Education Key To Secure Internet Usage
Appropriate Web Use Vital To SME Well-Being
At most companies, employee access to the Internet is
considered just as important as access to a telephone or photocopier. However, the obvious benefits are
not without their hidden costs. The 2004 SonicWALL/Cerberian Web Usage Survey, for example, reported
that 50% of respondents spent more than 10% of their time at work surfing the Internet for personal
reasons. Despite the payback from access to online information, the Internet has emerged as an
occasional distraction to employees at best and a playground for questionable or even illegal activity
at worst. Web browsing and email habits can provide the ammunition for an attacker to exploit the
network or for an organization to be made vulnerable to legal disciplinary action because of one
employee’s illicit behavior. In either case, the final outcome is negative publicity and lost revenue.
What's a business to do? The security of today’s enterprise network is the responsibility of everyone
from the CEO to the corporate end user. Employees typically want to do what is best for their company
but they are often unsure of what they can do to assist. The answer is to raise general security
awareness and implement relevant workforce training programs, so employees become part of the overall
solution.
Acceptable Use Policy
The first step toward establishing a well-secured environment is to create a policy pertaining to
Internet usage. One of the most significant documents a small to medium-sized enterprise can produce is
its Acceptable Use Policy. It is important to review and update the AUP periodically once it has been
established. Please refer to “Acceptable Use Policy: A Roadmap, Not A Penal Code” on page 9 for in-depth
information on AUPs.
Make Employees Part Of The Plan
Workforce training is not a single event. In fact, it is really a continuous process. Employees must be
shown how their behavior can contribute to both the vulnerability and the security of the enterprise. IT
trainers should also demonstrate how the security skills learned at work can apply at home. In addition
to interactive sessions, Internet security training can include brochures, newsletter columns,
computer-based tutorials, and other methods.
The value of such training is becoming more apparent to corporate management. In the 2002 Computer
Security Institute/FBI Survey, 78% of businesses polled reported that they detected employee abuse of
Internet access privileges. That number decreased to 59% in the 2004 survey.
As a minimum, employees should be trained on the following key issues:
Internet Browsing. Understand which types of Web sites are and are not permitted. Stress that
unrestricted Web browsing, whether because of inappropriate content or because of spyware and malware,
presents a potential threat to the organization and will not be allowed. Restrictions should normally
include sites related to subjects such as entertainment, chat rooms, gaming, pornography, and gambling.
Avoid pop-ups. Exercise extreme caution when downloading any program or data. Programs should only be
downloaded from respectable, business-related sites and scanned before execution.
Email Usage. Recognize the potential security threats associated with email. All messages should
be scanned for viruses before opening. Also, do not click any links embedded within an email without
first verifying that the URL is legitimate, and never open an attachment from an unknown source. If a
message is from an unrecognized sender or domain, or the subject line appears out of place, consider the
email suspect. Understand that any email sent or received via the corporate mail system is not private
but rather the property of the firm.
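The "verify that the URL is legitimate" advice above can be turned into a concrete check that a mail gateway or help desk could run before a user clicks. The following added example (my own illustration, not code from the article or from any vendor it mentions) parses an HTML message, pulls out every link, and flags the classic warning signs: visible link text that shows one address while the href goes somewhere else, links to raw IP addresses, unexpected URL schemes, and targets outside a trusted-domain list. The sample message, the `.test` domains and the `trusted_domains` set are all constructed for the example.

```python
"""Audit the links in an email before anyone clicks them.

Added illustration for this article; the message, domains and trusted list
below are constructed, not taken from any real organization.
"""
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (.test is a reserved, never-routable TLD).
SAMPLE_EMAIL = """\
From: "Accounts Payable" <billing@example-bank.test>
To: staff@example-corp.test
Subject: Invoice overdue - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Review your invoice at
<a href="http://login.example-bank.test.evil-host.test/inv">https://www.example-bank.test/invoices</a></p>
<p>Or see <a href="https://www.example-bank.test/help">our help page</a>.</p>
<p><a href="http://203.0.113.10/update">Update your details</a></p>
</body></html>
"""

# Link text that itself looks like a URL or hostname deserves a closer look.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host; a rough stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(raw_message, trusted_domains):
    """Return (sender_domain, findings); each finding lists why a link is suspect."""
    msg = message_from_string(raw_message, policy=policy.default)
    # The From header is easily forged, so the sender domain is only a weak signal.
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    html = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append(f"unexpected scheme {target.scheme!r}")
        if is_ip_literal(host):
            reasons.append("target is a raw IP address")
        if LOOKS_LIKE_URL.fullmatch(text):
            # Visible text that looks like an address must agree with the real target.
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if shown.lower() != host:
                reasons.append(f"text shows {shown} but link goes to {host}")
        if registrable_domain(host) not in trusted_domains:
            reasons.append(f"{host} is not a trusted domain")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return sender_domain, findings


def suspicious_hrefs(raw_message, trusted_domains):
    """Just the links a user should not click without checking with IT."""
    return [f["href"] for f in audit_links(raw_message, trusted_domains)[1] if f["reasons"]]


if __name__ == "__main__":
    sender, results = audit_links(SAMPLE_EMAIL, {"example-bank.test", "example-corp.test"})
    print("sender domain:", sender)
    for item in results:
        print(item["href"], "->", item["reasons"] or "ok")
```

Run against the constructed message, the first link is flagged twice (its text shows `www.example-bank.test` while the href lands on `evil-host.test`, which is also not trusted), the help-page link passes, and the raw-IP link is flagged. The registrable-domain approximation is deliberately simple; a production check would use a public-suffix list so that a domain like `example.co.uk` is handled correctly.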
Privacy. Do not transfer proprietary corporate information across the Internet via any means
other than those authorized by the organization. Workforce training should include information on how to
avoid attempts at social engineering and fraud such as phishing.
Passwords. Change passwords frequently and use a unique combination of letters and numbers.
Home Use. The lines between work and home are somewhat blurred, as work often travels in both
directions. Employees should be trained to practice safe computing techniques at home, as well as at
work. This includes installing a firewall and antivirus software at a minimum and keeping up-to-date
with all security patches and virus definitions. If you use removable storage, such as a CD-ROM, USB
key, or floppy, to transfer files between home and the job, it is imperative that you scan the data at
both locations.
Sounding The Alarm. Train employees on what to do if they suspect any form of a security breach
or other Internet threat. Encourage staff to report such concerns to the firm’s information security
officer or other appropriate management. Even if there is a doubt regarding the veracity of an alleged
threat, it is better to sound the alarm and be wrong than ignore the danger altogether.
Content Filtering
Web-filtering software solutions, such as those offered by WebSense and SurfControl, can also play a
role in workforce education. Such products benefit both the firm and the employee. When browsing, it’s
common to find yourself being redirected to a site other than what you expected to see, whether it is
via a URL redirect or a simple typing error. No matter the reason for the indiscretion, the employee
receives a blocked site notification. This serves as a gentle (or not so gentle) reminder of the
corporate Internet usage policy. If an employee has a legitimate need to access a restricted site or a
category of similar sites, he can submit a request for access, which may be granted if applicable.
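To make the mechanism in the paragraph above concrete, here is an added example (my own illustration, not code from the article or from the Websense or SurfControl products it names) of the decision a category-based Web filter makes for each request: normalize the host, look it and its parent domains up in a category database, block the categories the Acceptable Use Policy forbids with a notice to the user, and honour time-limited exceptions granted through the access-request process. The `CATEGORY_DB` entries, the blocked category list, the `.test` hosts and the `WebFilter` class are all constructed for the example; a real product ships a large, continuously updated database.

```python
"""Category-based Web filter decision with a request-for-access path.

Added illustration for this article; the category data, policy and class
below are constructed and do not describe any real filtering product.
"""
import ipaddress
import time
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Categories the (illustrative) Acceptable Use Policy does not permit.
BLOCKED_CATEGORIES = {"gambling", "adult", "gaming", "chat"}

# Constructed category database keyed by host suffix.
CATEGORY_DB = {
    "casino-example.test": "gambling",
    "games-example.test": "gaming",
    "news-example.test": "news",
    "example-corp.test": "business",
}


def normalize_host(url):
    """Lower-case the host, drop the port and trailing dot, tolerate a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def parent_domains(host):
    """Yield the host and each parent domain, most specific first (TLD alone excluded)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def categorize(host):
    """Match the host or any parent domain against the category database."""
    try:
        ipaddress.ip_address(host)
        return "uncategorized"  # raw IP literals never appear in a domain database
    except ValueError:
        pass
    for candidate in parent_domains(host):
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


@dataclass
class Decision:
    allowed: bool
    category: str
    notice: str = ""


@dataclass
class WebFilter:
    blocked: set = field(default_factory=lambda: set(BLOCKED_CATEGORIES))
    # (user, host) -> expiry timestamp of an approved access request
    exceptions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant_exception(self, user, host, approver, days, now=None):
        """Record an approved access request; it expires so it must be re-justified."""
        now = time.time() if now is None else now
        self.exceptions[(user, normalize_host(host))] = now + days * 86400
        self.audit_log.append(("exception", user, normalize_host(host), approver))

    def _exception_valid(self, user, host, now):
        return any(
            self.exceptions.get((user, candidate), 0) > now
            for candidate in parent_domains(host)
        )

    def decide(self, user, url, now=None):
        """Allow or block one request, logging every outcome for later review."""
        now = time.time() if now is None else now
        host = normalize_host(url)
        category = categorize(host)
        if category in self.blocked:
            if self._exception_valid(user, host, now):
                self.audit_log.append(("allow-exception", user, host, category))
                return Decision(True, category)
            self.audit_log.append(("block", user, host, category))
            return Decision(False, category,
                            f"Access to {host} is blocked by the Internet usage policy "
                            f"(category: {category}). Submit an access request if you "
                            f"have a business need.")
        self.audit_log.append(("allow", user, host, category))
        return Decision(True, category)


if __name__ == "__main__":
    f = WebFilter()
    print(f.decide("alice", "http://WWW.Casino-Example.TEST:80/play").notice)
    f.grant_exception("alice", "casino-example.test", approver="infosec", days=7)
    print(f.decide("alice", "http://www.casino-example.test/play").allowed)
```

Two design points carry over to real deployments: the audit log records blocks and exception use, which is where the "gentle reminder" becomes measurable, and a request to an uncategorized host (a mistyped domain, or a raw IP address) is allowed but logged here; a stricter policy would block uncategorized hosts as well.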
The primary issue isn’t whether to provide Internet access to employees but rather how to efficiently
and safely manage the access. A continued commitment to security awareness training is just as essential
as the underlying technology infrastructure. Once properly trained, employees will become a core
component of any enterprise security program.
by Joseph Pasquini
Best Way Employees Can Help
Employees need to understand and embrace the need for security as it relates to Internet usage
at both work and at home. Many of the techniques used in a properly secured and monitored
corporate environment can also be applied to online activities at home, such as virus scanning,
spam filtering, use of software/hardware firewalls for home broadband connections, and avoidance
of phishing attempts.
Factors To Consider
• Develop a realistic and enforceable Acceptable Use Policy for Internet access
• Conduct and update employee training sessions on a regular basis
• Implement Web content-filtering software to protect both employees and the organization
against potential disciplinary and/or legal action
• Foster a corporate culture of security awareness that addresses employees’ concerns both at
work and at home