What are your employees doing on your network systems?

Monitor activities to protect your organization from viruses, liability and disgruntled workers

By Kelly Sullivan | December 2009
A new survey by international e-mail and security software provider GFI Software has found that almost half of the small businesses surveyed—including nonprofits—underestimate the impact that uncontrolled access to the Internet and e-mail can have on their organizations.

The perception of what constitutes a security threat by some organizations is flawed, said David Kelleher, the communications and research analyst at GFI Software. “Many organizations only think about who might be trying to hack in from the outside—snooping. But with daily employee use of laptops, mobile devices, USB sticks and home usage where children have access to the computer, the threats become massive in size,” he said.

With so much at risk, Kelleher recommends that organizations have policies and software in place to monitor employee activity, ensuring network security and productivity levels and providing assistance to human resources.

In terms of security, he said, the threats are wide and varied. For instance, employees may come in 10 minutes early, have their coffee, check their Facebook pages and unknowingly download malware—malicious software—onto their computers. That code could be effecting changes to the operating system, replicating itself over the network, and adding the infected machine to a Botnet—a network of infected machines used by spammers to send out spam. Other malware can make subtle changes to a computer’s settings, Kelleher said, and deactivate antivirus software, blocking security measures in place or preventing other updates from downloading. Kelleher said a good example of this intrusion was the Conficker worm that spread across the country during the spring of this year. Although the outcome was not as serious as expected, it still infected more than 10 million machines, raising awareness on how one single piece of malware could cripple whole networks. The more malicious the intent, the greater the risk.

“Phishing” is another threat that employers and employees need to be cognizant of: an individual is sent a seemingly harmless e-mail and asked to respond using a link. “The link may look exactly like the authentic Web site,” Kelleher said, “but once redirected, users are asked to provide or update personal information, which can then be used in identity theft.”

But it isn’t just e-mail. “Employees also need to be aware of the Web sites they visit,” Kelleher said. “They may click on what they think is an innocent link and be redirected to a site that will download infected code, or hijack them to pornographic sites or other fake sites that are also infected.” A security threat isn’t the only reason insider usage should be carefully monitored. Internet and e-mail usage by employees can significantly drain resources and affect productivity.

Recently there has been an increase in rogueware. A box appears on the user’s screen stating that the machine has been infected with a virus. It encourages the user to download the software, which can only be removed when the person purchases it. Playing on people’s fears is proving to be a highly effective mechanism for cybercriminals.

“There is a strong correlation between security and productivity. Imagine if that same employee checking their Facebook account did so for an hour a day. Now imagine that you have 50 employees and eight of them are checking their pages for an hour a day. You’ve just paid for a full day of work when no one was actually working. Imagine then if that became two, or two-and-a-half hours a day, per person. The costs quickly add up,” Kelleher said.

The same goes for employees shopping online. According to Kelleher, up to 40 percent of Internet browsing is non-work-related, especially on Cyber Monday, the first Monday after Thanksgiving. Kelleher said that if 10–15 employees shop for an hour a day over 365 days, the impact on productivity is significant.

Once a system is infected, the cost to eradicate a virus or worm can be devastating to a small or medium-sized organization working on an already strained budget. Imagine if your organization had to shut down work for a half-day, a day, or longer, while an infected system was wiped clean, Kelleher said. Do you have employees with grandchildren, or who are music lovers, or budding filmmakers? Consider the cost of purchasing extra bandwidth because employees are downloading YouTube streaming videos.

“Most organizations purchase a specific allotment of bandwidth and if they go over their limit, it can be expensive,” Kelleher said. “The more bandwidth an employee uses, the more he is hogging resources and costing the organization money.”

Yet, perhaps the most important reason to monitor employees has to do with the way organizations can protect themselves from liability and support their human resources departments.

“Imagine you have an employee who downloaded pornographic material to his computer,” Kelleher said. “He insists it’s only happened one time or he had no idea how it got there, but by using monitoring technology, you can track every site the employee has visited during any length of time.” Such evidence can help an organization build a strong case for dismissing the employee. “If a judge is presented logs and browsing histories showing an employee has repeatedly violated policy by going to such sites, you have a fantastic tool that avoids any ‘he said, she said,’ activity,” he said.

Monitoring also keeps an organization in compliance and safe from liability, particularly when dealing with legislation like HIPAA or FERPA. “You want to be able to prove that your organization has taken every step possible to protect a client’s data, especially if there is a breach,” Kelleher said. Such precautions help organizations fulfill their duty of trust, both legally and ethically.

“Most of the time, employees don’t mean to do anything wrong,” Kelleher said. “But you should monitor their activities, while keeping their personal needs in mind. Occasionally checking an e-mail won’t hurt anyone, but sending out confidential health data might. You need to be flexible and be prepared.”

For more information

GFI Software provides network security, content security and messaging software for small to medium-sized businesses. With award-winning technology, an aggressive pricing strategy, and a strong focus on the unique requirements of small to medium-sized businesses, GFI Software satisfies the needs of SMB organizations on a global scale. You can contact David Kelleher, communications and research analyst, at dkelleher@gfi.com. To read the complete GFI Software survey, go to www.gfi.com/documents/Security Report2009.pdf
