While summer is almost upon us, there's never a worry over good or bad weather when it comes to clients heading out for some Web surfing. And what better place than the office to check out some sites?
But for IT managers acting as lifeguards on the corporate beach, enforcing network health and safety rules can get dicey.
The experience of IT pros and the results of a new survey show that most clients aren't getting the message about security and the Web. Or perhaps, they just don't care.
The seemingly casual act of Web surfing was thrust into the spotlight last month when an administrative law judge in New York City argued that a city employee had been unfairly penalized for browsing travel and entertainment sites on company time.
The judge likened Web surfing to reading the newspaper or taking a personal phone call, an acceptable downtime activity so long as it does not affect job performance.
However, a number of readers said the judge was missing a vital point: the individual worker's responsibility to the security of the network and even to the enterprise itself through his or her behavior when computing.
“What in the heck is this all about? What does that judge know? Absolutely nothing about security, I guess. If you let your employees surf all they want then you are just asking for trouble. I just feel sorry for the IS departments that have to put up with that,” eWEEK talkback commenter Tvantine responded in reference to the report on the ruling.
Without fail, the disparity between users' perception of the safety of sites and e-mails they click on and the actual safety of those clicks is great.
Just ask Howard Graylin, a senior technical analyst at Southern Farm Bureau, in Ridgeland, Miss., who remembers spending an entire weekend in 2000 disinfecting and patching up the mess left behind by an employee who opened a message with the I Love You worm.
“We all started getting e-mails with the I Love You subject line from a girl that pretty much nobody gets along with. I was confused, but by the time I got the third one, I became suspect that it was a virus. Yet, not before an employee had opened the e-mail and infected the whole group,” Graylin told eWEEK.
“It took us two full days to get everything patched and re-secured. I had to drive back to my house, download the patch, store it on a CD, and drive back to work because we had to shut down all of our connections.”
Analysts suggest this disconnect between IT and clients is an all-too-common experience.
According to security vendor Websense, almost one in five (17 percent) of organizations have had an employee launch a hacking tool or a keylogger within their network, up from 12 percent in 2005.
These results will be released in the company's seventh annual Web@Work survey on May 15.
The survey also will report that 19 percent of IT decision-makers indicated that they've had employees' work-owned computers or laptops infected with a bot.
Four out of five (81 percent) respondents said their employees had received a phishing attack via e-mail or IM, and of those nearly half (47 percent) said their employees have clicked through—this result was up from 45 percent in 2005.
“Although employee awareness of Web-based threats such as phishing attacks and keyloggers is improving, the vast majority of employees still do not know that they could fall prey to these types of social engineering tactics in the workplace,” said Dan Hubbard, senior director of security and technology research at Websense, of San Diego, Calif.
A phishing trends study by Websense released in 2005 found that only 4 percent of surveyed employees reported that they had ever fallen for a phishing e-mail, while the IT decision makers polled argued this click-through number was closer to 45 percent.
“Organizations need to implement a proactive approach to Web security, which includes both technology to block access to these types of infected websites and applications, as well as rigorous employee internet security education programs,” said Hubbard.
Taking a Proactive Approach to Clients and Security
Some security analysts suggest companies take a range of proactive approaches to protecting their networks from what they view as one of their biggest security threats: employee misunderstandings.
While some companies implement Internet use or acceptable use policies, others pursue a more aggressive route by installing policing software.
A popular product, put out by SpectorSoft, is used by more than 10,000 companies to monitor their employees' computers and Internet surfing activities.
“[These companies'] primary concern is that the average employee with an Internet connection at work spends between one and two hours a day surfing the Internet, and typically more than half of that time spent is not work-related,” said Doug Fowler, president of anti-spyware vendor SpectorSoft.
“And some employees are spending more than half of their work day goofing off on the Internet. Companies are looking to identify the worst offenders and turn wasted time into productive time, and our software helps them do this because it allows them to see exactly how their employees are spending their time on the computer.”
Companies that have implemented the software feel that they've both boosted productivity and reduced their time patching security breaches.
“Very often, we'd find that the problem with an employee's computer was that they'd clicked on a bad file, often from downloading music. They'd download virus and it was contact work to clean their stuff,” said Chuck Benedon, former executive vice president for compliance at Ashton Finance in Brookfield, Wis. He said the monitoring software reduced virus attacks.
“We fired more than one employee for consistently violating our computer policy,” Benedon said.
Similar reactions were echoed among postings on the Web-surfing judicial ruling.
“I may be old-fashioned in this respect, but the Internet connection at one's job, like the telephone, is the property of one's employer, and using it, especially on work time, for personal purposes, is theft from one's employer,” commenter KHFleischer said.
In the case in question, the city worker's employers clearly felt the same.
On May 5, despite the judge's recommendation that he receive only a reprimand for disregarding warnings to not surf the Web on company time, Toquir Choudri was fired for Web surfing.
“The penalty of termination is appropriate and not shocking to one's sense of fairness,” Schools Chancellor Joel Klein said in a statement.