The Evils that Lurk in Idle Web Surf

Web surfing: the harmless office downtime activity of a thousand IT disasters. What is behind the disconnect between the IT department and clients when it comes to responsibility over Web security?

While summer is almost upon us, there's never a worry over good or bad weather when it comes to clients heading out for some Web surfing. And what better place than the office to check out some sites?

But for IT managers acting as life guards on the corporate beach, enforcing network health and safety rules can get dicey.

The experience of IT pros and the results of a new survey show that most clients aren't getting the message about security and the Web. Or perhaps they just don't care.

The seemingly casual act of Web surfing was thrust into the spotlight last month when an administrative law judge in New York City argued that a city employee had been unfairly penalized for browsing travel and entertainment sites on company time.

The judge likened Web surfing to reading the newspaper or taking a personal phone call, an acceptable downtime activity so long as it does not affect job performance.

However, a number of readers said the judge was missing a vital point: the individual worker's responsibility, through his or her behavior when computing, for the security of the network and even of the enterprise itself.

"What in the heck is this all about? What does that judge know? Absolutely nothing about security, I guess. If you let your employees surf all they want then you are just asking for trouble. I just feel sorry for the IS departments that have to put up with that," eWEEK talkback commenter Tvantine responded in reference to the report on the ruling.

Without fail, there is a wide gap between users' perception of the safety of the sites and e-mails they click on and the actual safety of those clicks.

Just ask Howard Graylin, a senior technical analyst at Southern Farm Bureau, in Ridgeland, Miss., who remembers spending an entire weekend in 2000 disinfecting and patching up the mess left behind by an employee who opened a message with the I Love You worm.

"We all started getting e-mails with the I Love You subject line from a girl that pretty much nobody gets along with. I was confused, but by the time I got the third one, I became suspect that it was a virus. Yet, not before an employee had opened the e-mail and infected the whole group," Graylin told eWEEK.

"It took us two full days to get everything patched and re-secured. I had to drive back to my house, download the patch, store it on a CD, and drive back to work because we had to shut down all of our connections."

Analysts suggest this disconnect between IT and clients is an all-too-common experience.

According to security vendor Websense, almost one in five (17 percent) of organizations have had an employee launch a hacking tool or a keylogger within their network, up from 12 percent in 2005.


These results will be released in the company's seventh annual Web@Work survey on May 15.

The survey also will report that 19 percent of IT decision-makers indicated that they've had employees' work-owned computers or laptops infected with a bot.

Four out of five (81 percent) respondents said their employees had received a phishing attack via e-mail or IM, and of those nearly half (47 percent) said their employees have clicked through; this result was up from 45 percent in 2005.

"Although employee awareness of Web-based threats such as phishing attacks and keyloggers is improving, the vast majority of employees still do not know that they could fall prey to these types of social engineering tactics in the workplace," said Dan Hubbard, senior director of security and technology research at Websense, of San Diego, Calif.

A phishing trends study by Websense released in 2005 found that only 4 percent of surveyed employees reported that they had ever fallen for a phishing e-mail, while the IT decision makers polled argued this click-through number was closer to 45 percent.

"Organizations need to implement a proactive approach to Web security, which includes both technology to block access to these types of infected websites and applications, as well as rigorous employee internet security education programs," said Hubbard.
