San Diego Source ( The Daily Transcript)
(February 28, 2007)

Picture this: A 20-something employee at a digital media company uses his "free" time to log onto the popular Web communities MySpace.com or YouTube.com and proceeds to download or watch a streaming video posted by one of his friends. While it may seem innocent, an employee's "free" Web surfing can cause huge security breaches for his company. Today, simply clicking on infected Web sites, responding innocently to "phishing e-mails" or downloading applications that contain spyware or keystroke loggers can put a company's most valuable assets at risk. And while many of today's cool, hip technology companies are born and bred on going against the corporate America grain, they might wish they would have implemented and enforced tighter restrictions and policies, such as an Internet-use policy among executives and employees.

"The education for companies about cyber security and the types of threats out there are not being
communicated effectively to executives and employees," said Ken Hamilton, founder and president of San Diego-based Total Tech LLC, a technology consulting firm that helps companies use technology to secure and improve their businesses. "They do not understand what a negative impact that threat can have on the company and its employees in terms of placing assets at risk, including intellectual property, competitive information, employees' personal files and customer information."

Besides possible security problems, an employee who downloads video and listens to streaming Internet radio during the workday not only decreases his/her productivity, but also could slow the company's internal network by consuming available bandwidth, Hamilton added. He said businesses open themselves up to various threats daily, whether it's an employee downloading music using file-sharing software or clicking on Web sites infected with malicious code. Employees' personal information is also at risk with numerous "phishing" scams that beckon a visit to a phony Web site with a lure to confirm critical, personal financial information.

"There are many downloadable files out there that contain spyware that can copy information, log keystrokes and get passwords," Hamilton said. "This malware can control the company's system and the company wouldn't even know it. They can introduce a virus and grab proprietary information or harm the physical network, like erasing hard drives."

Simple yet effective Internet-use policies can save time, money and lots of headaches for companies,
regardless of their industry, Hamilton said. The following are some tips on crafting a policy that will not only keep a company in sync with what its employees are doing but also keep employees satisfied and productive:

¥ First, outline the four biggest threats for miscellaneous Internet use -- decline in productivity, clogging network bandwidth, security breaches and legal liability.

¥ Create an effective communication plan that will explain to employees why an Internet-use policy is needed today. Employees need to be reminded they have a vested interest in the company, and the company possibly could be put out of business through legal liability if customer or employee information is breached or compromised by loss of intellectual property.

¥ When introducing the policy, make sure employees thoroughly understand it and understand the need for it. Make sure they sign the policy, which will become part of the company's human resource function when new employees are hired.

Once a policy is put in place, company executives must ensure it is strictly enforced, Hamilton said.
One way to do that is to install various software tools on the company's network that will ensure employees are in compliance with the policy. Hamilton said these tools are part of a "multilayered security" approach to protecting company assets. Some of these software products, such as the ones Total Tech offer, provide Internet-access management and security, desktop antivirus protection or an endpoint product that won't allow, for example, an employee to transfer files from the company network to a memory stick.

Another possible problem for companies is instant messaging (IM), where people can still send and receive inappropriate content. By using a tool from Websense, a Web filtering and Web security software provider, Total Tech can allow clients' employees to still use IM; however, the software blocks employees from attaching files. Companies can also deploy a client policy manager that will not allow any type of USB drives to plug into the company's system. This can prevent an employee from taking the company's personnel file off the network and downloading it onto a flash drive and taking it home.

Hamilton said it's also a good idea for companies to have security that protects employees when they are away from the office. Remote Web filtering, for example, can protect an employee when his or her laptop is out of the office and off the protected network. When employees return, they can reconnect after having their computer electronically "frisked" by network access control software -- even after downloading new software or files -- without harming the company's internal networks.

"The way to implement some or all of these security solutions is either all on the premises or in a hosted environment," said Hamilton, who is also former director of technical services at San Diego-based Websense. "All the security infrastructure can be at an off-site location, as long as the network traffic runs through that hub.... That way the company doesn't need an IT tech on staff, and they don't have to host the server in their office."

Hamilton acknowledged most businesses cannot deny workers access to the Internet. But the solution is to implement measures that protect the company while keeping employees safe, knowing security threats are being mitigated at the network and desktop levels. Establishing and communicating a comprehensive Internetuse policy, backed by powerful inbound and outbound filtering tools, provides companies an extra security blanket in a "wild west" world that is riddled with
viruses, phishing scams, spyware and Web sites with malicious code.

"With network security tools and an Internet-use policy, company IT departments can be much more productive because they don't have to respond to threats after they get into systems and cause havoc," Hamilton said. "With security taken care of, the IT department can focus on areas that improve employee efficiency, ensure hardware availability and infrastructure and guarantee that their computing systems operate as efficiently as possible."