Top 37 business risks with uncontrolled Internet usage

No one in IT really wants to be the Internet Police – granted. In fact, the less we know about our colleagues’ web surfing habits, the happier we will probably be. Sometimes there really is such a thing as ‘too much information’.

However, it is our responsibility to safeguard our company’s resources, and that includes both confidential information stored on our server and the workstations that use our network, so we do have to take certain actions to protect ourselves and our coworkers from the worst of the web.

The combination of an acceptable usage policy and web filtering software helps guard against the web threats that are out there. What are these ‘web threats’? There are several risks associated with uncontrolled Internet usage. Below you will find 37 of them, grouped into eight categories. Some could be included in more than one category, and in that case, I have them listed where I think they do the most harm.

Malware

1. Viruses

Most infected files these days are downloaded from the Internet. Whether the user is trying to get an application for their job or a new screensaver, downloads that have not been scanned are bad news.

2. Trojans

Many Internet downloads contain remote access Trojans or spam mailers, designed to give bad guys access to your data and resources.

3. Cross-site scripting

Cross-site scripting (XSS) injects attacker-controlled script into a page on a site the user trusts, so it runs in the browser with that site’s privileges. Up-to-date antivirus software does not help here: the injected script can steal session cookies, rewrite a legitimate form so that whatever the user types is sent to the attacker, or present malicious content on a page the user believes is safe.

4. Tracking

Complete privacy on the Internet is not practical, but handing your complete web history to advertisers is not a good idea either.

5. Botnets

Infected computers become bots (‘zombies’) that regularly contact their command and control servers for orders, which is why unexplained, periodic outbound connections from a workstation deserve a closer look.

6. Spyware and adware

Keyloggers, browsing-history harvesters and pop-up ads are all part of the fun of surfing to the wrong places on the web today.
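The botnet item above describes zombies phoning home to a command and control server on a schedule. The following is an added example, not code from the original article or from GFI: it scans proxy log lines for client/host pairs whose request timing is machine-regular (low coefficient of variation of the inter-request interval), which is the simplest signal of beaconing. The log format, the hosts and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not from any real system): ISO timestamp, client IP, destination host.
# The 10.0.0.12 -> update.badhost.test requests arrive every five minutes; the rest are human browsing.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.0.0.12 www.example.com
2011-03-01T09:00:07 10.0.0.12 cdn.example.net
2011-03-01T09:05:00 10.0.0.12 update.badhost.test
2011-03-01T09:10:00 10.0.0.12 update.badhost.test
2011-03-01T09:15:01 10.0.0.12 update.badhost.test
2011-03-01T09:12:44 10.0.0.12 www.example.com
2011-03-01T09:20:00 10.0.0.12 update.badhost.test
2011-03-01T09:24:59 10.0.0.12 update.badhost.test
2011-03-01T09:30:00 10.0.0.12 update.badhost.test
2011-03-01T09:33:10 10.0.0.12 news.example.org
2011-03-01T09:41:02 10.0.0.12 www.example.com
"""


def parse_log(text):
    """Parse 'timestamp client host' lines into (datetime, client, host) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, host = line.split()
        records.append((datetime.fromisoformat(ts), client, host))
    return records


def find_beacons(records, min_hits=5, max_cv=0.1, allowlist=()):
    """Return (client, host, mean_interval_seconds, cv) for pairs with suspiciously regular timing.

    cv is the coefficient of variation (population stddev / mean) of the gaps between
    consecutive requests: human browsing gives a high cv, a timer-driven bot a very low one.
    Hosts in `allowlist` (known updaters, monitoring agents) are skipped because they beacon too.
    """
    by_pair = defaultdict(list)
    for ts, client, host in records:
        if host in allowlist:
            continue
        by_pair[(client, host)].append(ts)

    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:          # too few samples to judge regularity
            continue
        times.sort()                       # logs are not guaranteed to be in time order
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits.append((client, host, avg, cv))
    return hits


if __name__ == "__main__":
    for client, host, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: every {avg:.0f}s (cv={cv:.3f})")
```

On the constructed log this flags only the five-minute beacon to update.badhost.test; the three visits to www.example.com fall below `min_hits`. In practice the allowlist matters as much as the threshold, since antivirus updaters and patch agents check in on fixed timers and will otherwise top the list.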

Phishing sites

7. Identity Theft

Many phishing sites collect personal information that is then used to impersonate the victim.

8. Financial loss

Other phishing sites may be after credit card or bank account details for immediate financial gain.

9. Social engineering

There are sites built to harvest usernames and passwords for webmail, online banking and remote access systems, which attackers then use for further nefarious deeds.

Inappropriate content

10. Pornography

What users do at home is their own business; what they do at work could get the company sued.

11. Racial hatred

It’s a shame that in 2011 racism is still rife; in the workplace it can lead to a hostile work environment suit.

12. Religious intolerance

Much like racial hatred, religious intolerance of any faith has no place at work, and could also lead to a hostile work environment.

13. Alcohol, tobacco and drug related sites

Unless you work in the industry, there is little chance these topics are work related, and if they arise within the workplace they could cause tension among employees.

Data loss prevention

14. WikiLeaks type sites

The company’s confidential information won’t stay confidential for long if it is posted to a public site and makes the evening news.

15. Forums

Disgruntled employees may think they are harmlessly venting when they rant on a forum, but the company’s reputation may suffer as a result.

16. Blogs

Company approved blogs are good; technical blogs are too. But a user blogging at work (unless that’s their job) is wasting time, and might be posting confidential information not yet ready for public release.

17. Instant messaging

An approved corporate IM solution is a valuable communications tool; unrestricted access to public services can present many risks, including IM spam, malicious links and data leakage.

18. P2P

Peer to peer software can be useful, but too often a user shares their entire hard drive, making all the company documents on it available to others.

19. Online storage

If a user needs to store data with an online storage company, that data is now outside the company’s control. You’re not backing it up, searching and indexing it, and you cannot retrieve it if the employee leaves. Unless approved by the company, users should never be allowed to use cloud storage services.

20. Webmail

Companies that run DLP solutions on their email system do so to make sure nothing is emailed that presents a risk, such as intellectual property (IP), non-public information (NPI) or other sensitive data. Letting users access webmail gives them a way around this, and also risks them using personal email for company business.

Lost productivity

21. Social Networking

Checking a Facebook wall post may sound like a one-minute thing, but it can turn into hours per week, as users tend to do other things once there, such as commenting on or following their friends’ status updates, images, videos and so on.

22. Auctions

Submitting a bid might take only seconds at the start of an auction, but users can burn hours checking on a long-running auction, or staying on until the close to make sure they aren’t outbid.

23. Gaming

No explanation needed here: an innocent five-minute break to play an online game can turn into long wasted hours.

24. Gambling

Just as with online gaming, but with the added concern that this could lead to legal issues.

25. Dating

Dating sites can become attention traps, leading a user to spend the entire day checking out their possibilities rather than focusing on their job.

26. Software downloads

Any software a user needs should come from IT, to ensure it is licensed, appropriate for the task, supportable, and doesn’t crash their PC or a line-of-business (LOB) application.

27. Daytrading and investment sites

Another category that seems harmless at first, until the user spends all morning waiting for the exact moment to buy or sell.

28. Employment sites

If they want to hunt for another job, they really need to do that on their own time.

29. Online shopping

Here’s one you may want to allow a limited amount of access to, especially during the holidays, but you don’t want users to spend all day shopping when they should be working.

Copyright violations

30. Torrent sites

BitTorrent is a very useful protocol for distributing ISOs of open source operating systems, but too often it is used to distribute movies and music. This could go under bandwidth crushers, but the bigger risk is that your company gets sued by the MPAA or RIAA.

31. Warez

Unlicensed software can cost a company millions of dollars in fines. If a user needs an application to do their job, make sure that IT is buying it legitimately and licensing it appropriately. The BSA does take legal action.

Bandwidth crushers

32. Internet radio

A single user streaming music may not use much bandwidth, but when the entire office is doing it, the total can quickly saturate a pipe.

33. Sporting events

I once worked for a company that only blocked one thing – the NCAA Final Four Basketball Tournament. Every year we had to scramble to block every possible way it could be viewed online because it not only killed productivity, it took out the campus DS3.

34. TV and movie sites

Some folks might be able to work with the TV on in the background; most can’t really work well though, and the amount of aggregate bandwidth several simultaneous streaming movies can consume can quickly use up the entire circuit.

Policy violations

35. Anonymizers

You can argue that anonymizers exist to protect users’ privacy, but it is hard to argue that users need that privacy while surfing at work. Whatever they are doing online, if they need an anonymizer service to do it, it probably isn’t work related.

36. Open proxies

Here’s another case where the likelihood that whatever they are doing is work related approaches zero. Open proxies really only help you hide your actions or reach content that is not licensed for your actual country. In either case it’s not work-related activity, and traffic tunnelled through an open proxy also bypasses every category rule in your web filter.

37. IM portals

If you are blocking instant messaging, the easiest way to get around that is for a user to hit the service’s web portal or one of the many IM aggregation portals that exist. Blocking these helps ensure you are restricting IM access.

You don’t need to block 100% of all sites within all of these categories. A certain amount of recreational Internet access can go a long way towards improving employee morale, and if it doesn’t cause a productivity issue, and all users obey the rules, there’s no harm for most organizations. Look for web filtering software that can permit a certain amount of recreational use, either by total time or bandwidth used.
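To make the ‘block the risky categories, ration the recreational ones’ policy concrete, here is an added example written for this article; it is not GFI’s filtering code and the category database, domains and budgets are constructed. It classifies each request by longest domain suffix, blocks the malware, phishing, inappropriate-content and policy-violation categories outright, and allows recreational categories only while the user stays under a daily budget of active minutes and bytes. Time spent is approximated as the number of distinct minutes with recreational traffic, which is a simplification rather than any vendor’s accounting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical category database: a real filter ships its own; these .test domains are constructed.
CATEGORIES = {
    "malware.test": "malware",
    "phish.test": "phishing",
    "adult.test": "pornography",
    "hideme.test": "anonymizer",
    "social.test": "social_networking",
    "shop.test": "online_shopping",
    "radio.test": "streaming",
    "intranet.corp.test": "business",
}

# Categories carrying malware, phishing, legal or policy risk are blocked outright ...
BLOCKED = {"malware", "phishing", "pornography", "warez", "anonymizer", "open_proxy", "im_portal"}
# ... while purely recreational ones are allowed up to a per-user daily budget of time and bytes.
RECREATIONAL = {"social_networking", "online_shopping", "streaming", "gaming"}
DAILY_MINUTES = 30
DAILY_BYTES = 50 * 1024 * 1024


def categorize(host):
    """Longest-suffix lookup, so www.social.test inherits the category of social.test."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        category = CATEGORIES.get(".".join(parts[i:]))
        if category:
            return category
    return "uncategorized"


def evaluate(requests):
    """Decide each (timestamp, user, host, bytes) request; returns (user, host, decision) tuples.

    Decisions are 'block:<category>', 'quota:<category>' or 'allow:<category>'.
    Active time is the count of distinct minutes with recreational traffic (a simplification).
    """
    active_minutes = defaultdict(set)   # (user, date) -> minute keys with recreational traffic
    bytes_used = defaultdict(int)       # (user, date) -> recreational bytes transferred
    decisions = []
    for ts, user, host, nbytes in requests:
        category = categorize(host)
        if category in BLOCKED:
            decisions.append((user, host, f"block:{category}"))
            continue
        if category in RECREATIONAL:
            key = (user, ts.date())
            projected_minutes = active_minutes[key] | {ts.strftime("%H:%M")}
            if len(projected_minutes) > DAILY_MINUTES or bytes_used[key] + nbytes > DAILY_BYTES:
                decisions.append((user, host, f"quota:{category}"))
                continue
            active_minutes[key] = projected_minutes
            bytes_used[key] += nbytes
        decisions.append((user, host, f"allow:{category}"))
    return decisions


def sample_requests():
    """Constructed traffic for one day; not captured from any real network."""
    base = datetime(2011, 3, 1, 12, 0)
    reqs = [
        (base, "alice", "intranet.corp.test", 4096),
        (base, "alice", "www.hideme.test", 512),
        (base, "carol", "login.phish.test", 512),
    ]
    # alice: 35 consecutive minutes on a social site against a 30-minute budget
    reqs += [(base + timedelta(minutes=m), "alice", "www.social.test", 20_000) for m in range(35)]
    # bob: three 20 MB streaming pulls against a 50 MB daily cap
    reqs += [(base + timedelta(minutes=10 * k), "bob", "radio.test", 20 * 1024 * 1024) for k in range(3)]
    return reqs


if __name__ == "__main__":
    for user, host, decision in evaluate(sample_requests()):
        print(f"{user:6} {host:22} {decision}")
```

Run on the constructed traffic, alice’s anonymizer and carol’s phishing requests are blocked, alice gets 30 minutes of social networking before the quota kicks in, and bob’s third 20 MB stream trips the byte cap. The decisions come back as data rather than being printed, so the same function can drive a proxy’s deny page or a daily usage report.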

“Nothing in excess” is a good rule of thumb for those categories that don’t present a risk of data loss or malware infection. While uncontrolled Internet access presents many risks, a good web filtering solution and appropriate policies can mitigate those while still letting users surf the web.

Emmanuel Carabott CISSP heads security research at GFI Software. He has over 12 years’ experience in the security field and is a regular contributor to several websites and blogs.