The None Category

I had an interesting weekend discussion with an end-user of web filtering products, whose company takes the approach that anything that ends up in the category "None" needs to be blocked. Unfortunately for end-users that means new websites and websites that aren't visited frequently are ones most likely to have that rating. The end-user also mentioned to me frequently it prevented him from finishing his project or job he was working on, leading to a ticket submission into the IT helpdesk to get him access for those sites, a process that usually took at least a week. A week where he was unproductive.

It got me thinking about the category none, and what you can do about it as an IT administrator. There are two obvious choices, first, block it like this company did, causing a reduction in productivity, when websites that are required for work end up in this category, or the opposite, which is to allow "None" and risk allowing malware, phishing attacks, and prohibited websites from making it into the corporate network.

There is a third option of course, which is one that it seems not enough companies take advantage of, and that's the coaching page. When a website turns up with a rating of "None", instead of blocking it or allowing the page, throw up a coaching page, that explains the website was found to have no rating, and as such could be a dangerous site, with a new threat that hasn't yet been discovered. Allow the user to click through if they are certain the website should pose no risk to them and they agree they have a business purpose for visiting that website, and at the same time alert the end-user that their identity and the fact they visited the site was being recorded for accountability.

With a coaching page, most users who really have no business going to the new site will be wary of visiting the site, and only go if they have a business purpose for visiting the site. It should unload much of the hassle of creating custom exception lists for end-users when their requests get blocked, and leave accountability in the hands of the end-user. Make sure of course your proxy can create an exception page and will indeed log the user's identity and the site they attempt to visit.