Six Ways Employees Abuse the Internet at Work


Okay, it’s another hopefully productive day at the office and you’re wondering, again, why is your network so slow? Peering across the room, your employees are seemingly productive, working on the applications and information systems that typify their own business day. But something isn’t quite right. Internet response feels… sluggish, and it takes a long time to retrieve files from the network server. Just what is going on here?

Well, here’s my short-list on common workplace abuses committed by employees that can slow down the performance of your network, your server, and PC’s. These activities can sometimes go unnoticed, and these applications can sit on their workstations and operate in the background, allowing the user to switch or toggle between these and what they’re supposed to be working on; in some cases, no toggle is necessary: these applications are just working in the background, sapping the life-energy away from the company’s network.

1. Torrents, FTP Clients, and P2P File Sharing.

Torrents are files that can be downloaded to what is called a torrent client (BitTorrent is a popular application) and the user can download pirated software, videos, games, and even TV shows to their computer. Torrents are widely available and easily distributed (the Pirate Bay, for example, was recently embroiled in controversy). FTP (File Transfer Protocol) clients are software like FileZilla that allow users to download files across the Internet faster, and P2P (Peer-to-Peer) file sharing applications are tools that allow users to distribute as well as receive pirated content. All of these applications can work in the background of the computer and suck bandwidth out of the network while your employee downloads the latest “American Idol”, “Mad Men”, or ripped “Transformers 2” so they can watch it on their iPods, iPhones, or on their home PC’s. What’s worse is that they can then share what they’ve downloaded with others on the Internet, who, too, can suck bandwidth away from your network to distribute the pirated material.

2. Instant Messaging.

According to HRtools.com, 20-percent of US workers use IM at least once per week at work. The problem with IM is volume and risk. Instant Messaging is a huge time sap for undisciplined employees but it’s also a means of transferring files behind your firewall without restriction. Users connected on IM can move any form of content through the IM interface, including dragging and dropping videos, music, or documents to their friends… again, wasting time and bandwidth. Because IM bypasses all of the traditional filters we use to protect a network, IM is a security risk and a hole in the network’s natural defenses.

3. Music and Video.

Hard numbers on YouTube or Hulu-watchers at work are difficult to come by, but intuitively, we can say that the ease of watching such content online makes it all the more likely they’re being watched from work. Maybe watching one YouTube video or downloading one music file from iTunes seems harmless, but most employees who do this will rarely stop at one. They’re constantly downloading music and watching video, and if you multiply this behavior across an entire workplace, your business network has now become dedicated to delivering pop culture. And just like the previous risks that were mentioned, this content can be stored on your network servers or on the PC’s of your employees, extending your own criminal and civil liability for storing pirated content.

4. Personal Browsing/Shopping.

According to HRtools.com, 29-percent of US workers will shop online at work; 43-percent spend more than one hour shopping at work. 61% of workers will use the Internet for personal research and browsing, and 37% of those workers indicated that they’d spend more than 30 minutes doing it.

5. Blogging and Social Media.

According to HRtools.com, 9-percent of employees have a blog and nearly a quarter of them will blog while they’re at work. Meanwhile, 41-percent of workers surveyed by HRtools.com revealed that they had a Facebook, Myspace, or other social networking page, and more than 30-percent spent time on their page during the workday.

6. Gaming.

Finally, multiplayer games, online gambling, networked video games, or even lightweight arcade-style games introduced by IM software permeate the workplace.

Well, what’s the solution then? What steps can you take to prevent these kinds of distractions from being introduced into your office-place?

1. Set Policy.

You need to set acceptable use expectations. What makes these situations worse is a grandiose sense of entitlement that younger workers have towards using Internet resources. A recent study by Deloitte demonstrated that 63-percent of 18-34 year olds surveyed believe that employers have no business monitoring their online activities, particularly when it comes to social networking. Clearly this is problematic and it’s only going to get worse. If we’re to look at all of these potential abuses in aggregate, we see an extraordinary amount of time and resources that can be sucked away from employers. Setting expectations and controlling perception is the first step you can take to curb this behavior.

2. Set Technical Controls.

After expectations have been set and management has communicated their intent, then it’s important to follow that up with Technical Controls that restrict Internet usage to the level desired by management. Technology professionals can assist in putting safeguards and restrictions over Internet activity to detect, prevent, or outright prohibit the use of these applications or content.

3. Audit.

At the end of the day, we can’t take our safeguards for granted – we must investigate the network and the PC environment to guarantee management’s expectations are being enforced. At the least, that means following up on monitored activity to track down and weed out the problem performers; armed with useful information, management can take corrective action with their employee and perhaps re-align their activities to management’s expectations.
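As an added example (not part of the original article), here is one way to follow up on monitored activity: total outbound bytes per workstation from a firewall flow export and flag hosts using the default ports of the applications listed above. The log layout, the internal subnet, the volume threshold and all sample records are assumptions constructed for illustration; port matching only catches clients left on their default ports.

```python
"""Flag workstations whose outbound flows match the usage categories in the article."""
from collections import defaultdict
import ipaddress

# Constructed sample export. Assumed columns:
# timestamp  source_ip  destination_ip  destination_port  protocol  bytes
SAMPLE_LOG = """\
2009-06-15T09:02:11 10.0.0.21 203.0.113.50 6881 tcp 734003200
2009-06-15T09:05:40 10.0.0.21 198.51.100.7 6884 tcp 412000000
2009-06-15T09:07:02 10.0.0.34 192.0.2.10 21 tcp 88000000
2009-06-15T09:10:19 10.0.0.34 192.0.2.80 443 tcp 1200000
2009-06-15T09:11:45 10.0.0.47 192.0.2.80 80 tcp 950000
2009-06-15T09:12:00 10.0.0.47 198.51.100.99 5190 tcp 4500000
this line is malformed and must be skipped
2009-06-15T09:15:30 10.0.0.52 192.0.2.81 443 tcp 300000
"""

# Default ports only: a heuristic, since any of these clients can be reconfigured.
PORT_CATEGORIES = [
    (range(6881, 6890), "p2p"),      # default BitTorrent client range 6881-6889
    (range(20, 22), "ftp"),          # FTP data (20) and control (21)
    ((1863, 5190, 5222), "im"),      # MSN Messenger, AIM/ICQ, XMPP defaults
]


def classify(port):
    """Return the usage category for a destination port, or None."""
    for ports, category in PORT_CATEGORIES:
        if port in ports:
            return category
    return None


def parse_line(line):
    """Parse one flow record; return None for anything that does not fit the layout."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, port, proto, size = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "port": int(port),
                "proto": proto, "bytes": int(size)}
    except ValueError:
        return None


def audit(log_text, internal_net="10.0.0.0/24", volume_threshold=500_000_000):
    """Return (findings, skipped): flagged hosts by descending volume, and bad-line count."""
    net = ipaddress.ip_network(internal_net)
    totals = defaultdict(int)
    by_category = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count unparseable lines so gaps in the log are visible
            continue
        if rec["src"] not in net:
            continue              # only attribute traffic to our own workstations
        host = str(rec["src"])
        totals[host] += rec["bytes"]
        category = classify(rec["port"])
        if category:
            by_category[host][category] += rec["bytes"]
    findings = []
    for host in sorted(totals, key=totals.get, reverse=True):
        flags = sorted(by_category[host])
        if totals[host] > volume_threshold:
            flags.append("high-volume")
        if flags:
            findings.append({"host": host, "total_bytes": totals[host],
                             "flags": flags,
                             "category_bytes": dict(by_category[host])})
    return findings, skipped


if __name__ == "__main__":
    results, bad_lines = audit(SAMPLE_LOG)
    for item in results:
        print(item["host"], item["total_bytes"], ",".join(item["flags"]))
    print("skipped lines:", bad_lines)
```

Web video, shopping and social media all ride on ports 80 and 443, so covering those categories needs proxy or DNS logs that record hostnames rather than a port list.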

You know, it’s not like every employee is bad, that they’re wasting huge amounts of time, or even that they deliberately intend to expose the company’s network to greater risk – they may very well not understand the implications of what they’re doing. However, if left unmonitored or your expectations uncommunicated, these kinds of activities can reduce network performance, exacerbate an unhealthy sense of entitlement, and even expose the company’s assets to malware, further diminishing productivity and raising costs. Since a large part of managing your business is managing employee expectations, taking a few proactive steps like this allows you to manage your technology and your people by setting reasonable standards, and that’s good technology management.

R

Patching the Past to Protect the Present


Once in a while, somebody will ask me why Windows keeps bugging them. An icon will appear on the system tray (that space by the clock in the lower right of your screen) that announces new updates are available. New updates are available; new updates are available; new updates… “It won’t shut up,” a recent client lamented, and they were concerned that every time they allowed the update, then the system would restart, and that was just a big hassle, so it’s easier to ignore it… to put it off. Today, in fact, a user complained that they were repeatedly nagged to upgrade to Microsoft’s Internet Explorer 8, and finally when they did it, the system still wanted more updates and patches. One of her programs even announced that it was incompatible with the new version of the browser.

So what is this stuff? What’s patching all about?

Well, patching is all about downloading new versions of software code to your computer. When you install a program, it installs compiled versions of software that were great when it was first released. It’ll probably work okay, but since the program was made, flaws have been found and fixed. Patching is the act of applying fixes. Nearly all modern software on any device (phones, PC’s, game consoles, even kitchen appliances) will attempt to download those fixes if they’re connected to the Internet.  Once downloaded, the patch will unpack and over-write the older versions of software. And bingo-bango-bongo, you’re up to date.

There are various levels of patching.

1. Hotfixes usually refer to replacing a single executable or library (*.dll) file. A fix is made and published, and it’ll over-write just one file or a couple of them.

2. Packs are usually a number of files that are downloaded and updated, usually manually, and this is sometimes referred to as a “service pack”.

3. Upgrades or updates are usually even larger patches that have a lot of complex changes to them.

For the most part, many software solutions will try to patch themselves without bothering/notifying the end user. More often the end-user isn’t aware of probable inconsistencies or issues that may surround applying the patch so, hey, what do they care, and they’ll frequently just answer “yes” anyway. However, software engineers are always conscious of people who prefer to be notified when system changes are applied, and they err on the side of caution: better to tell you about it and warn the user instead of finding something doesn’t work and they have no idea why.

If you’re not really interested in the techie details of a patch, patching software may seem like a chore. “Yes” seems so obvious, and totally restarting your PC seems like a real time sink. Patching, though, really serves a great purpose, starting with – A: your stuff will likely work better if the software is up-to-date, and B: your system is less at risk than without the patch. If you’re feeling rather geeky today and want to see a listing of the vulnerabilities threatening your stuff today, visit the US Computer Readiness Team (US-CERT)’s current vulnerability list; for a real kick in the pants, review the weekly technical bulletins; and if you’re a tech professional, subscribing to these US-CERT RSS Feeds is a total must. What you’ll find is a whole slew of bad news facing your phones, PC’s, Mac’s, browser and database software… just about everything that runs on a microprocessor. And it keeps coming! It’s endless! There’s new crap every day that can hurt your computers! You see, patches fix these problems. People who don’t patch or ignore the process make their stuff more vulnerable, and they become the targets of viruses and worms that exploit the vulnerability.

Patching isn’t always easy though. Infrequently, there can be an incompatibility between the old software and the new software; something unexpected can happen to other software or devices on your system. One day something works, the next day something’s haywire, and for no obvious reason – real annoying! Luckily, that’s what technology pros help out with. Before applying patches, we research the known compatibility issues with the application portfolio (the software your company runs and that we’re managing). If there’s a known issue, we hold off, maybe do a little research, make a phone call to the vendor, or maybe just try to apply the patch on a test computer first to see if it works. Hey, if we didn’t do this due-diligence, patching could really be a lot more painful. At least we’re lookin’ out for the little guy.

And there’s a direct correlation to security here: if you wait a while to apply hotfixes, service packs, or updates, your system becomes more vulnerable over time. You’re basically patching the past to protect your present. This kind of attention is dire when looking at mission-critical assets like servers, or, the boss’ PC, but it’s real important to everyone because the effectiveness of computer security is often measured by the weakest link. A neglected, unpatched little PC in a forgotten office can become the single backdoor needed to hack your network, servers, or data. That’s why we tech guys are all about updates and patches, and why we’re often found sitting around waiting for them to be applied (either downloaded or unpacked).

So the next time you’re thinking about putting off that patching, take a spin by the US-CERT – think again. Apply your patches… take your medicine, daily if you’re paranoid but at least once a week. Take the time to let the computer help you out by applying what it thinks is good for you to have.

R

Technology Reflections Newsletter – June 2009

Technology Reflections – Fifteen

http://www.micklerandassociates.com/newsletter/fifteen.htm

R

Google Sync for Microsoft Outlook


As a follow-up to my success story with Cloud Computing, today I spent my time configuring my client’s email systems, phones, and laptops to use Google as a centralized repository for email, calendars, tasks, and contacts – essentially eliminating the need for a local Microsoft Exchange server. Making this process even easier, Google – today, in fact – released Google Sync for Microsoft Outlook.

The sync tool is a local TSR (Terminate and Stay Resident) application that loads into the system tray of your Windows station. After walking through setup, the Outlook containers are synchronized to the appropriate Google application. Changes made in Outlook are replicated to the gmail host, and vice versa, essentially eliminating the need for an Exchange Server.

Again, imagine: the ability for you and your clients to access your critical business information and email, anywhere, on any device, without investment in a server or the risk incurred for managing connectivity to a server from the Internet. Low risk, immediate capability, transitioned responsibility, contained cost, high accessibility, low management and maintenance expenses. All the best that Cloud Computing has to offer.

The sync tool is only available to Premium service customers from Google, but it’s a powerful example of what lies ahead in Cloud Computing offerings to small to midrange business computing. If you’re a CIO or the owner of a small business, this is one strategy that begs immediate consideration; watch this video and see for yourself.

R

Risking Everything: The Perils of USB Drives


I often tell this story to my students. Several years ago, a new client approached me, and she was concerned about the recent loss of her company’s financial data. When she provided further details, I learned that she was backing up her QuickBooks files to a thumb drive, and she recently lost her keys; the thumb drive was attached to her keys. As all thumb drives are immediately accessible and unencrypted, her data was unsecured and in the wild. She asked about the password on her QuickBooks file. Unfortunately, I had to explain that the password that remained on her QuickBooks file could be compromised with dozens of utilities.

But this stuff isn’t purely a small business problem. In April 2006, the LA Times reported a story on how US military flash drives – some containing top-secret military information – were being resold in Afghanistan bazaars; one reportedly included the names, addresses, and social security numbers of over 700 service members. And in 2005, MSNBC reported a data loss of 120,000 patient records from Wilcox Memorial Hospital in Kauai, Hawaii. Why? Somebody lost a thumb drive. And by extension, anything that can be used as a portable media drive (like iPods and cell phones) can also put intellectual property and confidentiality at risk.

The whole problem, of course, is convenience. Users love the immediate accessibility to their data anywhere and on nearly any computer. Critically, though, we can see the inherent risk: we are voluntarily taking data out from behind our firewall, stripping it of the user-access permissions used to safeguard its confidentiality, placing the data on an unencrypted volume, and exposing it to other computers outside of our control. So realistically, what you’re looking at is a total bypass of every security measure and safeguard that organizations have built to protect their information assets: firewalls, filters, user access restrictions, auditing controls, anti-virus, computer access restrictions, and data encryption. We risk everything for the sake of convenience. And instantly, the problem of securing the network becomes controlling user behavior and expectations – a problem bigger than programming the most complicated of firewalls.

So how can the small business address this issue? Here’s a couple of ideas to help shape expectations, control for user behavior, and better secure these assets.

1.  Create Portable Media Provisions in Your Acceptable Use Policy (AUP).

Administrative Controls are policies, procedures, and work instructions that dictate management’s intention in the work place. A common expression of management’s intention to control technology assets is through an Acceptable Use Policy. Management should write in their expectations governing portable media and have employees acknowledge their rights and obligations in this area. First and foremost, management needs to say “securing portable media is important and a risk to this company”, and that’s what the AUP is for, but the AUP also sets the expectation for taking procedural countermeasures and for taking employee disciplinary action. The AUP conveys management’s intent. Clearly, management must effectively communicate their intent to control the problem. If the intent is to completely disallow these things on the network

2. Restrict USB Access by Group Policy.

Future network management tools offer some technical controls. The newest release of Microsoft’s Windows Server 2008 has provisions within Group Policies to secure access to removable devices. Unfortunately, this only works with GPO’s within 2008 and it only works with Windows Vista client computers; the settings associated with those GPO’s aren’t translated into Windows XP.

3. Control the USB Port.

Sometimes, though, the best control is a draconian Technical Control that just prohibits the use of the USB port on the computer.  Here’s a good, free tool: USB Blocker for Windows. It’s free and works on any Windows station. A great place to install a utility like this would be on uncontrolled computers (like kiosks, or, temporary workstations). Warning: blocking USB ports like this can incur the wrath of your CEO who simply must be able to sync his Blackberry; not to worry – this software gives you a central administration tool to set variable controls over different workstations on your network, so you can be selectively draconian.

4. Encrypt the USB Drive.

The best offense is a good defense and if you simply must take data away from the safeguards of the centralized system then at least encrypt the drive. A great free tool that I’ve written about before is TrueCrypt. This puts some strong encryption over the thumb drive that is accessible by password; it can be used on any Windows platform.

5. Choose and Offer an Alternative Strategy.

Without a doubt, if management begins taking a stand on these issues and implements sweeping Technical Controls that prevent users from “working”, well, there’s going to be a legitimate complaint from the masses. So the question might become how do you allow for secure access to confidential information while users are mobile? What’s the alternative? The analytical answer to this problem is to perform a study and classify what data should be allowed on portable media and what data can’t be; this could be a form of informed compromise. Another alternative would be to allow secure intranet access where the information can still be centrally controlled but not widely distributed. Finally, another form of control could come from serializing these devices and “checking them out/in” so at least the company is aware when a data loss happens.

In conclusion, it’s really all about controlling risk. If you were to look at this problem in a larger context, it also applies to devices like laptops and minicomputers, cell phones and digital cameras. It’s difficult to fight progress: the digital world is mobile and end-users will expect to be able to work in a mobile condition and have immediate access to personal and private information. That’s a given. However, a few reasonable precautions you can take today can set behavioral expectations and control that risk so it can’t balloon out of proportion. And when you think about how interconnected your business strategy might be to the confidentiality of intellectual property, paying attention to these problems is more important than ever before.

R

Life in The Clouds – A Small Business Success Story


Two weeks ago, I was approached by a new company to set up file storage, email, and calendaring for five users. Eventually, I imagine they’ll want a website and some other web-based services. Generally speaking, the traditional approach to this problem would be to convince the company to purchase a small business server running these functions in-house; specifically, Microsoft’s Small Business Server (SBS). The SBS server would then be configured to manage these functions.

Aside from the labor to stage and deploy the server, additional expenses would be incurred. PC’s would need to be “joined” to the new server, and the network would need to be appropriately configured to allow for email and web-based traffic. Further, a backup solution would need to be introduced to provide some redundancy to the data stored on the server. They would need an anti-virus and anti-spam application for the mail server. And the server would have to be “hardened” – this is an additional step that secures the server as it transacts with other unknown computers on the Internet.

All told, the investment for the small business would traditionally be fairly high:

  • Approximate cost for a small business server ($1,700)
  • Approximate cost for SBS licensing for five users ($800)
  • Approximate cost for a local backup solution ($200)
  • Approximate cost for the antivirus/anti spam solution on year one ($300)
  • Approximate labor costs associated with managing the PC’s, staging and configuring the server, and “hardening” the server against security risk ($700)

Therefore, a start-up company like this would be out – approximately – $3,700 to gain this capability of calendaring, email, and file storage.  They would be making this investment in technology even though tech isn’t the core competency, and they’d be paying somebody like me for on-going maintenance associated with the server and the network.

Instead of going this route, I recommended a different setup. I advised that we create their domain and host the domain on Google Apps. Google Apps is a software as a service (SAAS) application. It is a professionally-managed service from Google. It securely handles email, calendaring, web-based services, file sharing, and instant messaging applications. Instead of purchasing a new server, we could use Google to host all of the company’s needs. It took me fifteen minutes to create the domain for the new company and another 1.5 hours to set up the new domain services under Google. Within that two-hour time frame, I had the five users setup with all of the desired features under their new domain. Costs:

  • Approximate domain registration cost ($20)
  • Approximate cost to setup 5 users on Google Apps – year one  ($50/user for 1 year) ($250)
  • Approximate labor cost total ($240)

The math here is pretty compelling: the same capabilities at 1/7th the cost, and they gained immediate capability after those two hours. I didn’t need to manage their network or their PC’s to use the system – it was available immediately, on any platform (Mac, Linux, or PC).  Their data is secure, professionally managed by Google and backed up by Google. Further, Google’s native email filtering takes care of the anti-virus and anti-spam problem without additional expense. And they can manage their files, email, calendaring from any computer that has Internet access – they can share their client with people inside their company, or, with customers, or anyone on the Web.  Any PC or device, like cell phones, can interact with Google natively. And to add/remove users or to set permissions on stuff, they don’t need me for that – they can manage that themselves entirely through Google.

Finally, Google has a lot of extra web-based features like blogging, videos, websites, and website analytics that can eventually be integrated – at no additional cost – with the company’s services, improving their Search Engine Marketing (SEM) and viral marketing strategies. And my job has changed as a consultant. Instead of managing the box (the server), my value is in securing PC’s and helping them integrate knowledge-based services into a single web-enabled platform managed by somebody else – Google – and at fractions of costs relative to what their competitors are spending for the same capability.

Now that’s competitive advantage. That’s using technology strategically. I had them set up in hours instead of days. It transfers IT out of their hands because it’s not what they do best, and to somebody who does it best, like Google, who can maintain it at a cost much lower than what they could normally do on their own. It contains and reduces security risks, and transitions the risk of disaster recovery away from them, again lowering costs. Now the company is “in the clouds”, operating entirely off of Google, working anywhere they have an Internet connection, and not managing a server. That’s a cost-containment edge that can help any company get a leg-up on the competition in an economy like this one.

R