for the past 10+ years.

Justification/Reasons:

When looking for open source code I will often have to go to sites that are restricted by our internal proxy server.

I also venture to "hacking" type sites which update on latest vulnerabilities and usually precede normal virus company warnings as well as give tips.

Some downloads and extensions do not go pass proxy server.

I search for things. I am not sure what websites will house those things, especially if I am out of the .com range (even then it is iffy). I don't know when I click on a new dev/code site if it won't have porn ads or girls in bikinis or whatever. When doing these searches usually I am at a "roadblock". If I am at a roadblock at work then either work stops or I go home or I move to another project (jumping from project to project is not productive most of the time).

I also need to test things outside of our proxy servers. For instance if we have a website it might react different for intranet users vs. internet users. One of our developers might have put in an intranet address for some jquery or something like that and it causing internet users to have issues. Just lots of examples here.

Solution:

I have a internet connection on top of my intranet from a local cable provider. Some other people with same requirements share this. This costs us about $100 a month and setting up the VLANs took about 2-3 hours.

Anyone that has this uses an old PC to connect to the internet. It is a little inefficient because you have to move files via usb or something but not a big deal. This keeps people from downloading viruses and infecting other computers (we allow no communication between PCs across the internet VLAN).

If not safe for work content appears from a site, we close site as quickly as possible and continue at home. Our VP talked to HR about this. Basically how we handle this is girls in bikinis is OK - given that you try to quickly handle the page or slide the advertisement out of browser screen. Any type of porn, nudity, or sexual act, you need to close website right away and make a concerted effort not to return to that site. (Some guys turn off flash and pictures in their browser to move past this but good luck navigating some sites with this turned off)

My take:

If your management wants you to be productive and work with a lot of open source applications/code/classes they have to understand that some of these sites will not be "safe for work" and may be blocked. As any developer knows, almost everything has been done before. So not finding something could possibly affect a project by weeks.

The chat part I am not sure about. I share lots of stuff and email works fine. I guess you could use your internet connection for chat but to me that is a different thing.

I think you need to sit down with your boss and explain the entire dilemma and solutions. Obviously when you are in heavy dev mode and you will need full access to everything, working from home or half days at home is the proper solution. But you need to make it really clear how debilitating it is to your performance not having access to everything you need at work.

I actually find this pretty interesting. I've worked the dev side of this 10 years now, but before that I worked the admin side where I was the one actually advocating the filters. In this time on the dev side this has never been a major issue for me as I've been able to find reliable places for good information on about everything I've needed to look for without venturing into NSFW websites. (I'm sure the hacker sites would be an exception here) Just surprised, there are so many resources these days I'm curious what sort of things you look up that you wind up in NSFW space) — May 6 '15 at 20:19
@RualStorge - To be honest most of the sites that are NSFW that we use are either hacker sites or German/Russian. Not to pick on those countries because I have nothing but love for them but you go to a German/Russian coding/dev site... well who knows what will come up. If it is a forum where someone answers a question (how do you do this on this CMS and the code behind it) and that has a .de extension... you are getting NSFW - in my particular experience. — May 6 '15 at 20:23
Gotcha, and yes I've seen those sort of sites. I've just never had to access them for anything work related. I've been lucky enough to find most of those sort of answers either in sites like stackoverflow, or sites specifically catering towards whatever technology I'm dealing with. But yeah, if you have to dig that deep to get an answer, it is what it is. — May 6 '15 at 20:33
@RualStorge - SE sites have cut down the NSFW sites by two fold at least but when looking for specific code for a specific CMS - for instance we use seedDMS for some business sectors - SE doesn't do specifics. SE is more for I have this bug than for how do I integrate this Calendar into the workflow on this CMS. If you ask things like that on SO they tend to never get answered. — May 6 '15 at 20:37
@blankip I really like your thought about the opportunity cost(?) of finding a solution earlier rather than later. This is definitely one of the places where open access to discussion areas (i.e. IRC) can really provide a business shortcut and a lot of value. — May 8 '15 at 2:46

RualStorge 9,5372231 · Answer 6 · 2015-05-06 20:00:03Z

Rules and restrictions

I've had the pleasure of working in education, small government, and companies that contract with the DOJ and DOD. I've personally been required and even advocated similarly dogmatic and overzealous measures over networks before.

It's absolutely true these filters are extremely inconvenient. Often requiring overhead to maintain as people in position X need a pinhole to access Y, Manager A wants website B locked down because people wasting time on it, etc.

Each company have different reasons this was necessary, but it usually boiled down to a mix of accessing things inappropriate at the work place, wasting time on websites that are of no benefit to work, and concern of malware from people who aren't cautious in their browsing.

