Why do companies need to control internet access?

I’m still seeing so many organisations not controlling what their employees are doing on the Internet. This is a problem. The problem lies in the fact that the internet habits of staff outside of work are now clear and present inside of their day-to-day working environment.

April 16th, 2010

IT security - Why you need to control Internet access

How can employees’ internet usage put your business at risk?

1. Security risks

An employee browsing potentially dangerous websites without control can open your business to an array of security risks, such as viruses, trojans, spyware – the list goes on. This is because non-work-related websites are a major source of dangerous exploits entering the network. These obviously pose a risk to the individual PC, but we’ve also all seen the news articles about private companies and the public sector being down for days when a nasty virus gets into the network. I’ve seen this myself a few years ago where the whole IT team and the CIO of a company were flying around the world trying to eradicate a virus that was flooding the network and killing communications.

Your risk grows further because uncontrolled internet access also allows employees to send information in and out of your organisation without control. This can be intentional, via webmail or web messenger applications such as MSN Messenger, Yahoo Messenger or Skype. Or it can be unintentional, through spyware, phishing or other vulnerabilities.

I see data leakage prevention as one of the biggest reasons to control internet access. I’ve lost count of the number of times I’ve been alerted to a customer’s employee taking a sales database or confidential documents before leaving a company. It is difficult to eliminate the risk entirely, but you can make taking data difficult. This area really falls outside the topic of this blog – if data leakage is a real concern due to the sensitive nature of your data, or your customers’ data, then look into data leakage prevention (DLP) products.

2. Legal liability

If you have copyrighted information, such as software, music, videos, even photos on your business network, your business could be legally liable for it. Even if an employee downloaded it onto the network without your knowledge or permission, the business, basically the directors, could be legally liable.

Uncontrolled internet access does, unfortunately, leave the door open to a whole host of legal issues. Creating an ‘Acceptable Use’ policy for your IT will help. An effective Employee Internet Management (EIM) system will take that further and go a long way to controlling the issue.

3. Waste of bandwidth

Your internet connections are typically the main artery for your business, the main communication line between your business, its customers, and its suppliers. If your employees are downloading non-work related files, listening to music or watching the news then you’ll be paying for that. What do you do when people say that internet browsing is slow? You typically put your hand in your pocket to ‘upgrade the line’.

I can tell you that in at least 70% of cases that I come across when people tell me they need to upgrade connectivity (internet or WAN connections) they actually don’t. They just need to route, control and shape the traffic on their networks more efficiently.

4. Reduced productivity

Your employees’ browsing the internet during work time costs your business money. The average employee spends 15 minutes a day browsing the internet during working time (excluding breaks) for non-business-related purposes. This may not seem much, but that’s 10 hours a day for a company with 40 computer-based employees.

You may say that 15 minutes a day, on top of breaks and lunchtimes, is acceptable, and that’s fine. However that’s an average, and I’ve pulled reports showing some users wasting an hour or more a day on non-work-related internet activity.

If you just say that your employees are all on the minimum wage, then it’s costing well over £1,000 per week on browsing time alone for a 40-user organisation, without taking into account loss of productivity and thus loss of potential earnings. The potential for a return on your investment in an employee internet management system should be clear from the start.

It’s not about being Big Brother and locking everything down. Why not quota your employees’ internet access for some non-work-related sites or maybe just allow them access during lunch? This can be managed with virtually all Employee Internet Management systems. If you don’t want people using work machines for non-work-related tasks, then I suggest that you allow access to dedicated ‘internet workstations’ that staff can use to, perhaps, book a holiday or check their bank balance. These workstations can be given their own internet connection or they can be secured from the main company network – most firewalls/networks can do this.

What about social media?

Should Twitter, Facebook and LinkedIn be restricted?

Facebook, Instagram and Twitter? Are these really of any use to an organisation? There will always be exceptions to the rule, but generally, I don’t see why anyone needs access during work hours. You probably wouldn’t be too happy about the whole company sitting on their desk phones chatting to their mates in the day, so why should they do the same through your IT systems?

I was asked if LinkedIn was a security risk the other day, and I guess the question more or less applies to all social media. It does tend to fall under the control of the IT security department, in terms of EIM, as it ‘can be’ classed as a productivity killer. It is often bundled into the social media categories with Facebook, Twitter, etc. Is it a risk itself to security? Not directly. You could, however, argue the social engineering card, but that could be done in other ways and you are straying into paranoia territory. There are always exceptions but generally, it’s safe in my opinion.

It all sounds pretty negative but it’s not something to panic about. I do however believe it’s worth thinking about the issues and looking at some sort of control. There is a vast array of Employee Internet Management systems on the market, some more effective, some cheaper and some more expensive than others. The ROI is usually pretty easy to measure and all vendors should offer a free trial to help you gauge the issues within your environment. I should note that I’ve seen Employee Internet Management systems pay for themselves within month 1.

Here’s a list of some EIM vendors

Many vendors now also offer cloud-based services, so you don’t have to purchase hardware and software to install on your own network. Again, your business and its operations will determine if cloud is the right solution. Typically, you’ll probably lose some level of functionality/control with the vendor-run cloud-based services compared with internal hardware/software solutions.

If you want to look at implementing some controls, then speak to your IT provider or seek expert advice. All the solutions vary, and although most solutions will control Internet access, some solutions will be better than others. Fitting the right solution depends on your business and its operations.

And remember, it’s not all about the technology. Changing employees’ internet access is a contentious issue and could lead to some unhappy people if not managed correctly. I’d suggest that you explain that the main driver for control is IT security – because it is.