It is not long ago that IT managers talked about web threats as mainly the downloading and viewing of inappropriate content in the workplace. However, times have changed and now the term “web threat” is used to describe a broad and evolving range of risks and challenges for businesses of all shapes and sizes in any market sector.
Of course, the viewing and downloading of inappropriate content is still a big issue for companies. The sheer availability and volume of this type of content is staggering, and whilst web filtering technology has evolved to make it easier to block, staff often resort to using anonymous proxies to bypass filtering. Since this type of content is often used to deliver viruses, spyware or other malware, it can be a major security threat. In addition, companies need to ensure that their duty of care to protect their staff from inadvertently viewing such content is enforced – failure to do this may result in expensive legal costs.
Productivity is also a huge issue for many companies and the implications can be staggering, including wasted wages, lost business, and expensive efforts by IT departments to manually block unacceptable websites and clean up productivity-destroying malware acquired from downloads. In addition, an organization's legal vulnerability increases when employees illegally download copyrighted or proprietary material or offensive text and images that can be disseminated throughout the enterprise.
Productivity is further compromised by the continuing growth of online shopping, with staff being tempted to spend inordinate amounts of time browsing online stores or auction sites during working hours. A medium-sized company with 100 PC users, who each spend an extra two hours per week on average surfing non-work-related sites, can experience around £120,000 a year in lost productivity.
Whilst online shopping is a big attraction, the recent phenomenon of social networking would appear to be an even bigger draw for users. From Facebook to YouTube to Bebo, avid social networkers can’t seem to get by without their ongoing fixes of social interaction, regardless of whether it is during working hours. In addition to the potential impact on productivity, many social networking sites are bandwidth-hungry, which can have a negative effect on the performance of business applications. Further compromises can also occur as safe sites can be hijacked by hackers to deliver viruses to unsuspecting users.
This type of content, whilst not deemed to be as inappropriate as, for example, adult content, nevertheless presents a huge challenge for companies who need to effectively manage their Internet resource. Recent research has, however, suggested that social networking can improve staff morale and increase intra- and inter-company collaboration. In fact, organizations such as the TUC have called for staff to be allowed unlimited access to non-work-related content during working hours.
So what are companies to do?
Clearly, adopting a head-in-the-sand approach to managing access and praying that staff will not abuse resources is best avoided. Companies firstly need to understand what types of content are being accessed, when and how often.
Originally, organizations relied on list-based filters to block access to unacceptable sites. Human classifiers examined the content of web pages and added them to a database blacklist, a white list, or a time-specific list. This strategy, however, has become increasingly inadequate as the Internet continues to grow exponentially each year. Some vendors have supplemented the database approach with keyword scoring: the filter scans a requested page for the frequency of keywords and, if the page scores above a preset level, blocks it. This has also proved to be problematic. The enhancement is very hit-and-miss and sometimes blocks purely informational pages, such as cancer sites that frequently use the word “breast.” Building a picture of web access and acceptable Internet usage across a company, as the basis for reliable, proactive management, can therefore be made easier with a dedicated third-party web filter that allows detailed reports to be created quickly and easily.
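The list-plus-keyword-scoring design described above can be sketched as follows. This is an added example, not code from any filtering product: the hosts, keywords, weights and threshold are all constructed, and it shows the health-information false positive along with a human-classified white-list entry overriding it.

```python
import re
from urllib.parse import urlparse

# All hosts, keywords, weights and the threshold are constructed for illustration.
BLACKLIST = {"adult.example"}
WHITELIST = {"oncology.example"}
KEYWORD_WEIGHTS = {"breast": 3, "nude": 4, "xxx": 5}
THRESHOLD = 5.0  # preset level: weighted keyword hits per 100 words

def keyword_score(text):
    """Weighted keyword frequency, normalised per 100 words of page text."""
    words = re.findall(r"[a-z]+", text.lower())
    if not words:
        return 0.0
    return 100.0 * sum(KEYWORD_WEIGHTS.get(w, 0) for w in words) / len(words)

def decide(url, text):
    """Return (verdict, reason): human-classified lists first, then scoring."""
    host = (urlparse(url).hostname or "").lower()
    if host in WHITELIST:
        return "allow", "whitelist"
    if host in BLACKLIST:
        return "block", "blacklist"
    score = keyword_score(text)
    verdict = "block" if score > THRESHOLD else "allow"
    return verdict, f"keyword score {score:.1f}"

# Constructed page text resembling a health-information article.
CANCER_PAGE = (
    "Breast cancer screening: early signs of breast cancer include a lump "
    "in the breast. Talk to your doctor about breast screening options."
)
NEWS_PAGE = "Quarterly results show revenue growth across all regions."

if __name__ == "__main__":
    samples = [
        ("http://health.example/screening", CANCER_PAGE),    # unlisted host
        ("http://oncology.example/screening", CANCER_PAGE),  # white-listed host
        ("http://news.example/results", NEWS_PAGE),
        ("http://adult.example/", ""),
    ]
    for url, text in samples:
        print(url, decide(url, text))
```

The same text is blocked on the unlisted host and allowed on the white-listed one, which is why scoring verdicts need to be logged with their reason so that false positives can be found in reports and corrected.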
Once an understanding is obtained, a robust Internet acceptable usage policy (AUP) needs to be developed. This outlines what is acceptable, what isn’t and the consequences of breaking the AUP. It is absolutely critical that the AUP is enforced fully and consistently, as failure to do so may mean that staff find methods to avoid it, potentially harming their productivity or the organization's IT network.
Bloxx is exhibiting at Infosecurity Europe 2009 held on 28th – 30th April in Earl’s Court, London.