
Internet Use

by Msecadm4921

Your employees and the Internet; by Donal Casey, technical solutions architect, Morse.

The use of the Internet within corporations for such activities as ordering goods, sourcing information and communicating with customers and colleagues has become as widespread today as using the telephone was 30 years ago. In fact, in many ways, it has replaced it. The ease of online ordering and banking, email and Instant Messaging (IM), Intranets and Extranets has revolutionised employees' communication potential, and now allows them to communicate without the whole office listening in.

Along with this communication revolution has come a whole new raft of issues, the biggest of which is controlling the content transported and accessed using the Internet. Sending an IM or web based email to friends and colleagues, for example, to organise social events is, in general, fairly innocuous. However, such communication becomes harmful when confidential corporate information is shared with unauthorised parties, or when files that may carry viruses are inadvertently transmitted over the corporate network and, because they travel over IM or webmail rather than the email gateway, bypass the standard corporate content checks.

Managing these forms of communication is becoming increasingly important, not least because organisations have to comply with growing numbers of regulations and industry standards. This takes several steps. Firstly, employees must be regulated and educated about what they are allowed to use. Secondly, controls must be put in place to protect the corporate environment from the potential dangers that arise from daily use of the Internet. Finally, there must be a facility to review traffic logs and content in order to enforce the regulations and policies and to refine the controls.

Regulation and education

For many years, companies have adopted Acceptable Usage Policies for such things as telephones and fax machines. Attempts to adapt these policies to take into account email, web browsing and other electronic access has led to serious gaps in the policies. It is virtually impossible to replicate a telephone usage policy for the Internet because the repercussions of using the two tools are very different. For example, making a personal telephone call to Australia may significantly increase a telephone bill, however visiting a malicious website may cause wider network damage that impacts customer service and therefore the reputation and profits of the organisation. Organisations are advised to initiate a whole new policy for communications. It should cover acceptable use and corporate governance and should be complete, clear and available.

A comprehensive policy should include all forms of electronic communication: email, IM and webmail, telephone, mobile phone and fax. This can be quite difficult to achieve; however, there are many available templates as well as companies offering services to help generate these policies. Any policy should be reviewed by the business's legal department to ensure that it does not contravene prevailing legislation such as the Freedom of Information Act or Health and Safety law.

The content of the policy should be concise and ideally not contain any technical jargon or legalese to ensure the messages are understood by all individuals within the organisation. The policy should also make clear the ramifications of failing to comply with the procedures outlined.

It is also important to ensure that the opportunity and facility to view the policy is provided to all employees. There also needs to be a mechanism in place to record that this has happened, for example, explaining the policy during the employee's induction or by using technology that automatically registers that the employee has read the policy. Using technology makes it easier to ensure that future changes to the policy are presented to and acknowledged by the employee. Unfortunately, there isn't a way to ensure that the employee has actually understood the policy that they have read.

Internet users should also be made aware that the policy provides guidelines for acceptable Internet use and is in place to protect both them and the corporation; by adhering to it, they minimise the risk to all employees, as well as to their own personal data and email address.

Putting controls in place

Once the Internet Usage Policy is in place, it requires enforcement. There is no point in having a policy that states that users should not access specific sites (e.g. online auctions) if the technological enforcement is not there to prevent them. There are now many tools available to help enforce policies, such as web content filters, URL blockers, anti-virus gateways and email content filters.

When a corporation is selecting a technology solution, it should take into account the contents of the policy and to what level it wishes to enforce that policy. If, for example, the policy states that no Microsoft Word documents should be sent electronically, the enforcement solution should check for these types of files, both as direct attachments and inside compressed archives, for all forms of electronic traffic: FTP, webmail and Instant Messaging, as well as traditional email. The check should identify file types by their content rather than by file extension, since a user can rename a document to evade an extension-only rule.
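The following is an added example, not code from the article or from Morse, of the attachment check the paragraph describes: it parses a MIME message, identifies Word documents by their content signature rather than their filename (the legacy .doc OLE2 magic bytes, or a zip package containing word/document.xml), and recurses into zip archives to a bounded depth. The sample message it builds is constructed for the example; a renamed .doc and a docx nested inside a zip are both caught.

```python
"""Content-based attachment check for Word documents, including inside zip archives.
Added example; not the product described in the article."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc: OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # zip local file header (docx is a zip package)


def classify(data: bytes) -> str:
    """Return 'doc', 'docx', 'zip' or 'other' based on the bytes, never the filename."""
    if data.startswith(OLE_MAGIC):
        return "doc"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        # A Word package always carries these two entries.
        if "word/document.xml" in names and "[Content_Types].xml" in names:
            return "docx"
        return "zip"
    return "other"


def find_word_documents(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """List the paths of Word documents in data, descending into zip archives.
    max_depth bounds recursion so a nested-archive bomb cannot exhaust the filter."""
    kind = classify(data)
    if kind in ("doc", "docx"):
        return [name]
    if kind == "zip" and depth < max_depth:
        found = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)
                found += find_word_documents(f"{name}/{info.filename}", inner, depth + 1, max_depth)
        return found
    return []


def scan_message(raw: bytes) -> list:
    """Walk every MIME part of a raw message and return the Word documents found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        label = part.get_filename() or part.get_content_type()
        hits += find_word_documents(label, payload)
    return hits


def build_sample_message() -> bytes:
    """Constructed test input (hypothetical addresses and files)."""
    # Minimal docx-shaped package: a zip with the two entries that mark a Word document.
    docx_buf = io.BytesIO()
    with zipfile.ZipFile(docx_buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    # Outer archive wrapping the docx next to a harmless text file.
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.docx", docx_buf.getvalue())
        zf.writestr("notes.txt", "nothing here")
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    # Legacy .doc renamed to .txt to slip past an extension-only rule.
    msg.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="memo.txt")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="archive.zip")
    msg.add_attachment(b"plain bytes", maintype="application", subtype="octet-stream",
                       filename="ok.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print("BLOCK:", hit)
```

The same classify and find_word_documents routines apply unchanged to a file pulled off an FTP session, a webmail upload or an IM file transfer; only the MIME walking in scan_message is email-specific.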

Email is both a business critical application and a danger, because it allows the simple transmission of legitimate and illegitimate material alike. To control this activity, email content filters now have an established foothold in many organisations. They can be easily configured to block viruses and spam and to prevent content such as Word documents leaving the organisation. Unfortunately, many employees are now aware of these email content filters and are choosing alternative forms of communication, such as webmail or Instant Messaging, to circumvent them. Many businesses are therefore implementing web content filters to control users accessing webmail over otherwise legitimate protocols such as HTTP and HTTPS.

Web usage control solutions are available either as a standalone product or as a suite containing URL blocking with anti-virus, content filtering and traffic archiving. URL blocking as a standalone product is the simplest form of web content filtering. It provides an effective way to prevent users accessing web sites that are against policy, for example webmail sites. Issues arise, however, when users have a legitimate requirement to use these sites – their customers may require it for example. Control of webmail then becomes more difficult as it creates the need to examine the content of targeted, yet legitimate, web traffic. Organisations need to start to treat webmail content as if it was email content and apply similar controls in addition to URL blocking.

Instant Messaging carries similar security risks to webmail; however, many corporations do not yet control its use. Confidential information, such as a share price, can be transmitted in real time with a few key strokes, and unless the traffic is logged the communication leaves no trace. In addition, attachments can be sent back and forth with no virus checking until the file reaches the desktop. A recent worm, BROPIA.f, specifically targeted MSN Messenger users. It installs a trojan that performs keylogging and can act as a spam relay.

In response to this issue, integrated solutions are now available that provide URL blocking, anti-virus, content checking and archiving for both standard HTTP traffic and Instant Messaging. These go a long way to help enforce Internet usage policies.

Enforcing regulations and policies

In order to police the Internet Usage Policy, effective logs must be kept of what users have done and when. These are also useful later: the logs produced, coupled with the evidence that the employee has had the opportunity to read the policy, should be sufficient to support HR in a disciplinary proceeding. Usage logs also provide an opportunity to review the Internet Usage Policy and to make relevant changes and improvements to the processes, procedures and technology enforcement solutions in place.

The Internet, as a communication medium, is here to stay and is being used more and more for business and private communication. Corporations, therefore, need to ensure that they are protecting both themselves and their employees against threats such as viruses, spam, offensive material, Trojans, phishing and spyware that are prevalent in today's business environment. By combining user education, technical controls, and the monitoring and enforcement of security policies, businesses can ensure they are protected with a minimum of fuss and effort.