I can say since most of these systems log who tried to access what when they got blocked it's both amazing and appalling the sorts of stuff people will do on the company dime. For us we usually turned the filter to just monitor to build a case to actually turn it on. I can say every single time we had people accessing porn, gambling sites, trolling around websites like rotton, somethingawful, and 4chan. Plus a variety of sites that deal in flash games, or otherwise have no redeeming value at work.

It improves company wide productivity

In my experience this has always resulted in an improvement in overall productivity. Even though individuals are effected by being able to access helpful tutorials on youtube, etc. Often the time people waste doing stuff they aren't supposed to be doing far exceeds that of the additional time incurred having to figure things out without these assets.

In a perfect world these filters would be unnecessary, but I can promise you everytime I've turned on a proxy to monitor traffic before going live it was staggering the things people would do on the company network.

Malware is just too dangerous

For a sophisticated user safe browsing is easy enough where it's pretty unlikely you'll get bitten by malware, the problem is most users don't know how to protect themselves from going to the wrong places and risking getting bitten by whatever the newest piece of malware is. Antivirus helps, but new zero day bugs come out daily and it only takes one virus to spread over your network to destroy any time benefit from not having the filters up.

I can say personally I've seen two companies get bit bad by malware. One was through going to places on the internet one should avoid at the office, the other was an infected USB key. Both cases cost the companies hundreds of thousands to millions of dollars as they were effectively shut down. IT had to take the network offline and go system to system cleaning the viruses off before putting them back on the network. One company this took the company of ~200 offline for almost 6 hours. the other it was effectively two full days.

Sure the filter can't fully prevent such a scenario, but it only takes one such occurrence to out weigh the benefit of having no filters.

Successful negotiation to be on the "lax filter" group

That said, in one of these companies we had a marketing department that the filters proved detrimental as some of the sites we really needed to filter from most people were the exact sites they needed to promote on.

They were able to come up with a list of about two dozen sites they needed access to in order to be effective. After some back and forth we decided to give them their own group. These filters are actually pretty good where sites are categorized by why they would be blocked porn, criminal, games, entertainment, malware, etc. What we did is for the marketing group we relaxed the rules a great deal, porn, malware, etc were still blocked, but we opened up categories that had sites on their list. (which actually was only opening up two groups of something like 18)

Turning off the filters entirely was just deemed too dangerous. Not to mention as I said before overall productivity improved despite the impact caused by some useful sites getting blocked.

Moral

I know someone will probably go. "I would never work for this sort of company" or "They probably have high turn over" the first is by all means your choice, but I can say we didn't see a notable impact in employee retention from before / after we put filters in place.

+1 No company of any meaningful size can afford to have "open" internet access. Depending on the size of the company and the nature of the business, the filtering can be more or less lax, but truly open access is too risky. — May 6 '15 at 20:04
@cdkMoose - I work for a HUGE company and my group has open access. I am not sure what you are talking about. A big company should be able to segment the open internet access from other things. — May 6 '15 at 20:07
@blankip, then I would say your HUGE company is taking a HUGE risk IMHO. All it takes is one person in your group going to a site they shouldn't have to potentially infect the corporate network. I wouldn't want to be the IT person responsible for explaining that. — May 6 '15 at 20:09
@blankip you can segregate your network, but that only works if it's true segregation. IE If a computer is in group X it never ever shares any resources with group Y. this isn't realistically possible in most cases. Marketting will need to send files to the dev team, Engineering will need to send files to marketing, etc. Often this is done through network shares, USB, etc. For us our network was 4 segments which had no mutual shares, but we were bit by a virus that sat dormant a few weeks. It was spread as files were shared, when it's go day happened, all 4 segments were hit. — May 6 '15 at 20:29
@RualStorge - Realistic? We have 100K employees at our company. We have at least 20 people that share the "internet" connection at our location - almost every location has this set up. We have a DIFFERENT COMPUTER for this per my answer. This is the key. The computer will never communicate with the internal network. If they want it to then they don't get it. You use DVDs or USB to move things. I can send a file from my internet PC by moving it to USB and putting it on my laptop... I am not understanding why this is so hard. — May 6 '15 at 20:34

score 6 · Answer 7 · 2015-05-08 14:36:33Z

I'll warn you that you are "Fighting Uphill" on this one. In the last 18 months, we've seen data breaches that have cost companies in the hundreds of millions of dollars (Sony, Target, Home Depot, etc.), and the CryptoLocker ransom attacks are a very serious ongoing threat, too.

