One of the most difficult jobs for a security team is to limit the harm employees can do to themselves and the organisation, while still giving them scope to operate online. A recent survey we conducted of 1000 UK adults confirmed all of a security team’s worst fears about what employees are getting up to at work.
One in ten respondents admitted to visiting adult websites on a work device or while connected to a company network and a further 13 percent admitted to downloading or viewing pirated content. Putting aside the inappropriateness of these activities, adult and pirate websites are often cesspools of malware and viruses. By using them at work, employees are finding a sure-fire way to bring malware onto their company networks.
In fact, recent research from Kaspersky showed that one in four mobile users infected with malware were targeted while on adult websites, most commonly with banking Trojans. For example, earlier this year it was reported that the Panda banking Trojan – which can do nasty things including key logging, web injects, and grabbing passwords from the clipboard – was spreading through adult websites, taking people’s personal data as it went.
These are the most scandalous examples, but only the tip of the iceberg when it comes to employees potentially jeopardising their company by failing to separate their personal and professional lives. Our survey also found that 25 percent used a work email account to authorise access to other services such as games, productivity apps or social media.
While this sounds comparatively harmless, it means employees are putting their work credentials into the wild. Should one of those personal services be breached, as Yahoo or TalkTalk was, their leaked details could be harvested by cyber criminals to attack the company. People frequently use the same login details for multiple accounts, leaving the company vulnerable to brute force attacks.
Sadly, it is shocking but not surprising that employees are engaging in bad practices, and it is the security team’s job to account for human fallibility. Not only do tech teams want to stop malware and hackers getting in, they also want to protect teams from offensive, harmful or inappropriate content and make sure employees are being productive.
In this pursuit, simply blacklisting sites isn’t going to be enough – people will always find a workaround. Let’s not forget that despite a political scandal and a member of cabinet losing their job, the Westminster network is still getting 160 requests for adult sites a day. And the fringe sites employees go to are likely to be darker and more dangerous.
So, organisations need to accept that this is what employees are doing and take a smarter approach. CensorNet’s United Security Service (USS) includes Web Security, which allows organisations to manage 500 different categories of web content and billions of websites with a simple but flexible rules-based engine. This includes deep inspection of SSL-encrypted traffic, automated classification of unknown URLs, and categorisation on a page-by-page basis – all in a matter of seconds. This way, organisations can protect themselves and their employees against site visits that could put both at risk.