Ask most people how to mitigate the security risks involved in connecting their computer to the internet, and they’ll usually suggest anti-virus software with current virus pattern updates and firewall protection. While these two things are an absolute must for all systems on your company network, and single systems connected to the internet, alike, there are other “attack vectors” that are often overlooked. First, let’s take a look at exactly what it is that we are securing by loosely defining the expectations of most businesses regarding computer resources.
What do you expect?
As a small business, we expect several things from our computers and computer networks. This is by no means a comprehensive list - just the basics:
- Increased employee productivity through data organization, centralizing documents, shared printers, etc. while facilitating the ability to work more efficiently as a team.
- Internet access for email, vendor and support web sites, research, and maybe a little surfing during one of those working lunches.
- Protection of financial data, trade secrets, confidential employee data, customer data, etc.
- Verifiable regular backup of this valuable data
- Reliability and ease of use - we want it to work.
Obviously, we want our computers to make our jobs easier. We expect them to work and not cause productivity issues. The only time we think about our computers is when there is something wrong. In fact, if your IT (computer) person knows what they are doing, you won’t have to think about your computer very often. You may say, “We don’t have to worry: we have firewalls turned on and our anti-virus software is up to date”, but keep in mind: the firewall that comes with Microsoft Windows XP (Service Pack 2), and most other firewall software, can allow user-defined exceptions. This means that your employees can essentially disable the firewall on their computer if it is not set up properly. Most computers in small businesses are not set up to prevent employees from changing the firewall settings. Even when properly configured, anti-virus programs and firewalls are a safety net - not a catch-all.
Windows Vista and Windows 7 do prevent changes to vital systems such as these without an administrator password. Unfortunately, due to a basic lack of understanding of these built-in security measures, most employees are allowed to log in to Windows as an administrator and can therefore bypass these safety features altogether. This administrative login also allows malware and viruses to compromise your systems more easily. Because of this, employees should be set up with non-administrative logins, which will not affect their ability to get work done on their computers. There are many more advantages to these segregated logins, but I’ll save all that for another time.
What employees do
It is expected that employees do the job that they were hired to do while using time and resources to the benefit of the company. My job, by its nature, brings me to a lot of different business types: from manufacturing to dental offices, fabrication to professional services, you name it, I’ve probably been there. While the environments are diverse and the office dynamic varies from company to company, there are behaviors by employees who work on computers that I see nearly everywhere. These behaviors potentially breach all five of the expectations for computers listed above.
Many employees use Instant Messaging (IM) to communicate with friends and/or family while they are on the clock. If you are unfamiliar with IM, it’s basically a program that allows people to send and receive text messages and files to and from other people over the internet. IM tends to be used by non-administrative employees, but I have seen it used by management as well. It’s very easy to hide too; the sound of typing doesn’t raise an eyebrow, even if it is noticed. Additionally, IM programs can be made to disappear quickly into a little icon down by the clock. There are several issues with Instant Messaging, aside from the loss of productivity.
- Since text and files can be sent via IM, company confidentiality can be compromised, even unwittingly. IM communication isn’t always secure, and it travels to several locations around the country before reaching the intended person - even if they are in the same office. If an employee is telling their kid to do the laundry, interception of the message is really no big deal. On the other hand, if the employee is gossiping or complaining about work, or a customer, the potential for interception of the message becomes a major concern.
- Many internet worms, viruses, and trojans are written specifically to propagate over Instant Messaging networks. Often, employees that engage in this activity don’t install updates or security patches when prompted to do so, leaving their computer, and your entire network exposed. If infected, the downtime for clearing your network of viruses can be quite costly.
- The connection to the internet in an office is often shared by all of the computers. These connections have a limited capacity. Every email sent or received and every web page viewed reduces that capacity. Add Instant Messaging, Peer to Peer programs (see below), watching videos, or listening to music to the mix, and your internet connection can get very slow, impacting the productivity of everyone in the office. One or two employees using IM doesn’t create much traffic, but everything does add up.
Peer to Peer or File Sharing
Everyone is, by now, familiar with the controversy and legal issues over music and movies being downloaded for free over the internet. Because the internet connection at work is often faster than the one at home, or whatever the reason, employees sometimes install Peer to Peer (P2P) file sharing programs to download their favorite song, or the episode of their favorite show that they missed last night, or even pornography. While this is not nearly as common as Instant Messaging, it should not be overlooked.
- A peer to peer program makes available, to literally hundreds of thousands of people around the world, any directory on the computer that it is set up to use. I’ve seen settings that shared the entire contents of the hard drive, and network shares, presumably because the employee didn’t know how to set the program up. That amounts to a very large door to your network and your data being wide open.
- As with IM, peer to peer programs have viruses, worms, etc. that are written specifically to spread through their networks. If infected, an employee’s computer can easily infect other computers in the office - even ones that don’t have P2P programs installed on them.
- Many P2P programs are undetectable by firewalls because of the way they communicate over the internet - so blocking them can be difficult.
- A business can be liable for the contents of all files and programs on its computers. If a movie or song, or worse, was illegally downloaded to an employee’s computer, your company could be held accountable.
- Music and movie files are quite large. Transfer of large files between computers over the internet can have a significant impact on internet speed for everyone in the office.
Inappropriate internet use
The internet contains something for everybody. Music and news, videos, pictures, shopping, sports, the list goes on. You cannot reasonably expect every employee, every day to view only web sites that pertain directly to their job. While some surfing is tolerated during the work day, excessive and inappropriate use of the internet can become an issue in small businesses.
- Music, news, talk shows and other popular audio streams are available for all tastes. While this is not necessarily an inappropriate use of the internet at your company, this activity slows down the internet speed for the whole office. There is also the possibility that an employee may choose to listen to a “shock jock”, or some other program that may create a hostile work environment for other employees.
- Streaming video and social networking sites are becoming increasingly popular thanks to websites like YouTube and Facebook. In addition to the lost productivity for the employee watching video or updating their Facebook, internet speed for the whole office slows down significantly because of the large file size of video and other multimedia content used on these sites. Poor internet speed is often thought to be a problem with the service provider (e.g. Road Runner, AT&T), even when the problem originates from inside your company network.
- Pornography is viewed in the workplace more than most would admit - and not just by men. When I work on the computers at a client’s office, I have complete access to all of the systems. In my experience, I would estimate that greater than 1 in 10 computers have some type of pornographic material on them, or evidence that pornographic websites have been viewed. Some of these sites require visitors to download a program to have access to their content. More often than not, these downloads contain spyware, browser hijackers, viruses, or myriad other malicious code. Sexual harassment and company liability are also significant considerations when employees view and download pornography on company equipment.
What you can do about it.
As you can see, these types of behavior impact the five expectations referred to earlier. If you are wondering how exposure to viruses and worms can affect your backups, consider this: if you use tape backup, there are several un-patched vulnerabilities in the major vendors’ backup software that are exploited every day, allowing an attacker access to your network. If you do not use tapes for backup, viruses can be backed up with your data and can be re-introduced if you need to restore data. This is also a factor in tape backups. There are many ways an employee can waste company resources, or even expose you to legal consequences, through inappropriate use of your computers. There are, however, steps that can be taken to mitigate these types of risk to your company.
Internet Use Policy
Companies of all sizes should institute an Internet Use Policy (IUP). This is not just a memo that says “Don’t visit this type of website, and don’t install that type of software”, although that may work in very small companies. Depending on the size of your company, a comprehensive policy should take into consideration the needs and wants of people or departments from across your organization. Care needs to be taken not to alienate employees by the tone or nature of the restrictions put in place. A thoughtful IUP can greatly reduce inappropriate internet use, and your liability as well. Often companies hire a consultant to help them define an Internet Use Policy. If a good policy is difficult to enforce, there are other options.
Monitoring and firewalls
The firewalls I mentioned previously are programs installed on individual computers, and they have limitations when it comes to securing and deploying company-wide settings. Another type of firewall is a piece of equipment that acts as a barrier between your entire network and the rest of the internet. Your email and internet function normally, but it is very difficult to penetrate from the outside world. This type of firewall, like the other type, allows you to block things like Instant Messaging and most Peer to Peer programs as well. The difference is this: programs are blocked in one place and cannot be unblocked by employees. With additional features installed, web activity can be reviewed at the click of a button. This is often deterrent enough for inappropriate use. Another option allows priority to be given to administrative and executive staff to assure an internet speed that is not affected by the use of others on the network. Additionally, the websites accessed by your employees can be viewed in the device’s logs. There are several Open Source systems to choose from too. Pick the one that best fits your business. Using Open Source, in addition to proven security for your network, you get the benefit of paying only for the cost of the hardware - and there are no subscription fees for updates ever. See the m0n0wall or IPCop website for more information and download. Both of these firewalls must be installed as a separate piece of hardware on your network.
If certain types of websites aren’t accessible from your company network, employees can’t view them and expose your company to the risks described earlier. That is the concept of content filtering. You pick what is and is not allowed to be viewed by your employees. Enforcement is not an issue because employees cannot access blocked sites. There is DNS filtering, as provided by OpenDNS. They provide filtering of adult web sites as a free service - no strings attached. For larger organizations such as school districts, a filter integrated with an external firewall like the Open Source project DansGuardian would be a good starting point.
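To make the two ideas above concrete - blocking categories of sites centrally, and reviewing a firewall or proxy log to see which sites each workstation visited and how much of the shared connection it used - here is a small added example in Python. It is not code from the article, from m0n0wall, IPCop, OpenDNS or DansGuardian; the category lists, the log format (one request per line: timestamp, client address, bytes transferred, URL) and the log lines themselves are all constructed for illustration. A real filter would load maintained category lists instead of the handful of placeholder domains used here.

```python
"""Minimal domain-category content filter plus proxy-log review (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed category lists. Hostnames ending in ".test" are reserved
# placeholders; a real deployment would load vendor or community lists.
BLOCKED_CATEGORIES = {
    "adult": {"example-adult.test"},
    "p2p": {"tracker.example-p2p.test"},
    "instant-messaging": {"im.example-chat.test"},
}
# Allowed but worth metering, because streaming eats the shared connection.
ALLOWED_CATEGORIES = {"streaming": {"video.example-stream.test"}}


def parent_domains(host):
    """Yield the host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(host):
    """Return (category, blocked) for a hostname.

    Matching parent domains means a list entry for example-adult.test also
    covers www.example-adult.test and any other subdomain.
    """
    for candidate in parent_domains(host):
        for category, domains in BLOCKED_CATEGORIES.items():
            if candidate in domains:
                return category, True
        for category, domains in ALLOWED_CATEGORIES.items():
            if candidate in domains:
                return category, False
    return "uncategorized", False


# Constructed log lines: "<epoch> <client_ip> <bytes> <url>"
SAMPLE_LOG = """\
1262304000 192.168.1.21 4120 http://vendor-support.test/kb/article
1262304005 192.168.1.22 918322 http://video.example-stream.test/clip.flv
1262304011 192.168.1.23 300 http://www.example-adult.test/index.html
1262304020 192.168.1.22 755000 http://video.example-stream.test/clip2.flv
1262304034 192.168.1.24 120 http://tracker.example-p2p.test/announce
1262304040 192.168.1.21 2048 http://cdn.im.example-chat.test/msg
"""


def parse_log_line(line):
    """Split one constructed log line into its fields."""
    ts, client, size, url = line.split(maxsplit=3)
    return {"ts": int(ts), "client": client, "bytes": int(size),
            "host": urlsplit(url).hostname or ""}


def review_log(text):
    """Apply the filter to every request and summarise findings per client."""
    report = {
        "blocked": [],                          # (client, host, category)
        "bytes_by_client": defaultdict(int),    # only for requests that got through
        "hosts_by_client": defaultdict(set),    # every site each workstation asked for
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        category, blocked = classify(rec["host"])
        report["hosts_by_client"][rec["client"]].add(rec["host"])
        if blocked:
            report["blocked"].append((rec["client"], rec["host"], category))
        else:
            report["bytes_by_client"][rec["client"]] += rec["bytes"]
    return report


def top_talkers(report, n=3):
    """Clients ranked by bytes transferred, largest first."""
    return sorted(report["bytes_by_client"].items(),
                  key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    rep = review_log(SAMPLE_LOG)
    for client, host, category in rep["blocked"]:
        print(f"BLOCKED  {client} -> {host} ({category})")
    for client, total in top_talkers(rep):
        sites = ", ".join(sorted(rep["hosts_by_client"][client]))
        print(f"{client}: {total} bytes; sites: {sites}")
```

Run as-is, the script reports the three requests that hit blocked categories (adult, P2P tracker, instant messaging) and shows that the workstation streaming video accounts for almost all of the bytes transferred, which is exactly the kind of finding the paragraph above says a log review makes visible. Matching on parent domains is the important design detail: without it, a user only has to prefix a hostname with "www." or a CDN label to slip past the list.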
It’s not an expense, it’s an asset.
Although there are many issues surrounding computer network security, there are specific things that you can do to greatly reduce your company’s risk. Your computer systems and network, when properly managed, become an asset as productivity and reliability increase while expenses due to service go down.