Penn National Insurance Clamps Down On Employee Internet Use

The Internet sometimes is referred to as the "wild, wild West," a moniker earned by the manner in which the Web represents an open, loosely policed territory where traditional rules and procedures don't apply. In recent years, it became abundantly clear to executives at Penn National Insurance Co. that this relatively new frontier needed some taming through a higher level of governance and accountability.

The Web has been a boon to the 900 employees at the Harrisburg, Pa.-based carrier, and it serves as a valuable research and information-gathering tool. But due to concerns about data security and privacy, and employee productivity, Penn National wanted to clamp down on employees who roam the Web for purposes unrelated to their jobs.

"Four years ago, we managed much of these security efforts in-house, and we believed we were able to control employee Internet activities pretty well," says Tom Miele, Penn National's manager of information security management. "But as the company grew, there was a need to expand this effort."

That's because Web-based employee management is about more than curbing employees' online activity to make them more productive. It's also a compliance issue because giving employees carte blanche access to the Web can compromise the security and privacy of customer information.

The passage of the Gramm-Leach-Bliley Act, governing the disclosure and collection of consumers' confidential financial information, pushed financial services and insurance companies to take measures to protect their corporate assets from emerging Internet threats.

With the law's requirements hanging over its head, Penn National Insurance in 2004 invested in an employee Internet management program to better optimize employees' use of computing resources, while also mitigating new threats related to Internet use, including instant messaging, peer-to-peer file sharing and spyware.

In doing so, Penn National Insurance, with annual written premiums of $511 million and assets of $1.3 billion, scouted for a more robust solution externally rather than relying on its own internal resources.

Recreational surfing

Prior to 2001, Penn National self-managed and policed its network security. For example, employees who took liberties online, such as visiting Web sites that were not related to their work, faced only minor reprimands from their supervisors.

On top of that, Penn National supervisors had no way of effectively monitoring ongoing Internet activities, short of constantly looking over employees' shoulders.

Although most Penn National employees would visit legitimate Web sites, a handful had a tendency to visit non-work-related sites.

The danger posed by this recreational surfing is that malicious spyware, key-logging applications and Internet viruses may be inadvertently installed on employees' desktops. In addition, they can go undetected for extended periods of time, which can result in a continuous, long-term outflow of confidential customer, personal or organizational data to unknown third parties.

The specter of third-party sites dragging down its operations was unacceptable for Penn National Insurance.

After conducting due diligence, the insurer opted for a subscription-based employee Internet management program developed by Websense Inc., a San Diego-based provider of employee Internet management solutions.

Selecting Websense became the centerpiece of a rigorous four-year plan rolled out in 2001 to beef up Internet security, boost productivity and comply with industry regulations such as Gramm-Leach-Bliley.

"As we continue to rely on our employees' use of Internet technology to improve efficiency, we see Websense Enterprise as an essential solution in defending the security of our customers' confidential information, while at the same time improving overall employee output and optimizing our network bandwidth," Miele says.

Sensible solution

Serving about 23,600 customers worldwide, Websense touts the fact that its solution, called Enterprise, is the only employee Internet management technology that offers filtering solutions at three distinct levels to establish and enforce Internet usage policies.

The three levels are the Internet gateway, the network and the employee's desktop.

Websense has classified more than 7.3 million Web sites into 90 categories encompassing more than 50 languages, a functionality that enables customers to quickly detect possible network breaches. Websense also has identified and categorized more than 500,000 software application and executable files that can be unknowingly downloaded and cause problems.

What's more, the vendor also enables customers to establish their own categories and add them to this database of potential threats.

In addition, the company built a comprehensive database of common network protocols to help companies manage network policies and filter spyware, instant messaging, peer-to-peer file sharing, streaming media and other non-HTTP traffic.

"As malicious applications such as spyware and keylogging become more prevalent with the increased use of unmanaged peer-to-peer file-sharing networks, organizations are taking action to proactively protect their corporate assets as well as comply with important industry regulations," says Saran Gopalakrishnan, product manager for Websense.

"We developed a product that brings together patented advanced Internet filtering options, enhanced mobile security, and an updated database to support the employee Internet management market."

Websense Enterprise serves as the core module in the product suite, but several other add-on modules are available, such as Security PG and Productivity PG.

Websense Security PG provides a "first line of defense" for a network by preventing employees from inadvertently accessing sites that are infected with mobile malicious code, or distributing spyware.

"Should spyware find its way to the corporate desktop, Security PG stops the transmission of sensitive information, such as consumer financial records, to external spyware host servers," says Gopalakrishnan.

To manage workflow, Websense Productivity PG blocks employee access to pop-up ads, instant messaging host sites, message boards and clubs, as well as online brokerage and trading sites.

Product flexibility

Miele says another advantage of Websense Enterprise is its built-in functionality that enables Penn National to loosen or tighten restrictions when needed.

For instance, Penn National Insurance currently blocks access to all Web sites that involve firearms, sales or otherwise. The key reason: Accessing these sites could lead to an employee acquiring a weapon.

But what if access to a firearm site was required for a work-related reason? For example, a group of Penn National underwriters recently needed to conduct research on firearms, because the company was rating a company that sells firearms.

"To do so, they needed to visit certain Web sites of that nature," Miele explains. "And flexible filtering was able to provide special authorization to those underwriters who needed to visit those sites, while blocking access to everyone else."

Websense's service is provided on a subscription basis, an option Miele says is attractive to the carrier.

"It's relatively inexpensive to pay for an annual subscription (Penn National spends $15 per desktop per year on the service). Plus, if next year we feel the technology is not performing, or if we identify a solution we like better, we can easily cancel the service. We're not locked in for multiple years," he says.

With 900 employees, the company's costs for the service are about $13,500 per year.

Penn National Insurance has yet to generate hard figures on the benefits of Websense Enterprise to its business.

With Websense Enterprise firmly entrenched in the carrier's day-to-day activities, bringing order and accountability to the "wild, wild West" is not a pipe dream anymore, but a reality.

Enterprise is definitely keeping malicious code and viruses from infiltrating Penn National Insurance's firewalls, which improves the security of customer information. "I get a daily download report that details anything the database catches," says Miele. For instance, there are probably 100 Web sites that debut every week that feature some type of pornography, he says.

As soon as these sites are identified, they can be immediately blocked. "The thing I like is that I can add information independently to the database if I have to," he adds. "We can plug things into the database and they're instantly blocked."

Management also believes the company's employees are more productive now, with less latitude to roam freely on the Web.

For example, the solution has a time parameter built in which enables the company to allot a certain number of hours per week to employees for a specific type of site, such as travel sites.

"We can't prove that people are actually more productive, but we do have a way of tracking how many hours a month an employee spends on the Internet," Miele says.

"And we've established a policy that limits employees to 12 hours of Internet time per month. So if someone is spending 30 hours on the Internet, we're able to flag it. We receive a detailed report of not only sites visited, but accumulative time spent online."
