The most innocent employee activities can have the worst security consequences for employers, and uncontrolled Internet use is a perfect example of this. Employees visit sites where they download content violating HR policies, share ‘entertainment’ sites and videos that distract other employees from work, and even download malicious software that can cause network compromise. Instant messaging (IM) has many of the same issues. What can be done?
The first step is to enact a firmer Web and IM use policy. At its most stringent, the policy can ban IM use and restrict Web use to mission-critical websites, especially when in the office or on a network with brokerage servers – but that can create a less than pleasant work environment. A less strict IM policy may be to allow IM use only between employees: restricting employees to an ‘internal-only’ IM identity, not allowing them to IM with outsiders, and not allowing advanced IM features such as file sharing, audio or video. A less strict Web use policy might only allow traffic to specific, approved, non-work-related websites. Even if management goes further and does not significantly restrict Web use, it’s still important to have policies. While not an exhaustive list, a policy might include statements such as the following:
- Employees must only use approved software to access the Internet, and software configurations must not be changed by employees without manager approval, including installation of browser plug-ins and ActiveX controls.
- Any personal use must not interfere with normal business activities, must not involve solicitation, must not be associated with any for-profit outside business activity, and must not potentially embarrass the company.
- The Internet, including the Web, should not be used for the transmission of any offensive, obscene, defamatory or illegal materials.
- Employees must not download executable files from the Internet unless that download is required for performance of their job, and in that case programs should only be downloaded from trusted sources, with extreme caution.
- Sensitive information about employees, customers, or other company-confidential information should never be published to the Internet.
- Employees should have no expectation of privacy when using the company network; traffic might be logged and reviewed to ensure policy compliance.
Policies are good, but do little to protect your company on their own. It is important that employees are regularly educated and re-educated on all of your company policies. Your company can be further protected by putting technical solutions in place that reflect the policy and enable monitoring and enforcement. Such solutions can also enforce the policy proactively, in one of two ways: either allow only the limited uses you define, or allow a broader range of use but stop the prohibited uses. Clareity has guided many clients through the maze of technical options.
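As an added example (not from the original article or Clareity), the following Python sketch models the two enforcement approaches just described, an allowlist of approved sites versus a blocklist of prohibited ones, together with the executable-download and logging statements from the policy list above. Host names, user names and the extension list are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Extensions treated as executable downloads (constructed, non-exhaustive list).
EXECUTABLE_EXT = (".exe", ".msi", ".dll", ".scr", ".bat", ".ps1")

def host_matches(host, hosts):
    # True if host equals an entry or is a subdomain of one.
    return any(host == h or host.endswith("." + h) for h in hosts)

@dataclass
class WebPolicy:
    mode: str                                        # "allowlist" or "blocklist"
    approved_hosts: set = field(default_factory=set) # approved / trusted sites
    blocked_hosts: set = field(default_factory=set)  # prohibited sites (blocklist mode)
    exec_users: set = field(default_factory=set)     # users whose job requires downloads
    log: list = field(default_factory=list)          # logged for compliance review

    def evaluate(self, user, url):
        parsed = urlparse(url)
        host, path = (parsed.hostname or "").lower(), parsed.path.lower()
        if self.mode == "allowlist":   # only the limited uses you define
            decision = "allow" if host_matches(host, self.approved_hosts) else "deny"
            reason = "approved site" if decision == "allow" else "not an approved site"
        elif self.mode == "blocklist": # broader use, but stop prohibited uses
            decision = "deny" if host_matches(host, self.blocked_hosts) else "allow"
            reason = "prohibited site" if decision == "deny" else "not prohibited"
        else:
            raise ValueError(f"unknown mode: {self.mode}")
        # Executable rule applies in both modes: only users whose job requires it,
        # and only from trusted (approved) sources.
        if decision == "allow" and path.endswith(EXECUTABLE_EXT):
            if user not in self.exec_users or not host_matches(host, self.approved_hosts):
                decision, reason = "deny", "executable download not permitted"
        self.log.append(f"user={user} host={host} decision={decision} reason={reason}")
        return decision, reason

def run_sample():
    # Constructed requests evaluated under both modes; returns decisions per mode.
    approved = {"mls.example.com", "vendor.example.net"}
    strict = WebPolicy("allowlist", approved_hosts=approved, exec_users={"itadmin"})
    relaxed = WebPolicy("blocklist", approved_hosts=approved,
                        blocked_hosts={"videos.example.org"}, exec_users={"itadmin"})
    requests = [("agent1", "https://mls.example.com/listings"),
                ("agent1", "https://news.example.org/"),
                ("agent1", "https://videos.example.org/funny"),
                ("agent1", "https://vendor.example.net/setup.exe"),
                ("itadmin", "https://vendor.example.net/setup.exe"),
                ("itadmin", "https://files.example.org/tool.exe")]
    return {p.mode: [p.evaluate(u, url)[0] for u, url in requests] for p in (strict, relaxed)}
```

The difference between the two modes shows up only on sites that are neither approved nor prohibited: the allowlist denies them, the blocklist allows them, while the executable rule and the log entry behave the same way in both.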
Clareity strongly encourages its clients to make considered choices about employee Internet use, implement policies that balance risk and benefit, and take steps needed to monitor and enforce such policies, including implementation of appropriate technologies to protect their company from security and other risks inherent in Internet use.
About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.