Wall Street Journal: Employees Are Biggest Security Risk

September 27th, 2011

No matter what type of company you run or how your network is configured, the biggest threat to your network’s security is your employees.

According to a security firm recently quoted in an article by the Wall Street Journal, most of the new corporate security breaches involve hackers who gained access to company networks by exploiting well-intentioned employees.

In the article titled “What’s a Company’s Biggest Security Risk? You”, Kevin Mandia, chief executive of security firm Mandiant Corp, told the Wall Street Journal:

“These days, criminals aren’t just hacking networks. They’re hacking us, the employees. The security gap is end users…Companies frequently face data breaches when employees lose laptops and disks, but sharing and storing company documents on third-party cloud services carry their own risks, including phishing attacks.”

The growing number of risks associated with employee internet usage has prompted many system administrators, managers and I.T. staff to adopt a policy that manages web use by User ID. They’re setting stricter policies to protect their networks from a well-intentioned but unskilled Web-surfing population.

With employee filtering software and internet filtering servers such as Wavecrest’s CyBlock Proxy, system admins can block employees from social networks (where many malware programs exist) as well as shopping, sports and potentially hazardous sites. CyBlock also provides admins with vital tools such as RealTime Plus Filtering, Real-Time Monitoring and White List functionality, which creates ‘allowable’ lists for users and groups.

For more information about the security benefits of CyBlock Proxy, visit wavecrest.net.

Workplace Data Leaks Become A Growing Concern for I.T.’s & Managers

September 21st, 2011

As more managers feel the pressure to enforce Acceptable Use Policy compliance in the workplace, data leak protection has emerged as a top priority for I.T. departments.

An article on businessinsurance.com titled “Security, data loss concerns limit technology adoption: Survey” revealed:

“Concerns about security and data loss are to some extent preventing global technology adoption in 87% of companies.”

Increased connectivity begets shared vulnerability, which leaves I.T. staff and administrators with the crucial task of confining network groups and users to approved websites. Without an employee internet filtering white list in place, your company’s confidential data could be spread to malicious third-party websites.

White lists are one of the most effective tools for preventing data leaks in an office network. White lists place boundaries on employees’ web browsing. This arrangement protects your network from hazardous websites, such as email-phishing websites disguised as legitimate corporations and organizations.

Other simple steps to protect your office network from data leaks include:

1. Limit employee/user access to sites that are essential to their daily work.

2. Block freeware and bit torrent sites.

3. Enforce an Acceptable Use Policy and make your staff aware of the risks of not governing themselves appropriately while using their computers.

Malware and Disgruntled Employees Among Top Security Threats

September 14th, 2011

When it comes to internet content security, some of the most overlooked threats often reside within your own company network. A recent article by The Globe and Mail titled “Ten most overlooked security threats for small businesses” listed malware, insider threats and disgruntled employees as potential threats.

What is Malware?

Malware, also known as “malicious software”, is used to track a user’s browsing activity and details of website visits. Malware is a persistent threat that is constantly evolving into different forms and attaching to new programs. Today, many I.T. teams have opted to block social networking sites in the workplace, as they have become a widespread source of malware infection. Facebook games and apps often carry malware.

What are “Insider threats?”

Insider threats include disgruntled or irresponsible employees who expose their company’s network to significant risk by visiting dangerous and/or prohibited sites. If these users are granted access to too many areas within your internal or external sites, the damage they cause can spread throughout your network. Other threats listed in the article include:

  • Malicious breaches that go on indefinitely.
  • Hijacked domain names.
  • Breaches caused by connecting (from) infected devices.
  • Confidentiality breaches caused by any data breach, interception or unauthorized access.
  • Business interruptions due to backup data issues.
  • Physical breaches and theft.
  • Trust abuses.

To prevent the aforementioned threats, business managers should exercise policy-based web-use management by implementing an Acceptable Usage Policy. Acceptable Usage Policies, also known as AUPs, are essential guidelines for improving workplace productivity and ensuring accountability for employee internet usage.

For legal liability purposes, you may want to consider having your employees sign the AUP to confirm that they understand the standards, limitations and agreements. For more information about web filtering in the workplace and web use policy case studies, visit wavecrest.net.

Court Ruling: Employee’s Illegal Web Use = Grounds for Firing

September 2nd, 2011

Employee’s Unauthorized Internet Usage Violated Company’s I.T. Policy

A recent article on Businessmanagementdaily.com shows the importance of establishing an acceptable usage policy or I.T. policy to monitor employee internet usage and to protect an employer from legal liability. (For more information on legal liability and employee web use, read our post: Legal Liability Risks Without Employee Internet Monitoring.)

The article, titled “Employer Blind-Sided by Employees Inglorious Web-Usage”, cites a recent example where an employer’s I.T. policy and federal law were violated by an electrician at an Indiana metal alloy manufacturer who used the company’s internet connection to download movies on his laptop computer.

According to the report, 88% of the company’s bandwidth was consumed by movie downloads, which congested the internal network and slowed response times for the service center. As a result, the company fired the employee for violating its IT policy, which included rules pertaining to “theft or misappropriation of company property,” “misuse or failure to exercise due care for all tools, equipment or company property,” “any unauthorized entry into company property,” “interfering with others in the performance of their work,” and “engaging in personal work unless authorized.”

In response to a wrongful termination claim by the former employee, a court upheld the termination.

Keller admitted what he did violated federal law as generally stated at the beginning of each movie. Additionally, Keller acknowledged he received and was trained on the company’s IT policy, which included a list of prohibited conduct but which clearly stated the list was “not all inclusive.” (In re Hayes Int’l and Steelworkers Local 2958, Arb. (Cohen), 8/10/11).

3 Lessons Learned … Without Going To Court

1. Have an IT policy. Make sure it lists a variety of prohibited conduct like “theft or misappropriation of company property.” But also make sure it includes language that the list is “not all inclusive” because no one could ever dream up all the infractions employees could engage in.

2. Conduct training. The court strongly weighed policy training in favor of the employer. The return on that investment of time was well worth it to stop this case in its tracks.

3. Monitor employees. Employees can be engaging in federal crimes putting the company at risk for liability. What organization needs to be the subject of that scary movie?

The Case for a Policy-Based Web-Use Management Approach

August 23rd, 2011

Prompted by the explosion of employee internet usage in enterprises of all types, this post reviews policy-based Web-use management approaches. It first reviews their need and then describes how they can be implemented in a way that benefits all concerned.

By way of definition, a “policy-based Web-use management” approach integrates specific policy provisions (“do’s and don’ts”) with (a) a semi-automated monitoring and auditing process and (b) follow-on management processes and actions.  And the terms “use” and “usage” refer to constructive, productive use of the Web as well as undesirable or unacceptable use.

The post points out that enterprises of all kinds—business, education, government, etc.—are rapidly increasing their use of the Internet. This increase goes far beyond “sales” and “research.” It now extends to many core-business or mission-related functions. As more and more dollars and manpower are invested in this effort, and as the dependency on network resources increases, these enterprises need to strengthen and improve the way in which they manage the use of this increasingly vital resource.

In this regard, the post urges enterprise managers to become considerably more involved in planning and controlling Internet usage.  It goes on to point out that the best way to do this is through use of policy-based Web-use management approaches. A logical sequence of actions for them to follow is this:

First, they need to establish policies that encourage positive Web-use while simultaneously discouraging negative (personal) use.

Secondly, they need to put in place policy-based software to help ensure compliance with the policy. (Policy-based software can automatically monitor, analyze and document Web usage, providing management with usable, reliable information that helps identify problem areas and determine trends.)

Thirdly, management must invest the time and effort to use this information to (a) adjust priorities, strategies, schedules and tactics and (b) to guide any necessary workforce-related actions, e.g., assignments, training, or disciplinary action.

The post concludes by pointing out that the integration of these three elements (i.e., establishing a comprehensive policy, installing policy-based software for reporting, and using the information in the reports to make strategic and tactical adjustments) constitutes an effective policy-based Web-use management approach.

The Case for a Policy-Based Web-Use Management Approach

A.  Background.  It’s no secret that thousands of enterprises are increasing their use of the Internet at a phenomenal rate.  Furthermore, they’re using it for much more than simple on-line shopping and e-mail.  Increasingly, they are using it for core functions of the enterprise, e.g., “front office”, logistic, administrative, financial, marketing, purchasing, shipping, order tracking, advertising, technical, training, project-collaboration and “just-in-time-manufacturing” activities.  While this is all very exciting, many enterprises are discovering that it’s a two-edged sword.  On the one hand, Internet-based approaches benefit the enterprise in many ways, i.e., they typically result in improved communications, increased flexibility and agility, reduced turnaround times, increased profit potential, etc.

On the other hand, such approaches result in an increasing level of dependence on Internet resources and usage.  Now “Net-dependence” is not inherently a bad thing.  However, without proper management attention, such dependence can lead quickly to ineffective use of the work force.  To preclude this from happening, enterprises need to closely manage all aspects of Net-related activity.

B.  Current Management Approaches.  To date, most Internet management efforts, if any, have been aimed solely at preventing or minimizing use of the Net for personal reasons.  Some enterprises do this by blocking access to “undesirable” sites, e.g., those featuring pornography.  This is often referred to as “filtering.”  Another approach, which some enterprises employ, is the use of a very simple reporting system—one that identifies users and lists the sites they have visited. This type of simplistic reporting leaves it up to the individual manager to decide—after the fact—what is abusive and what is not.  This is often an onerous burden.

These simplistic approaches, while useful to a point, have several drawbacks. First, they focus solely on the negative aspects of Internet usage and do nothing to prompt or encourage positive, constructive use of network resources. Secondly, they can lead to a false sense of security, i.e., they can never capture more than a modest percentage of “unacceptable” or “undesirable” sites.

Even if these two approaches were effective, mere minimization of abuse is no longer adequate in today’s Internet-intensive world.  After all, waste and abuse constitute only a small fraction of Internet use, perhaps five percent.

C.  A Better Way.  If waste and abuse constitute only five percent of Internet use, what about the other 95 percent?  This remaining “fraction” consists of extensive human and technological resources that are being devoted to enterprise-related Internet activity every day.   As with its other resources, management needs to plan and control Internet usage to ensure optimum results.  To do this successfully, enterprise managers need to develop and implement policy-based Web-use management approaches. At a very fundamental level, a Web-use management approach includes:

  • a strategy for Internet use
  • a policy for governing that use
  • a policy-based mechanism or process for monitoring and reporting on that use
  • a follow-through process for analyzing Internet usage and taking appropriate action on the basis of that analysis.

As you can see, the first, second and fourth bullets represent human management functions.  These functions involve decision-making responsibilities that cannot be performed by anyone or anything else (sorry, computers can’t do it all).  On the other hand, the third bullet can be handled automatically by well-designed Web-use management products (more on this later).  All four bullets are discussed briefly in the following paragraphs.

1.  Strategy for Internet Use.  In a way, discussing the need for strategy is “stating the obvious,” but then again, maybe not.  In today’s world, network resources are absolutely crucial to achievement of the enterprise’s goals and objectives.  In addition, it’s no secret that they are extremely expensive.  Consequently, to ensure cost-effective mission success, the enterprise should have a carefully crafted, clear strategy for the way these resources are to be used.  The strategy should state the enterprise’s goals and objectives in a clear, coherent way and should indicate the priorities to be employed, functions that are to be stressed, etc.

2.  Policy for Governing Internet Use.  A sound, formal Web-use policy is needed to help implement the enterprise’s strategy.  In the context of network usage, an effective, thoughtful, and properly administered policy is a dual-purpose document.  That is, it 1) encourages and guides all members of the enterprise work force toward positive constructive use of network resources, while 2) simultaneously helping to curb inappropriate internet surfing in the workplace.  To accomplish the first purpose, it should clearly reflect the strategy discussed above as it relates to network usage.  In so doing, the policy should clearly state how, when and why network resources should be used and when they should not.

To aid the second purpose, it should clearly state what is acceptable use and what is not, and it should clearly indicate the sanctions to be imposed for engaging in unacceptable use.  In our judgement, though, the former should be emphasized more than the latter.  In sum, a sound Web-use policy is more than just a litany of restrictions and penalties; it is the fundamental promoter and guideline for using network resources in positive ways to benefit the enterprise and all of its members and stakeholders.

3.  Policy-Based Monitoring and Reporting. By definition, Web-use policy management strives to ensure that Internet usage conforms to both the positive and restrictive aspects of the enterprise’s policy.  Successful accomplishment of this objective requires implementation of some type of highly efficient monitoring, documenting and reporting product that can record and display the number, type and origin of Web site visits. This information is needed to determine the degree to which network resource usage conforms to the enterprise’s Web-use policy. To produce this information, enterprises can implement some sophisticated but easy-to-use Web-use management products that are currently in use in a number of sectors (more on this later).

4.  Follow-Through Process (for Analyzing and Using Reports).  As indicated earlier, an effective policy-based Web-use management approach includes a follow-through process for analyzing Internet usage and taking appropriate action when deviations from policy are noted.  Such action may be needed to 1) bring network usage into conformance with policy, or 2) to modify the policy (or related plans) accordingly.  When this is the case, management can use the information provided by the reporting system to guide adjustments to priorities, strategies, schedules and tactics, and/or to guide any necessary workforce-related actions, e.g., assignments, training, or disciplinary action.  It can also be used to guide the establishment of Web-access blocking regimens if management decides to include filtering in its overall approach.

D.  Web-use Management Products.  Having discussed the four elements of policy-based Web-use management briefly, we would now like to follow up on the third one (monitoring/reporting) with a more detailed discussion of Web-use management products.  Just what are Web-use management products anyway, and why does anyone need them?  Let’s take a look.

In the context of this paper, Web-use management products are software applications that analyze Web site visits, list them in subject-matter categories, and determine their acceptability or appropriateness.  (Such products may or may not be used in conjunction with filtering.) Through various output reports, these applications provide information to managers for use in identifying relevant trends and making business decisions. Very importantly, these products may or may not be policy-based. (“Policy-based” refers to an application that can be tailored to reflect—and monitor compliance with—the enterprise’s own policy.) While both types are useful, a policy-based product is much more advantageous than one that is not. A well-designed, policy-based Web-use management product can monitor and report on Internet usage in a much more useful and efficient way than one which is not policy-based. The reasons for this are discussed next.

1.  Non-Policy-Based Products.  If the product is not policy-based, it simply reports “raw visit data.”  It does not analyze results or compare them with any standard. Without extensive manual analysis, such data doesn’t answer the most important Web-related question: “Were the visits productive or abusive?”

2.  Policy-Based Products.   Conversely, if the product is policy-based, it does answer the question: “Were the visits productive or abusive?”  There are three reasons for this.  First, the product can help with policy formulation.   Secondly, the product can be used for policy administration. Thirdly, it can help with policy dissemination.  These three uses of policy-based products are discussed in more detail below:

E.  Use of Policy-Based Products for Policy Formulation.  A well-designed, policy-based product can help formulate as well as administer Web-use policy.  The parameters of such a product can help enterprise managers define and describe the policy in highly specific language that is completely consistent with subsequent audits and reports.  These parameters include the (a) subject-matter categories, (b) acceptability classifications and (c) permissibility thresholds that are built into the product and (if desired) customized by the enterprise. Definitions of these three parameters (product features) can be translated easily into policy language, thus tying the policy directly to the product.  These parameters enable enterprise management to assign “acceptability” classifications to the categories and to establish thresholds for identification of improper use.  These last two concepts are discussed below.

1.  Category “Acceptability” Classifications (Ratings).  As part of policy definition, each category can be assigned an “acceptability” rating, e.g., “acceptable”, “unacceptable” or “neutral”.  Management makes these assignments on the basis of the enterprise’s policy and “business” objectives.

Note: Management can add additional “custom” categories (with enterprise-specific URLs) to the universal, i.e., standard categories built into the product.  Custom categories enable management to focus in tightly on areas of particular importance to the enterprise.

2.  Intra-Category Thresholds.  After assigning an “acceptability” classification to each category, the enterprise can also assign it a quantified “threshold” value.  Thresholds, expressed as “number of visits”, help differentiate “appropriate” from improper or abusive use, as defined below:

  • Appropriate Use.  Appropriate use includes “authorized” visits that benefit the enterprise or user in positive ways.  Also included is a reasonable but limited number of “personal” visits in selected categories.
  • Improper Use.  Improper use is defined three ways:
      ◦ Any number of visits to totally “unacceptable sites.”
      ◦ “Excessive visits to Web sites for personal reasons”; i.e., a level of visits that is ABOVE the threshold in a nominally authorized category.  This is considered “abuse”.
      ◦ Excessive visits to sites that may not be “unacceptable,” but are simply not productive for the organization’s purposes.

As indicated earlier, threshold levels are defined by the enterprise, not the software vendor.  And they can relate to the potentially positive as well as negative uses of the Internet.
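To make the three parameters concrete, here is an added example (not Wavecrest’s or CyBlock’s code) that applies a category table, acceptability ratings and per-category visit thresholds to a few constructed proxy log lines and reports the three kinds of improper use defined above. The log format, the host-to-category table and the treatment of uncategorized hosts as the “not productive” case are all assumptions made for the example.

```python
"""Policy-based Web-use report: categories, acceptability ratings and visit
thresholds applied to constructed proxy log lines (example code, not CyBlock)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy in the three parameters the post names:
# category -> (acceptability rating, visit threshold per user per period).
# A None threshold means unlimited; "unacceptable" categories flag on any visit.
POLICY = {
    "business-research": ("acceptable", None),
    "news":              ("neutral", 5),
    "social-networking": ("neutral", 3),
    "shopping":          ("neutral", 2),
    "adult":             ("unacceptable", 0),
    "malware":           ("unacceptable", 0),
}
# Assumed limit for hosts in no category: "not unacceptable, but not productive".
UNCATEGORIZED_THRESHOLD = 4

# Constructed host-suffix table standing in for a product's categorized URL list.
CATEGORY_BY_HOST = {
    "standards.example": "business-research",
    "news.example":      "news",
    "social.example":    "social-networking",
    "shop.example":      "shopping",
    "badstuff.example":  "malware",
}

@dataclass
class Finding:
    user: str
    kind: str            # "unacceptable", "abuse" or "unproductive"
    category: str
    visits: int
    threshold: Optional[int]

def categorize(url: str) -> str:
    """Map a URL to a policy category by hostname suffix; unknown hosts are uncategorized."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, category in CATEGORY_BY_HOST.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "uncategorized"

def parse_log(lines) -> List[Tuple[str, str]]:
    """Constructed log format: '<timestamp> <user> <url>'; malformed lines are skipped."""
    visits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[2].startswith(("http://", "https://")):
            visits.append((parts[1], parts[2]))
    return visits

def evaluate(visits, policy=POLICY) -> List[Finding]:
    """Count visits per user and category, then apply the three improper-use rules."""
    counts = defaultdict(Counter)
    for user, url in visits:
        counts[user][categorize(url)] += 1
    findings = []
    for user, per_category in sorted(counts.items()):
        for category, n in sorted(per_category.items()):
            if category == "uncategorized":
                if n > UNCATEGORIZED_THRESHOLD:          # rule 3: excessive unproductive visits
                    findings.append(Finding(user, "unproductive", category, n, UNCATEGORIZED_THRESHOLD))
                continue
            rating, threshold = policy[category]
            if rating == "unacceptable":                 # rule 1: any visit at all
                findings.append(Finding(user, "unacceptable", category, n, 0))
            elif threshold is not None and n > threshold:  # rule 2: above the category threshold
                findings.append(Finding(user, "abuse", category, n, threshold))
    return findings

# Constructed sample log for one reporting period (last line is deliberately malformed).
SAMPLE_LOG = """\
2011-08-23T09:01:00 alice http://www.standards.example/docs/spec
2011-08-23T09:05:00 alice http://news.example/tech
2011-08-23T09:07:00 alice http://social.example/feed
2011-08-23T09:08:00 alice http://social.example/feed
2011-08-23T09:09:00 alice http://social.example/photos
2011-08-23T09:10:00 alice http://social.example/games
2011-08-23T10:00:00 bob http://www.standards.example/docs/spec
2011-08-23T10:30:00 bob http://dl.badstuff.example/update
2011-08-23T11:00:00 carol http://www.shop.example/cart
2011-08-23T11:01:00 carol http://www.shop.example/checkout
2011-08-23T11:02:00 carol http://random1.test/x
2011-08-23T11:03:00 carol http://random2.test/x
2011-08-23T11:04:00 carol http://random3.test/x
2011-08-23T11:05:00 carol http://random4.test/x
2011-08-23T11:06:00 carol http://random5.test/x
garbage line
""".splitlines()

if __name__ == "__main__":
    for f in evaluate(parse_log(SAMPLE_LOG)):
        print(f"{f.user}: {f.kind} in {f.category} ({f.visits} visits, threshold {f.threshold})")
```

Each user appears once per flagged category, so the report reads directly as “which rule, which category, how far over the threshold” for the follow-through process described later.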

F.  Policy Dissemination.  If the product is well-designed, the category, classification and threshold definitions can be translated easily into policy language.   The policy can then be widely disseminated, in an understandable form, to all concerned. As part of this process, the various components of a policy-based Web-use management system can be used to “educate” the enterprise’s computer users in a positive manner.

First, management can explain the content of the policy itself, pointing out the reasons—both positive and restrictive—why the policy is necessary.  They can then explain how the language of the policy is reflected in the design of the product’s categories, classifications and thresholds.

Next, they can discuss how these three entities are tailored for the enterprise.  Finally, management can describe how the various provisions of the policy will be monitored and audited, how the users will be notified of any deviations, and the kinds of corrective action that may be taken if necessary.  As mentioned earlier, such orientation does not need to focus solely on the “negative.”  It can be used to stress how management wants the Web to be used (not just how it should not be used), and how proper use can help the enterprise and all of its stakeholders succeed. Done this way, the policy helps preclude misunderstanding or confusion as to what constitutes desirable and undesirable use of the Internet.

G.  Use of Policy-Based Products for Policy Administration.   A well-designed, policy-based product provides clear, understandable reports which show usage in relation to conformance to the policy (“How many and what kinds of visits are being made?   Are they productive or abusive?”).  Such a product can help ensure comprehensive, equitable, fair administration of the enterprise’s Internet policy.   Assuming it is implemented with a thoughtfully designed and tailored set of categories, classifications and thresholds, the product can easily produce a variety of cogent, immediately usable reports.  The information in the reports can be as concise or as detailed as desired.  The information can be used by itself, or it can be used in conjunction with other enterprise data (functional, financial, etc.) to aid in a wide spectrum of planning and decision making efforts.

Summary.  Because of the burgeoning use of the Internet, it behooves enterprises of all kinds to strengthen and improve the way in which they manage the use of this increasingly vital resource.  It is no longer enough to simply block access to pornographic sites, or to leave it up to individual supervisors to detect abuse via oversimplified site-visit reports.  To maximize return on their Internet “investment,” enterprise managers need to become considerably more involved in planning and controlling Internet usage, and they need to develop and implement policy-based Web-use management approaches.  To achieve this objective, they first need to establish policies that encourage positive—and discourage negative—use of the Internet.  Secondly, they need to put in place progressive management systems that ensure compliance with the policy.  Thirdly, they must support the systems with policy-based software that automatically monitors, analyzes, documents (and possibly filters) Web usage.  Such software can provide management with usable, reliable information that helps identify problem areas and determine trends.  Finally, management must use this information to (a) adjust priorities, strategies, schedules and tactics and (b) to guide any necessary workforce-related actions, e.g., assignments, training, or disciplinary action.

Social Networks Expose Office Networks to Malware & Viruses

August 18th, 2011

As new cyber attacks on social networks are reported, more I.T. professionals and office managers will turn to employee internet monitoring software to block social networks in the workplace. A recent article on CNet revealed an increase in cybercriminal activity throughout the most popular social networks.

Due to changes in the delivery methods, malicious software (malware) and other viruses have become harder to detect than the older versions, which were often distributed via email downloads and pop-up advertisements. According to recent surveys, many work computers are exposed to malware and viruses that are attached to games and applications shared on Facebook. These threats were thoroughly described in the article “Facebook nasty traps – and how to protect yourself!”:

“They are kinky, erotic, extreme and incredibly funny. They contain lurid headlines, some striking images, often with misspelled words. We’re talking about the wrong video-posts on Facebook, which increasingly make the rounds and have two things in common: The link in reality does not come from a friend and you also do not click the actual video. In most cases, it creates Facebook-worms within these messages. The process is called ‘Likejacking’ or ‘Clickjacking’.”

Impact of social networks on office network security.

Social networks are among the most frequently visited websites in the workplace. Surveys show an increasing number of workers visiting social networks multiple times during each workday, which increases the odds of your network being exposed to “likejacking” or “clickjacking.”

Unfortunately, many businesses don’t establish an acceptable use policy with their employees. As a result, their internet use isn’t monitored throughout the day, company productivity suffers and I.T. staff are tasked with repairing infected networks. Unmonitored employee internet usage may also contribute to spikes in bandwidth usage, which decreases network speed for each user.

If internet abuse is suspected, managers, I.T. staff and CIOs should use internet content security software and detailed web log analyzer reports to locate the user(s) who are abusing their internet access privileges.

System Security Threats from Social Networking in Office Workplace

August 11th, 2011

An expert advice column on Technewsworld.com warns of the risk of social networking in the office workplace. As an extra measure to ensure network security and stability, many managers and I.T. staff are beginning to track employee internet usage and block social networks in the workplace. In Alexandru Catalin Cosoi’s column titled “Social Menaces”, readers are warned of the variety of network security risks involved with social networking.

According to Cosoi, many social networking sites and profiles accessed by employees may expose your network to a botnet or malware.

“Many social networking sites and profiles could provide an ideal and cost-effective platform for the distribution of a range of malicious content such as viruses, bots, Trojans, spyware and adware….We have also seen cases where a piece of code has been attached to a profile page, so that when the user logs in, a bot is automatically downloaded into the system, transforming the unprotected computer into a “zombie” — a compromised machine that is part of a larger net of infected machines, called a “botnet,” which an attacker remotely controls.”

Key targets in these hacks include high level office personnel who aren’t web savvy enough to detect a hack. According to technewsworld.com, these employees represent the weakest link in a company’s armor and are often the backdoor hackers use to gain access to classified data.

“Using highly versatile social engineering techniques, attackers can exploit an online professional network to target employees who are not likely to be data security experts, but who may have access to various essential data resources stored within the organization’s network.”

With the continuous spread of social network memberships across the globe, more I.T. staff and company executives will be forced to decide between filtering employee Internet access or risking their network data.