# Small Business Internet security/monitoring



## cap28 (Oct 10, 2012)

As a business with 10 users and no server (we use hosted email)

What's the best way to restrict and monitor internet usage? Are there any web-hosted systems, or do I need to buy hardware?

thanks


----------



## 2xg (Aug 5, 2009)

Hello,

There's no need to buy additional hardware. You may try NetLimiter; it's a bandwidth shaper, and you may also monitor the internet usage.

In addition, you should be able to block illegal sites and ports from your router's settings so that none of your employees do any non-work-related net surfing.

What is the make and model of your router? I'll be able to tell you if your router has great security features.


----------



## ChloeP (Feb 4, 2013)

I've heard of parents using this kind of thing (hardware keyloggers) to monitor their kids on the internet, so I suppose it would work as well in your kind of situation. And like with the kids, the knowledge that it's there is probably enough to make them more aware of how much they're using the internet?


----------



## epshatto (Dec 23, 2010)

I would not recommend the use of hardware keyloggers, or any keylogger for that matter.

Monitoring internet activity at work is not the same situation as monitoring activity in the home. There are legal implications to what you do in the workplace. You could find yourself in hot water if you use a keylogger at work in any circumstance. Privacy laws come into play, even in the workplace.

You should use a network-level monitoring and security tool along the lines of what 2xg suggests. You also might want to notify all users of their machines that their activities may be monitored and that use of the machine implies consent to this. You can do that by making a GPO in Active Directory, but with your small network I would guess you probably don't use AD DS and might not even be on a domain. So you can display a warning banner by modifying a registry key on the local machines. It should display each time users log in to the system, except when the machine gets locked and signed back in.


----------
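One way to set the logon warning banner described in the post above on a standalone Windows machine, as an added example that is not part of the original thread. It assumes the standard `legalnoticecaption` and `legalnoticetext` values under the `Policies\System` key (the post does not name the key), an elevated PowerShell session, and constructed placeholder banner wording; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: configure the interactive logon banner on a non-domain PC.
# Function names and banner wording are assumptions made for illustration.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-LogonBanner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Caption,
        [Parameter(Mandatory)][string]$Text
    )
    $desired = @{ legalnoticecaption = $Caption; legalnoticetext = $Text }
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $desired.Keys) {
        # Skip values that already match so repeated runs make no changes.
        if ($current.$name -eq $desired[$name]) { continue }
        # Honors -WhatIf / -Confirm before touching the registry.
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", 'Set logon banner value')) {
            Set-ItemProperty -Path $PolicyKey -Name $name -Value $desired[$name] -Type String
        }
    }
}

function Test-LogonBanner {
    # Returns $true only when both values are present and non-empty.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return (-not [string]::IsNullOrWhiteSpace($p.legalnoticecaption)) -and
           (-not [string]::IsNullOrWhiteSpace($p.legalnoticetext))
}

# Constructed placeholder wording; take the real text from your Acceptable Use Policy.
$caption = 'Notice: monitored system'
$text    = 'Use of this computer and network may be monitored. ' +
           'By signing in you consent to this monitoring.'

Set-LogonBanner -Caption $caption -Text $text
if (-not (Test-LogonBanner)) {
    Write-Warning 'Logon banner is not fully configured on this machine.'
}
```

Run it once per machine; adding `-WhatIf` to the `Set-LogonBanner` call previews the registry changes without writing them.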



## ChloeP (Feb 4, 2013)

Employers are allowed to monitor employees, within reasonable limits. Employers are allowed to monitor email messages, unless it states in the company policy that they don't.
Workers do need to be told that they may be monitored though, and under which circumstances. Suspecting unauthorised use would be seen by courts as a good cause for monitoring.
Even phone calls can be monitored; some states require employers to tell everyone involved in the phone call that this is happening, but most don't.


----------



## epshatto (Dec 23, 2010)

Title I of the Electronic Communication Privacy Act makes it a crime to intercept data across the wire that is intended to be private.

If you use a keylogger to monitor your users, you run the chance of capturing private credentials for user accounts. For example, if you capture login information for a user trying to log into their online banking, at a bare minimum you are now liable for the security of those credentials. More likely, you could be sued for capturing private passwords, because that is illegal. This has been done before. In that scenario, it's far from clear whether you would win such a suit, because it's gone both ways in the past. Also, the expense and headache for such a suit would be tremendous for a small business. 

Since you can't discriminate with a keylogger over what keyboard entries you capture, you run a pretty significant risk of being sued if it's discovered. 

I work as an IS tech; this is my job. We don't use them.


----------



## ChloeP (Feb 4, 2013)

That's interesting, thanks.
It sounds like you mainly need some kind of policy setting out what is/isn't acceptable in the workplace, with regard to internet usage.


----------



## epshatto (Dec 23, 2010)

Policy is always a good idea. You can even be sued for firing an employee for what is obviously inappropriate use of your network, if there is no published policy that forbids it. There have been situations where that has happened, too. Policy gives you legal backing, in addition to outlining exactly what you expect of employees. Existence of a policy itself can also mitigate inappropriate use. You should develop and publish an Acceptable Use Policy and make it available to all employees. You might even want them to sign and date it, though having it available is really all you need.

There is only one situation where use of a keylogger is pretty acceptable and you could probably manage it without fear of a suit. That is when you target one individual for investigation because you have specific reason to believe they are engaging in illegal activity or activity that violates published policy. It's the blanket use of a keylogger that could be the problem, the theory being you have a right to know what employees are doing with your network, but that doesn't give you the right to know their personal information, and you can accomplish the first goal with monitoring tools that aren't keyloggers. Plus, you can get free ones! That's always a plus too.


----------

