
Protect enterprise networks from malicious, inappropriate Web-based content with an adequate Internet policy


Johannesburg, 15 Mar 2001

With millions of employees now potentially able to commandeer company property for personal use during the workday, enterprises are understandably concerned about the misuse of corporate Internet resources.

According to a 1999 joint Computer Security Institute (CSI)/FBI study, 97% of companies reported insider abuse of Internet resources. The average loss per company due to employee abuse is $93 000 per year, although losses at individual companies totalled up to $3 million.

Kevin Isaac, Regional Manager Middle East and Africa, points out that when employees use the Internet inappropriately, they could jeopardise the security and privacy of the enterprise.

"The Net has become an essential business communications tool. It supports intra- and inter-enterprise research and collaboration, and accelerated business processes. The productivity gains that Web-enabled enterprises may enjoy, however, are tempered by new concerns.

"Acceptable use policies notwithstanding, employees with Internet access may waste time and precious bandwidth accessing subject matter that has no bearing on business. In addition, certain subject matter may in fact be inappropriate for use or distribution within an enterprise, and may leave the corporation liable for a variety of lawsuits. Finally, enterprise networks may become vulnerable to infection, intrusion, and tampering via files such as cookies or other active content, which can be downloaded via the Web, often without the user's knowledge."

In addition, employees can sacrifice productivity and deplete bandwidth that should be used for business purposes. In 1999, IDC Research reported that 30%-40% of employee Internet usage is non-business related - amounting to millions of dollars per year in lost productivity. With enterprise bandwidth needs doubling every 90 to 180 days (Gartner Group, 1999), some employers are looking to limit employees' Internet usage in order to control the rising cost of connectivity.

Among the major findings of the Information Security Survey 1999, conducted by KPMG and BMI-TechKnowledge Group in South Africa, was that 66% of end users do not view information security as important. This is despite 70% of respondents investing in formal information security policies. It calls into question how effectively management has communicated its information security policies.

Internet security is becoming an essential tool for doing business in the 21st century. "While earlier vectors of delivering harmful content to an enterprise, such as physical access and file sharing via diskettes, are still a concern, the primary vectors for the introduction of harmful content into an enterprise have now shifted," believes Isaac.

"Today, the two primary vectors for the delivery of harmful content to an enterprise are: Internet access and email."

The IT challenge

Employers are turning to their IT departments to solve Internet usage issues. The assumption is that since Internet usage is a technology-based problem, it is the responsibility of the IT department to solve it.

Internet usage monitoring and data gathering are often the first steps in bringing Internet security issues to heel. But, since Internet monitoring often brings employees' personal Internet use to management's attention, IT can be perceived as "the bad guy", says Isaac.

"IT managers are in the front line of politically and emotionally charged dilemmas, including privacy and trust issues," Isaac says.

"Internet monitoring solutions can also help to identify inefficient use of corporate Internet resources. Unfortunately, these solutions cannot answer the philosophical questions that accompany Internet monitoring, such as who has the right to view Internet usage logs and under what circumstances are employees reprimanded."

A formal, written Internet usage policy helps to take IT managers out of the line of fire and allows them to focus on strategic technology issues. According to Advocate Mariette de Jongh, a labour law specialist and former part-time CCMA commissioner, e-mail can be a very damaging tool, one that needs to be properly managed and secured.

"If it isn't, it can have devastating consequences for companies and their employees," De Jongh says. She says that employees should be aware, however, that there is no absolute right to privacy. "Employers have to by law notify employees that they are going to monitor Internet and e-mail use within the company. In fact, they should even go so far as to get written consent from employees."

And this is where the importance of a proper Internet policy comes in.

She explains that, although employees do have the right to privacy, they are using the employer's property and therefore the contradictions have to be weighed up.

Monitoring the contents of the communication can be justified if the employer has reasonable grounds to suspect abuse, proof of which is not always easy to obtain. If an employee is suspected and/or accused of improper use, the employer cannot simply rely on a print out of the e-mail or verification of sites visited if the alleged abuse and/or extent thereof are challenged by the employee. In terms of the Computer Evidence Act (59 of 1983) the employer may be required to obtain an affidavit from a computer expert or the company's IT manager verifying, inter alia, that the print out is a true copy and that there was no interference in obtaining it.

Yet more dangerous ground surrounding e-mails is the concept of vicarious liability. De Jongh explains that if an employee makes certain defamatory statements within the course of his duties, the employer can be held liable.

"So it is essential to state in your e-mail and Internet policy that employees are prevented from making statements that could be construed as statements coming from the company."

Building and communicating Internet policies

Managing on-the-job Internet access is not just another "IT project". When the IT department is asked to spearhead an Internet usage policy project, it must involve the entire enterprise. The most effective policies reflect the corporate culture, business objectives and the importance placed on the Internet as a business tool. Besides IT, other key departments within the organisation, such as Legal and HR, need to be involved in policy development and enforcement. Operations, Finance, Accounting and others should also be asked to provide input. Opinions should be solicited from all employee levels, from entry-level sales and customer service staff to the CFO and CEO. The resulting policy will be easier to implement and enforce when everyone feels they have had a role in developing it.

The policy that is developed should be brief and easily understood. Many employees don't realise that most Web sites can trace their activities back to their employer and even track which applications they are using. In other words, when a staff member surfs at work, they can compromise enterprise security. It is helpful to provide this type of context to employees in your policy.

Once a policy has been developed, it must be communicated to all employees, Isaac stresses. To be sure employees are aware of the policy, some organisations require the employee to sign a copy of the policy, which is then kept in their employment file. The consequences for not adhering to the policy should be clearly stated and communicated as well. Additional training in the proper use and management of the Internet may be necessary.

Managerial supervision alone cannot prevent all employee Internet abuses. It is only logical that the IT department be responsible for monitoring employees' usage and access. In order to minimise resource allocations for monitoring employee Internet usage, many enterprises are turning to policy-based Internet filtering solutions. These solutions enable IT to develop its own set of monitoring and reporting rules -- based on the unique needs of their enterprise as defined in the Internet usage policy.

These tools can usually be customised for certain times of day or work groups. Once the rules are defined by IT, the filtering software automatically monitors and reports Internet usage based on those parameters.

"A sound Internet usage policy, combined with an Internet content filtering solution, can help IT managers to better protect network security, protect proprietary information and reduce liability exposure," he adds. "IT managers can further minimise security breaches - and create an effective enterprise content security solution - by using Internet content filtering solutions in conjunction with mobile code and virus protection and email content filtering solutions."


Symantec

Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, vulnerability assessment, intrusion prevention, Internet content and e-mail filtering, remote management technologies and security services to enterprises around the world. Symantec's Norton brand of consumer security products leads the market in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries.

Editorial contacts

Robyn Weeda
Symantec
(083) 296 7096