It is the employer, not the employee, who is the weakest link in a company's IT security
SurfControl has today announced the results of a new UK survey that uncovers an alarming level of complacency by employers when it comes to combating spyware in the workplace. The poll found that 21.3 percent of all respondents’ employers did not prohibit the use of Instant Messaging to contact friends, Web-based email, recreational surfing, downloading free software, personal online banking, storing personal files, sharing free music/video files, playing online games, running CD-Rom/DVD media or the use of USB flash drives on work PCs.
Well, I agree with the sentiment... or at least some of the sentiment, if not with everything they claim are 'threats'.
One has to bear in mind who sponsored this report and who is presenting the news: SurfControl, a web-filtering vendor, and they have a rather large stake in this kind of discussion.
Literally anything can be a threat if you look hard enough. I would not call IM-ing friends a threat. I might call file transfer via IM a threat, but not much of one. Use of USB drives? Well, it's the same issue: not being able to fully control what files pass in and out of your network.
At the moment, given the current state of files and file systems, I would say it is just about impossible to lock down your network so that no foreign file ever enters it. The trick is to mitigate what threat those files do pose. AV on the desktop is one part of that; a strict and enforced lockdown policy for the desktop environment is another, and the same can be said for perimeter defences.
It's that old cost vs usability vs security argument. You can have a little of all three, but not all of them at the maximum level. People use IM and play games to give themselves a little distraction, which I believe is a healthy thing in moderation. Not to mention that IM is the perfect productivity tool if used for work purposes.
USB sticks? Well, they have taken the place of floppies. I often see people resorting to USB sticks when that is the easiest way to get to their data. Shutting off access to USB may mitigate some of the foreign-file threat, but I don't think that stands in proportion to the added support costs you incur, or the effect it has on worker morale. Instead, perhaps you should be focusing on giving your users what they need: easy (and secure) access to their files; remove their reason for trying to work around the system.
And what the hell is wrong with 'Web-based email', 'recreational surfing' and 'personal online banking'? How are these a security threat? Yeah, sure, downloading trojans perhaps... spyware? Maybe... so how about a software restriction policy then? If you run Windows XP or Server 2003 and up (Windows 2000 has Group Policy, but not software restriction policies), you already have the mechanism to implement it; it is just a case of doing it.
How about locking down Internet Explorer? Turn off ActiveX via Group Policy. It's not perfect, but it's a start! Thought about running Firefox on desktops yet? It might be worth considering!
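As an added example (my own script, not anything from the original post or from SurfControl), here is what those two suggestions, a default-deny software restriction policy and an Internet Explorer ActiveX lockdown, look like when written as the registry settings Group Policy itself pushes out. In a domain you would set the same items in a GPO; writing them directly is for a standalone test box. The Safer and Internet Settings locations and value names are the documented ones; the two allow-listed paths and the choice of which zone actions to disable are my assumptions and should be adjusted to the image being locked down.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Applies a local default-deny
# Software Restriction Policy (SRP) and disables ActiveX in IE's Internet zone
# by writing the registry values Group Policy would write. Log off and on
# again before testing; SRP is evaluated when a new process starts.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels: 0 = Disallowed, 0x40000 (262144) = Unrestricted.
$Disallowed   = 0
$Unrestricted = 0x40000

New-Item -Path $safer -Force | Out-Null

# Default rule: nothing runs unless a rule explicitly allows it.
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value $Disallowed -Type DWord
# 1 = enforce for all software files except DLLs; 2 = DLLs as well.
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1 -Type DWord
# 0 = apply to all users; 1 = all users except local administrators.
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0 -Type DWord
# File types SRP treats as executable (the default list).
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
         'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
         'PIF','REG','SCR','SHS','URL','VB','WSC'
Set-ItemProperty -Path $safer -Name ExecutableTypes -Value $types -Type MultiString

function Add-SaferPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each path rule is a subkey <level>\Paths\{GUID} holding the path itself.
    $key = "$safer\$Level\Paths\" + [guid]::NewGuid().ToString('B')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

# Allow-list (assumed): the OS and installed applications, resolved through
# registry paths so the rule survives a non-default install drive. Profile
# folders, temp directories and removable media stay at the default level,
# which is where downloaded trojans and "free software" actually land.
Add-SaferPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' $Unrestricted 'Windows directory'
Add-SaferPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' $Unrestricted 'Program Files'

# Internet Explorer: machine-wide zone policy. Zone 3 is the Internet zone.
$ie   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone = "$ie\Zones\3"
New-Item -Path $zone -Force | Out-Null
# Make the HKLM zone settings apply to every user, ignoring per-user overrides.
Set-ItemProperty -Path $ie -Name Security_HKLM_only -Value 1 -Type DWord
# Zone action values: 0 = enable, 1 = prompt, 3 = disable.
$actions = @{
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked safe
}
foreach ($name in $actions.Keys) {
    Set-ItemProperty -Path $zone -Name $name -Value $actions[$name] -Type DWord
}

function Get-LockdownSummary {
    # Read back what was applied so the result can be eyeballed or logged.
    $p = Get-ItemProperty -Path $safer
    [pscustomobject]@{
        SrpDefault   = if ($p.DefaultLevel -eq 0) { 'Disallowed' } else { 'Unrestricted' }
        AllowedPaths = Get-ChildItem "$safer\$Unrestricted\Paths" -ErrorAction SilentlyContinue |
                       ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
        ActiveXRun   = (Get-ItemProperty -Path $zone).'1200'
    }
}

Get-LockdownSummary
```

Two caveats a practitioner will want. First, a path rule is only as strong as the ACLs on the directory it allows: a user-writable subfolder under Program Files is an execution path through the policy, so audit those ACLs before trusting the allow-list. Second, this is exactly the "not perfect, but a start" level of control the post describes; Firefox installed under Program Files keeps working, a copy unpacked into a user's profile does not, and that is the intended effect.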
I am against the view that SurfControl seems to take: that any freedom you give employees, both online and off, is always a bad thing. Try turning off all net access in your company and let's see what it does for morale. Work should be a place you want to go to, or at the very least don't mind going to, so employees should be giving at least some thought to distraction and relaxation, finding that balance of productivity and fun. Blanket blocks on certain activities are not the answer; a far more nuanced approach is needed, one that combines and weighs those important elements in the way that best suits your company's needs: cost vs usability vs security.