Companies both large and small have never been so vulnerable to attacks from without and from intentional or unintentional treachery within.
Access to the internet provides many workers with the means to do their job better but it is an Achilles’ heel, a weakness in a company’s defences through which corporate data can leak out and harmful software slip in.
Most companies are already alert to the external threat from malware – viruses, trojans, spybots and the like – and will have a firewall in place and use a third party to monitor and disinfect their internet traffic.
But the question of how much latitude to allow employees in accessing internet sites has become increasingly important: “Most companies will have some sort of restraint on what their employees can do on the internet,” says Bob Tarzey, service director with the consultancy Quocirca.
There are essentially three reasons why companies should be concerned about what websites their employees are visiting.
First, productivity: an employee spending time on Ebay, MySpace or YouTube is probably not doing his or her job. There are statistics showing that on average an employee with full access to the internet will spend two to four hours a week cruising the web.
Peter Watkins, chief executive of Webroot, a US-based antivirus specialist, points out that 90 per cent of all amateur stock trading, 50 per cent of online shopping and most pornography downloads take place during the working day, as employees take advantage of the greater bandwidth available at work compared with the home.
“Many small and medium-sized companies are taken aback when they discover how much time their employees are spending on the internet,” says Harnish Patel, head of Europe for the US group, SurfControl.
The second reason is data leakage: Mark Sunner, chief security analyst at MessageLabs, the e-mail security group, says he has detected a decrease in malware attachments and an increase in malware hyperlinks (active links that can be clicked on to call up a web page). “We think these people have decided this is the path of least resistance to get bad stuff in,” he concludes, pointing out that e-mail filters do not follow hyperlinks. “They arrive in e-mails but the target is the browser,” he says.
Social networking sites are a particular problem because they encourage individuals to divulge personal information: “A gold mine of data for the bad guys,” Mr Sunner says, pointing to a new wave of e-mails targeted at individual executives identified by name and title.
Employees are often the inadvertent source of security failures. Nigel Hawthorne of Blue Coat, an internet security appliance vendor, says: “The key is to understand that whatever technology is deployed, the weakest link is often the employee. From passwords on Post-It notes to unattended, logged-on computers, it is employees that need training, coaching and to be kept secure from threats.”
The third concern is the threat to a company’s reputation if employees access unsuitable or unsavoury sites. At worst, this could open a company to the possibility of legal action if, for example, an employee was caught downloading child pornography. But even an innocent blog could cause problems if it carried the company’s name and was thought to represent its opinions.
Software capable of preventing access to certain sites is readily available. Generally, this takes the form of a huge database or look-up table against which every request to access a site is measured.
It is possible to set software parameters so that, for example, access to Ebay is mostly denied but allowed at lunchtime and after work. Employees have, after all, always shopped in their lunch breaks and online shopping should be no different.
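The look-up and the time-of-day rule described above can be sketched in a few lines. This is an added example, not code from any vendor named in this article; the category table, the policy windows and the choice to allow uncategorised sites are all constructed assumptions.

```python
from datetime import time
from urllib.parse import urlsplit

# Constructed category table; a commercial product ships a far larger,
# frequently updated database.
CATEGORY_DB = {
    "ebay.com": "shopping",
    "myspace.com": "social",
    "youtube.com": "video",
    "malware.example": "malware",   # placeholder domain
}

# Constructed policy: category -> time windows in which access is allowed.
# An empty list means always blocked; a category with no entry is allowed.
LUNCH = (time(12, 0), time(13, 0))
AFTER_WORK = (time(17, 30), time(23, 59, 59))
POLICY = {
    "shopping": [LUNCH, AFTER_WORK],
    "social": [LUNCH],
    "malware": [],
}

def categorize(url):
    """Return the category of the longest matching domain suffix, or None."""
    if "://" not in url:
        url = "//" + url            # let urlsplit see a bare host/path
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Match on whole labels so that notebay.com or ebay.com.evil.example
    # is not mistaken for ebay.com.
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None

def decide(url, now):
    """Return (action, category) for a request made at local time `now`."""
    category = categorize(url)
    if category is None or category not in POLICY:
        return ("allow", category)  # assumption: unlisted sites are allowed
    allowed = any(start <= now <= end for start, end in POLICY[category])
    return ("allow" if allowed else "block", category)
```

Matching on whole domain labels, and on the host that `urlsplit` actually resolves, keeps a look-alike name or a `user@host` URL from being filed under the wrong category.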
Currently, there is a sea-change in the way such software is deployed. The biggest companies, with scores of security specialists on hand, will continue to buy the software and tweak it to their own requirements.
This is an expensive approach, and the choice of product is bewildering: “It is far too complex,” says Peter Watkins of Webroot. Furthermore, the number of suspect sites is growing rapidly: “We update our database twice a day,” says Mr Patel of SurfControl.
Companies have to decide what business they are really in: internet access or their chosen speciality. For the latter, the choice is between the appliance solution – a computer loaded with the appropriate software – or a managed service.
“You get the same service as the other ways but you do it with a phone call,” says Mr Watkins, predicting that 40 per cent of small and medium-sized companies will protect themselves with appliances and 40 per cent with managed services. Appliance vendors offer online updates to web filtering databases.
Mr Watkins thinks desktop software will eventually collaborate with managed services over the internet to identify rogue sites and put them off limits not only to the individual company but all the managed service provider’s subscribers: “It will be a network effect from which everybody will benefit,” he says.
Circumscribing access to websites is, however, at best a necessary evil. The internet is most effective when access is freely available. “There are competing dynamics,” says John De Santis, chief executive of TriCipher of the US. Its software is designed to guarantee the identity of an individual on the web.
He argues for freedom: “Let people do what they want. If they do something bad, then at least we will know who is responsible. Staff will know their behaviour on the web is being monitored.”