And, unfortunately, IT is held liable for everybody else's action at once, so you end up with the "Junior High Hall Monitor" approach: You set the security for the worst-behaving person in the company, and make everyone else live by that.

I currently live on both sides of this fence. I'm in charge of all tech for my company. I am a developer, but IT admin comes under my department, as well.

Your best approach is going to be this:

You need a separate, less-restricted network for development. All your dev machines should be here.

You need "Corporate" machines to be able to do company email, intranet, whatever, in the secured network.

Tell IT that the "Corporate" machines can be the old/slow systems no one else wants, as you're not going to be doing much with them. They will probably be fairly open to that idea.

This has several advantages:

The budget hit is going to be fairly small - essentially only labor. You're not asking for new gear.

You are respecting IT's need to lock down some networks. They should be on your side if you show them that deference.

You're working towards a solution, not starting a turf war.

Good luck!

I agree here. One filter to rule them all wound up being a problem in most cases I've worked with. Generally we had the normal user filter, Admin filter, and Marketing filter. Normal users were locked up tight, Admin was the most lax really only locking down stuff that was simply inappropriate, IT was lax, but not quite as lax as admin. (Mostly because if the CTO wants to screw around on Facebook during work hours, the network admin can't exactly tell him no) — May 6 '15 at 20:11
Wesley, thanks for the thoughts. In a lot of places, the segregated networks approach is probably the best compromise. Amusingly, in my enterprise, >50% of the 'sensitive' network resources are on the public internet (lots of outsourced, SAAS applications). If I were enterprise security architect, I'd harden my services so that they ALL were safe for open internet access, and then have the internal LANs work like an internet cafe. Much of the trouble with having open internet access is the network over-trusts the workstations. Eliminate that trust, and you can vastly reduce restrictions. — May 8 '15 at 2:51
@JoshRivers - That's exactly what I'm doing (Internet Cafe approach), but I'm the one who makes that call in our company. I'm assuming the OP is not in that role. — May 8 '15 at 20:20

score 1 · Answer 8 · 2015-05-08 02:56:37Z

This is a (possibly snarky [sorry!]) revision of RualStorage's answer. I wrote it up to get it out of my head, and to clarify some of my thinking. Leaving it here as an alternative set of thought...and in case it helps others.

Open Access

These filters are extremely inconvenient, requiring overhead to maintain and expertise to request specific exceptions.

Each company have different reasons for imagining this was necessary, usually alarmism about inappropriate or time-wasting websites, and the belief that malware comes from incautious browsing. While you can often find people accessing porn, gambling sites, trolling around websites like rotton, somethingawful, and 4chan or playing flash games, web filtering doesn't prevent people from goofing off at work, it just redirects those efforts into other channels that may be equally unhealthy or unsafe.

It doesn't improve company wide productivity

While removing unapproved and work unrelated traffic from the company network is often accomplished by using web filtering, most filters are incomplete and other sources of distraction are always available. Eliminating quick and easy forms of distraction often has the adverse effect of making workers need to go away from their desks to take a break or to spend extra time routing around the breakage, causing extra distraction rather than reducing it.

Malware is unpreventable

For a sophisticated user safe browsing is easy enough where it's pretty unlikely you'll get bitten by malware, and antivirus helps, but new zero day bugs come out daily and attackers have found many ways of working around the limitations imposed by corporate proxies and firewalls. In todays environment, most companies are already infected broadly with malware and are forced to triage which infections are most pernicious, reducing employee productivity for a small gain in malware production is hard to justify. Malware protection and data integrity need to be designed to be comprehensive despite open access rather than rely on the tenuous protection of a proxy.

The middle ground of an lax-access group

While it is not always possible for a company to make a sweeping move towards opening up internet access in one swoop, providing employees a by-request open access group can provide a middle ground that can allow use of internet services to engaged employees who request more service, and still leave the default as somewhat restricted to address the concerns of nervous managers who have read the alarmist reporting of computer breaches in the mainstream press.

Search This Blog

Iyfjky

Business Case for Open Internet Access

4 Answers
4

Your Answer

Post as a guest

4 Answers
4

4 Answers
4

Post as a guest

Comments

Post a Comment

Popular posts from this blog

What does second last employer means? [closed]

List of Gilmore Girls characters

Confectionery

Category

Random preview

Business Case for Open Internet Access

4 Answers 4

Your Answer

Sign up or log in

Post as a guest

Post as a guest

4 Answers 4

4 Answers 4

Sign up or log in

Post as a guest

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Comments

Post a Comment

Popular posts from this blog

What does second last employer means? [closed]

List of Gilmore Girls characters

Confectionery

4 Answers
4

4 Answers
4

4 Answers
4