I recently had an interesting conversation with the editor of a non-profit business publication in the US. We were talking about the results of a recent survey that GFI had commissioned and the editor seemed somewhat surprised that so many security threats existed.
I wasn’t in the least surprised and I’m sure a lot of her readers are in the same boat. Mention internet monitoring, web security and filtering to a cross-section of SMBs and non-profits and you might get a gentle nod of the head but not necessarily understanding.
Survey after survey, report after report and yet businesses fail to grasp the impact of uncontrolled Internet use. Those that do have a higher level of awareness are still too concerned that any attempt to monitor what employees are doing could lead to privacy rights issues and a plethora of complaints from employees.
Tough! A business has every right to know what is happening within the organization, who is wasting time or watching totally inappropriate material on the Internet. Not all employees like the idea that their activity online is being monitored, but more often than not, the complainants are those who have something to hide. Employees who do their job well do not need monitoring but those who abuse the system need to be controlled.
At the end of the day, if the business’s reputation is at stake, then the organization has every right to do something about it.
There are five reasons why Internet access and use in an organization needs to be monitored and I’ve listed them below.
Many employees consider Internet access at the office to be a sacred right and therefore how they use the Internet at home is often extended to the workplace. Downloading illegal or pirated software, visiting sites with illicit or adult material, shopping online and online gambling are examples of how employees misuse Internet access. Some employees also spend excessive time browsing non-work related websites such as news and social networking sites. The result is a considerable impact on productivity levels and resources, such as waste of expensive bandwidth.
2. Malware infection
There is a growing risk of malware and spyware infection when employees do not pay attention to the type of websites that they visit. Innocuous-looking websites may have been hijacked and are simply a smokescreen for malware, such as targeted Trojans, to gain access to the network, often bypassing signature-based anti-virus programs. One infected workstation is all it takes. Clicking on links and downloading software (often ridden with malicious code) pose a serious security risk.
3. Misuse of email access
Web mail access can be a backdoor through which employees can trade company information, download or exchange inappropriate material or used to contact friends on company time. Email can contain libelous content that could seriously damage a company’s reputation. There are few business-related reasons to allow web mail access but a good number of reasons why it should be blocked.
There are many employees who do not appreciate the security risks involved. Even those with good intentions can click on links in phishing emails, open websites that are not genuine, provide their personal details and email address online without good reason, open suspicious files and so on. If proper user training or security policies do not exist, monitoring and managing Internet by an IT manager may be the only option.
5. Legal liability
The presence of illegal, illicit and inappropriate material on users’ workstations creates legal liabilities for the company. True that businesses are sued for even the most absurd of reasons, but they cannot afford to be caught napping. Internet monitoring and web filtering give business owners the ammunition they need to counter any claims from clients or employees. In an employment dispute, for example, a company may need web browsing reports on an employee who is suing for unfair dismissal. If they can prove that he or she spent excessive time on the Internet or accessed inappropriate sites instead of working, they have won the case. Without that evidence, a company has a very weak hand. It is also management’s fiduciary responsibility to have the data for when it is needed.
A number of businesses may consider the risks above to be acceptable. Good luck to them.
Somehow, if I were a business owner, I’d feel more comfortable with a report in front of me listing those employees has been busy gambling online or watching porn at the office and then be in a position to take action.