Assessing the Risks of End-User Downloading

Updated: April 09, 2008


Many companies provide employees with Internet access for legitimate business purposes, including research, communication with customers and suppliers, and so on. But with this access comes increased exposure to potentially ruinous hazards caused by the files that employees may download into the corporate network. Here are some notable downloadable dangers, as well as steps you can take to mitigate the risk.


Employees are prone to download software from the Internet, either for business or personal use. An employee may download a program that he or she thinks will increase productivity, such as a scheduling program, or simply a time-wasting game that looks like fun. Either way, that executable file could harbor a virus or a Trojan horse that can wreak havoc on the user's PC and potentially spread to other machines on the network.

A virus is a self-replicating program: once run, it inserts copies of itself into other programs or files on the machine. The mass-mailing variety also reads the email address book of the infected machine and mails a copy of itself to everyone on the list. This form of replication depends on a user taking some action that downloads the virus and triggers its installation, and usually that action is as simple as opening the infected attachment.

A Trojan horse does not replicate itself. Instead, it hides inside a seemingly innocuous program and performs operations in the background, unknown to the user. A Trojan horse may scan the infected hard drive for passwords, financial data or other sensitive information and then transmit that information to a third party via the Internet.

The most important rule that users should learn is not to open any email attachment that they were not expecting. Trusting a familiar sender is not enough: a mass-mailing virus sends itself from an infected acquaintance's machine, under that person's name, and the From: address of an email is trivially forged in any case. But curiosity killed the cat, and despite repeated warnings, users still click when they shouldn't.

Email clients like Microsoft Outlook attempt to counter this threat by blocking access to attachments whose file extensions mark them as executable (.exe, .bat, .vbs and so on). But the block is only a list of extensions: savvy users may know how to change Outlook's settings (or edit the registry) so that they can continue to receive such files, and a sender can sidestep the list by renaming the file or wrapping it in a .zip archive.
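As an added example (not code from the original article or from any mail client), the following Python sketch shows the kind of attachment screening a mail gateway does and why an extension list alone is weak: it judges the file by its real last extension after stripping the trailing dots and spaces Windows ignores, rejects names carrying the right-to-left-override character that makes "photo[RLO]gpj.exe" display as "photoexe.jpg", and then looks at the file content so that an executable renamed to .txt is still caught. The blocked-extension list, the MZ header check and the sample attachments are constructed assumptions for this example.

```python
"""Mail-gateway attachment screening: extension list plus content check (example)."""

# Constructed subset of the extensions an Outlook-style filter blocks.
BLOCKED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "jse", "wsf",
    "hta", "msi", "cpl", "lnk", "reg",
}

# Windows PE executables begin with the two bytes "MZ" whatever the file is called.
MZ_MAGIC = b"MZ"

# Unicode RIGHT-TO-LEFT OVERRIDE, used to make the displayed name lie about the extension.
RLO = "\u202e"


def real_extension(filename):
    """Return the extension Windows would act on, lower-cased, or '' if none.

    Trailing dots and spaces are stripped because Windows drops them when
    saving, so 'Setup.EXE ' is an .exe file; 'invoice.pdf.exe' is an .exe too.
    """
    name = filename.strip().rstrip(". ").lower()
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1] if "." in base else ""


def screen_attachment(filename, data):
    """Return a verdict: 'blocked-name', 'blocked-extension', 'blocked-content' or 'allowed'."""
    if RLO in filename:
        # The name was crafted to be displayed differently from how it is stored.
        return "blocked-name"
    if real_extension(filename) in BLOCKED_EXTENSIONS:
        return "blocked-extension"
    if data[:2] == MZ_MAGIC:
        # Content check: a renamed executable ('setup.txt') still carries the MZ header.
        return "blocked-content"
    return "allowed"


# Constructed sample attachments (name, first bytes of content).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("setup.txt", b"MZ\x90\x00\x03\x00"),
    ("Setup.EXE ", b"MZ\x90\x00"),
    ("photo" + RLO + "gpj.exe", b"MZ\x90\x00"),
    ("notes.TXT", b"meeting at 10\n"),
]


def screen_samples():
    """Screen every constructed sample and return {filename: verdict}."""
    return {name: screen_attachment(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, verdict in screen_samples().items():
        print(f"{verdict:18} {name!r}")
```

Archives are deliberately not handled here; a real gateway has to unpack .zip attachments (and refuse encrypted ones it cannot inspect) and apply the same checks to each member.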

Web links embedded in HTML-based emails are another way in which malicious software can be inadvertently downloaded. A discouraging number of users obligingly click a link when told to do so, even in an email from someone that they do not recognize.

P2P networks are popular ways to share music, videos and applications. Many companies ban the installation of P2P clients on their computers because they have few legitimate business uses, and because a carelessly configured client can share the contents of a corporate disk with everyone on the network.

Users may think that they are safe on P2P networks if they avoid downloading executable files. But the media files found there, such as audio clips, videos and images, carry risks of their own. Most are protected by copyright and are being shared without the copyright owner's permission, so when such files are downloaded to a company computer, the company is exposed to potential legal liability for copyright infringement. And a file advertised as a song or video may in fact be an executable with a misleading name.

Few users realize that Web pages are also protected by copyright. Generally, the implied permission given to a viewer is for a one-time use. But many users save or print Web pages to reuse and share with others, violating the copyright owner's rights.

Many documents made available online contain copyright notices that spell out what a user may and may not do with the material. These restrictions are often ignored, as portions of copyrighted documents find their way into company literature and reports, as well onto corporate Web pages.

Employees may download images and material that others find offensive. Companies that permit such activity run the risk of lawsuits for sexual harassment or for creating a hostile work environment.

In rare cases, child pornography may be downloaded to company computers. This activity raises serious criminal liability for the offending employee and potential civil liability for the firm that allowed access to such material.

Online gambling, which often involves downloading specialized applications, is another activity common at work that is illegal in many jurisdictions. Again, the company may be liable for allowing access to gambling Web sites.

Next Steps

Companies need to develop comprehensive policies, typically called acceptable-use policies, that spell out what activities are permitted and forbidden on company Internet connections and equipment. The policy should also state plainly what expectation of privacy employees have when using company equipment. In most cases the answer is none, and putting that in writing is what preserves the company's ability to monitor.

Web-filtering products such as Websense Inc.'s Web Security line (formerly SurfControl) can monitor employees' Internet usage and alert management to potentially dangerous activity. Such a product can log every Web site that employees visit and every file that they download.

Blocking access to nonbusiness and high-risk Web sites is another feature that such software offers. Typically it ships with a vendor-maintained database of forbidden sites, grouped by category, and blocks the request when an employee tries to reach one of them (a denylist). Some products instead let an administrator specify which sites may be accessed and block everything else (an allowlist), which is stricter but needs more upkeep.
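The monitoring and blocking logic described above, as an added example that is not part of the original article or any vendor's product: a Python script that reads web-proxy access-log lines (a constructed Squid-style layout), flags visits to a denylist of domains or, in allowlist mode, to anything not explicitly permitted, and reports executable downloads that were actually delivered, judged by the URL's extension or by the Content-Type the server sent. The domain lists, MIME types and log lines are constructed assumptions.

```python
"""Flag risky downloads and blocked-site visits in proxy access logs (example)."""
from urllib.parse import urlsplit

# Constructed stand-in for a filter vendor's database of forbidden sites.
DENYLIST = {"gambling.example", "p2ptracker.example"}

# Signs that an executable reached the client: URL extension or server MIME type.
EXEC_EXTENSIONS = {"exe", "msi", "scr", "bat", "cmd", "pif", "com"}
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/x-msi"}


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Parse one Squid-native-style line: ts elapsed client code/status bytes method url user hier/peer type."""
    f = line.split()
    if len(f) < 10:
        return None
    _, _, status = f[3].partition("/")
    return {
        "client": f[2], "status": int(status), "bytes": int(f[4]),
        "method": f[5], "url": f[6], "user": f[7], "ctype": f[9],
    }


def classify(rec, denylist=DENYLIST, allowlist=None):
    """Return the list of alert reasons for one parsed record (empty means clean)."""
    reasons = []
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    if allowlist is not None and not domain_matches(host, allowlist):
        reasons.append("not-on-allowlist")          # allowlist mode: block everything else
    elif domain_matches(host, denylist):
        reasons.append("denylisted-site")           # denylist mode: block known-bad categories
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Only count a download the proxy actually served; a TCP_DENIED/403 delivered nothing.
    delivered = rec["status"] == 200 and rec["bytes"] > 0
    if delivered and (ext in EXEC_EXTENSIONS or rec["ctype"] in EXEC_TYPES):
        reasons.append("executable-download")
    return reasons


def analyze(lines, denylist=DENYLIST, allowlist=None):
    """Return (user, reason, url) tuples for every alert found in the log lines."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in classify(rec, denylist, allowlist):
            alerts.append((rec["user"], reason, rec["url"]))
    return alerts


# Constructed sample log lines (not a real capture).
SAMPLE_LOG = """\
1207692000.123    145 10.0.0.15 TCP_MISS/200 524288 GET http://downloads.example.net/tools/sched.exe jsmith DIRECT/203.0.113.9 application/x-msdownload
1207692011.402     61 10.0.0.15 TCP_HIT/200 18422 GET http://www.example.com/index.html jsmith NONE/- text/html
1207692030.771    210 10.0.0.22 TCP_MISS/200 7310 GET http://play.gambling.example/lobby rlee DIRECT/203.0.113.44 text/html
1207692044.009    330 10.0.0.22 TCP_MISS/200 3920012 GET http://cdn.example.org/media/song.mp3 rlee DIRECT/203.0.113.80 audio/mpeg
1207692051.530     97 10.0.0.31 TCP_MISS/200 811008 GET http://files.example.net/d/installer tkim DIRECT/203.0.113.12 application/x-msdownload
1207692060.115      2 10.0.0.31 TCP_DENIED/403 0 GET http://mirror.example.net/pub/setup.exe tkim NONE/- text/html
""".splitlines()


if __name__ == "__main__":
    for user, reason, url in analyze(SAMPLE_LOG):
        print(f"{user:8} {reason:20} {url}")
```

The fifth sample line is why the Content-Type check matters: the URL has no extension at all, so a filter keyed on ".exe" in the URL would miss it, while the MIME type the server sent gives it away. The denylist catches the gambling site on the third line, and the last line is a blocked request that transferred no bytes, so it is not reported as a download even though the URL ends in .exe.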

The battle to prevent illegal or potentially harmful downloads never ends. Ways to circumvent monitoring software are constantly developed and disseminated via the Internet, and employees are all too willing to use them. Companies should keep their monitoring and filtering software up-to-date and stay on the lookout for unauthorized downloads on their networks.
