Companies need to be responsible Internet community members - stop the shopping with company resources!
IT Topics: Management, Security
Now that the holiday season is fully upon us, many people will be turning to the Internet to do their shopping. I think this is a great thing in most respects. But it also has many security implications.
From the standpoint of a company with employees, this risk is high because of the number of employees using company computer resources to shop while at work. The typical security consultant, engineer, manager, admin type knows this risk very well and does what he / she can to protect the organization. But the question is this: why do organizations allow this type of non-business Internet activity on their network? St. Bernard Software is reporting this:
In the latest security survey conducted by St. Bernard of 298 organizations, 76% reported that they do not block employee Internet access to online shopping sites during work hours.
This makes no sense to me and most security professionals out there. The tools are readily available, and in most cases would pay for themselves many times over if implemented.
Just looking at the issue from the direction of productivity should be enough to make an organization lock down the Internet connection. Yet companies have tended to look at this more like the shoplifting problem: they just kinda factor it into the cost of doing business, only doing something about the more blatant cases.
But when you combine the security issues with the productivity argument, the case for controlling Internet access seems like a slam dunk. The likelihood of ID theft, phishing attacks, spam, malware, etc. goes up dramatically when shopping is allowed on company computer resources. Though the Internet has made many people informed shoppers, these same people are, for the most part, still uninformed about security risks on the Internet. They will go to almost any site that offers a perceived bargain or free shipping or some other gimmick, and these sites could host any manner of security problems.
And the kicker is that these risks could be headed off to a high degree if only organizations would police their Internet access. Instead, they opt for reactive measures by setting up anti-spam, anti-virus, anti-whatever. These measures are necessary in any event, because bad stuff can leak through even with only legitimate Internet traffic, so the argument could be made that it makes no sense to buy tools to lock down Internet surfing when the reactive tools are needed anyway. But the concept of defense-in-depth slaps this argument down quickly and soundly.
So what other reasons are there for not policing the Internet traffic? I think it is as simple as a culture issue. Fast and reliable Internet access at most companies has been available for around 10 years now, and organizations did not set the precedent of policing the traffic from the start (especially the smaller organizations), so people simply expect it now. And who wants a bunch of griping, unhappy employees who actually have to do work instead of shopping for Christmas presents? That was tongue in cheek, in case you didn't catch it.
But organizations have to realize that they are contributing to the total insecurity of the Internet when they allow employees to use their resources for irresponsible Internet activity. This is no different than companies taking part in helping out their physical communities. The virtual community is no less important, and organizations should be responsible members there as well.
Related Post: I guess I am a Scrooge