Assessing the Risks of End-User Downloading

Updated: April 09, 2008

Issue

Many companies provide employees with Internet access for legitimate business purposes, including research, communication with customers and suppliers, and so on. But with this access comes increased exposure to potentially ruinous hazards caused by the files that employees may download into the corporate network. Here are some notable downloadable dangers, as well as steps you can take to mitigate the risk.

Analysis

Employees are prone to download software from the Internet, either for business or personal use. An employee may download a program that he or she thinks will increase productivity, such as a scheduling program, or simply a time-wasting game that looks like fun. Either way, that executable file could harbor a virus or a Trojan horse that can wreak havoc on the user's PC and potentially spread to other machines on the network.

A virus is a self-replicating program. Once installed, it makes copies of itself and sends them to other machines on the network, often by reading the email address book of an infected machine and emailing copies of itself to everyone on the list. This form of virus replication depends on users taking some action that will download the virus and trigger its installation. Usually, the required action is as simple as clicking the infected file.

A Trojan horse does not replicate itself. Instead, it hides inside a seemingly innocuous program and performs operations in the background, unbeknownst to the user. A Trojan horse may scan an infected hard drive for passwords, financial data or other sensitive information. It will then transmit this information to a third party via the Internet.

The most important rule that users should learn is not to open any email attachment from someone that they do not know and trust. But curiosity killed the cat, and despite repeated warnings, users still click when they shouldn't.

Email clients like Microsoft Outlook attempt to counter this threat by disabling downloads of attached executable files. But savvy users may know how to change Outlook's settings so that they can continue to receive executable files.

Web links embedded in HTML-based emails are another way in which malicious software can be inadvertently downloaded. A discouraging number of users obligingly click a link when told to do so, even in an email from someone that they do not recognize.

P2P networks are popular ways to share music, videos and applications. Most companies ban the installation of P2P clients on their computers because they have few legitimate uses.

Users may think that they are safe on P2P networks if they avoid downloading executable files. But most media files — such as audio clips, videos and images — found on P2P networks are just as hazardous. They are generally protected by copyright and are being shared without the copyright owner's permission. When such illegal files are downloaded to a company computer, the company is exposed to potential legal liability for copyright infringement.

Few users realize that Web pages are also protected by copyright. Generally, the implied permission given to a viewer is for a one-time use. But many users save or print Web pages to reuse and share with others, violating the copyright owner's rights.

Many documents made available online contain copyright notices that spell out what a user may and may not do with the material. These restrictions are often ignored, as portions of copyrighted documents find their way into company literature and reports, as well as onto corporate Web pages.

Employees may download images and material that others might find offensive. Companies that permit such activity run the risk of lawsuits for sexual harassment or creating a hostile workplace.

In rare cases, child pornography may be downloaded to company computers. This activity raises serious criminal liability for the offending employee and potential civil liability for the firm that allowed access to such material.

Online gambling, which often involves downloading specialized applications, is another criminal activity that is common at work. Again, the company may be liable for allowing access to gambling Web sites.

Next Steps

Companies need to develop comprehensive policies — typically called acceptable-use policies — that spell out what activities are permitted and forbidden on company Internet connections and equipment. The policies should also disclose the employee's right to an expectation of privacy when using company equipment. Basically, employees have no such right.

Web-filtering products such as Websense Inc.'s Web Security line (formerly SurfControl) can monitor employees' Internet usage and alert management to potentially dangerous activity. The program can log all of the Web sites that employees visit, as well as all files that they download.

Blocking access to nonbusiness and high-risk Web sites is another feature that such monitoring software offers. Typically, the monitoring program comes with a database of forbidden sites that are blocked when an employee tries to access them. Some monitoring programs allow an administrator to specify which sites can be accessed and block access to all other sites.
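The two filtering modes described above (a vendor-supplied database of forbidden sites, versus an administrator-defined list of permitted sites with everything else blocked) and the download logging from the preceding paragraph can be illustrated with a small checker. The following is an added example written for this page; it is not code from Websense or any other product. The log format, the domain lists and the log entries are all constructed for the example.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed sample proxy log lines: timestamp, user, URL, bytes transferred.
# These are made-up entries for the example, not output of any real product.
SAMPLE_LOG = """\
2008-04-09T09:12:01 alice http://intranet.example.com/reports/q1.pdf 48211
2008-04-09T09:15:33 bob http://files.example-p2p.net/client/setup.exe 1992004
2008-04-09T09:20:10 carol http://www.gambling-site.example/download/casino.msi 5022000
2008-04-09T09:25:45 alice https://partner.example.org/contracts/terms.html 9122
"""

# Hypothetical "forbidden sites" database; a real product ships a much larger one.
BLOCKED_DOMAINS = {"example-p2p.net", "gambling-site.example"}
# Hypothetical allow list for the "only these sites may be accessed" mode.
ALLOWED_DOMAINS = {"intranet.example.com", "partner.example.org"}
# File extensions that Windows runs as programs when double-clicked.
RISKY_EXTENSIONS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js"}


def domain_matches(host, domains):
    """True if host is exactly a listed domain or a subdomain of one.
    Requiring a leading dot stops 'notgambling-site.example' from matching
    'gambling-site.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url, mode="blocklist"):
    """Return 'allow' or 'block' for a URL under the chosen policy mode."""
    host = urlsplit(url).hostname or ""
    if mode == "allowlist":  # default deny: only listed sites pass
        return "allow" if domain_matches(host, ALLOWED_DOMAINS) else "block"
    # default allow: only listed sites are stopped
    return "block" if domain_matches(host, BLOCKED_DOMAINS) else "allow"


def is_risky_download(url):
    """Flag URLs whose path ends in an executable extension. The query string
    is ignored, and a double extension such as invoice.pdf.exe is still caught
    because only the last extension is examined."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return ext in RISKY_EXTENSIONS


def review_log(text, mode="blocklist"):
    """Parse the constructed log format and return one finding per line."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, url, size = line.split()
        findings.append({
            "timestamp": timestamp,
            "user": user,
            "url": url,
            "bytes": int(size),
            "verdict": classify(url, mode),
            "risky_download": is_risky_download(url),
        })
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        flag = " EXECUTABLE" if f["risky_download"] else ""
        print(f"{f['verdict']:5} {f['user']:6} {f['url']}{flag}")
```

The difference between the two modes shows up on a site that appears in neither list: under the block list it is allowed, under the allow list it is blocked. Flagging executable downloads separately from the site verdict matters because an executable fetched from a site that is not forbidden is exactly the case the article warns about, and the extension check only helps if the proxy can see the path, which for HTTPS traffic requires inspection the proxy may not perform.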

The battle to prevent illegal or potentially harmful downloads never ends. Ways to circumvent monitoring software are constantly developed and disseminated via the Internet, and employees are all too willing to use them. Companies should keep their monitoring and filtering software up-to-date and stay on the lookout for unauthorized downloads on their networks.
