Security Fears Prod Firms to Limit Staff Web Use

Carl Bialik from WSJ writes "Companies are limiting employees' use of free Internet services, such as Skype and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps, the Wall Street Journal reports. ABN Amro's global head of strategy and engineering tells the WSJ, 'I'm not allowing Skype because I don't know what it does.' Some colleges and departments at Cambridge University also ban Skype. The limits affect executives as well as the rank-and-file, the WSJ finds: ' "I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.'"

Oh noes

Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.'"

What's next? Complaining that you can't use company funds to go on a vacation? Complaining that you can't use company computers to play games?

Re:Oh noes

[toleraen]

Exactly, whatever happened to only giving people what they need to get their job done? Where I work we have several services block...I don't even bother trying most things. It's locked down, which it should be. Nobody needs AIM at work, you don't need access to bittorret, etc etc. Better to lock stuff down than get your network owned by some idiot that can't stop talking to MSN bots.

Re:Oh noes

[kfg]

What's next? Complaining that you can't use company funds to go on a vacation? Complaining that you can't use company computers to play games?

Complaining that the shackles won't let you move more than 3 feet from your desk?

Tell ya what, if I can't use the company phone/email to make that doctor's appointment or let my wife know I'll be home late, well, I'm leaving for the day, and you can fuck your deadline and TPS reports.

I work because it is necessary to maintain my life. I do not work so I can maintain yours. If we cannot formulate a reasonable social contract where we both benfit our lives by pooling our resources you will have to do without me. I am neither your mommy nor your slave.

KFG

KFG

Re:Oh noes

[voice_of_all_reason]

A seriously heavy-handed comparison, but I can't resist posting this quote from Rita Hayworth and the Shawshank Redemption. Ever wonder why Andy was allowed to keep posters in his cell given how religious the Warden was?

The prison administration knows about the black market, in case you were wondering. Sure they do. They probably know as much about my business as I do myself. They live with it because they know that a prison is like a big pressure cooker, and there have to be vents somewhere to let off steam. They make the occasional bust, and I've done time in solitary a time or three over the years, but when it's something like posters, they wink. Live and let live. And when a big Rita Hayworth went up in some fishie's cell, the assumption was that it came in the mail from a friend or a relative. Of course all the care-packages from friends and relatives are opened and the contents inventoried, but who goes back and re-checks the inventory sheets for something as harmless as a Rita Hayworth or an Ava Gardner pin-up? When you're in a pressure-cooker you learn to live and let live or somebody will carve you a brand-new mouth just above the Adam's apple. You learn to make allowances.

Same goes here. Bad employee morale is definitely bad for business, because it's across the board. The guy who spends all day browing google video will eventually get discovered when his productivity tanks. It's not worth it to make everyone else in the company unhappy.

Re:Oh noes

[oGMo]

Exactly, what happened to only giving people what they need to get their job done?

Yeah, people could be chained to their desks and allowed 3 5-minute bathroom breaks and a 15-minute lunchbreak. That's all they need, think of the productivity increase! We could use children, too!

Oh wait, I think they have labor laws now.

What happened to having a pleasant workplace where you enjoy what you do? Little things make a lot of difference. I'm not talking dot-com era overindulgence, but personal email access is not too much to ask.

Most people spend at least 8 hours of their waking day, during the prime of their wakefulness, at work. It should not be too much to ask for this to be a pleasant time: people who enjoy being at work get stuff done and are more loyal than those who hate where they are, what they do, everyone around them, and the company.

Re:Oh noes

[Khammurabi]

Nobody needs AIM at work.

Actually, the company I work for requires it. It's very intrusive and time consuming to either walk over to someone's office, or call the person up right then and there. The person could be in a meeting or busy, and your walking over or calling can be very disruptive.

IM is just a faster form of e-mail, and (just like e-mail) it requires discipline not to fritter away the company's time "talking" on it all day. But there have been quite a few instances where my COO or a trainer shoots off an IM during a presentation with a question. IM is useful in that it is quick and discrete.

I'm putting on my hat...

[garcia]

"I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.

Sometimes I wonder if this is exactly what companies *want*. They don't want people to use outside e-mail (especially ones running over https) because then they can't easily monitor what their staff is doing.

If people are using their work e-mail for their personal use, the company gets to see exactly what, where, how, and when their employees are spending their own time. If the employee opts to not use their work e-mail for anything personal, the company knows that they now have the other added benefit of possible added productivity.

I'm just glad I can use SSH and tunnel everything over that. If I can't do that, I have GPRS service on my mobile device and I *could* use that for AIM, e-mail, and browsing instead.

Re:I'm putting on my hat...

[PFI_Optix]

If people are using their work e-mail for their personal use, the company gets to see exactly what, where, how, and when their employees are spending their own time. If the employee opts to not use their work e-mail for anything personal, the company knows that they now have the other added benefit of possible added productivity.

I don't think that's the case at all. Most companies could really care less what an employee does in their off time so long as it doesn't harm the company. What they do care about is things like trade secrets going out via an anonymous hotmail account or employees wasting hours talking to their significant other and circumventing the phone system monitoring by using Skype.

I'm just glad I can use SSH and tunnel everything over that. If I can't do that, I have GPRS service on my mobile device and I *could* use that for AIM, e-mail, and browsing instead.

I think that's where things should be headed. A cell phone doesn't have easy access to corporate documents (though cameras do facilitate that to an extent) and typing a lengthy e-mail is difficult, so trade secret theft (intentional or otherwise) by employees might be reduced significantly.

Re:I'm putting on my hat...

[hotspotbloc]

I consult for a small company that had a problem with an employee IMing all day. The rule (with my recommendation) was "IM/IRC/browse all you want so long as it doesn't effect your work". Well, she would IM almost constantly and rarely did her job. Solution: we signed her up with AIM/gmail accounts specific to work, logged all text (we use gaim) and told her she couldn't use any other IM accounts or clients. In a month they'd review her work and decide to either: return full IM services (with logging only on the company account), keep the restricted account or kick her to the curb.

After reviewing the logs for the month of probation we found the idea worked well for the first four days and then she added in her own IM accounts. While I could've made it tough for her to make any changes to GAIM I didn't because I refuse to treat adults like a forth grader. She was told that her IM sessions would be reviewed and not to add or remove any IM accounts, which she did, so she was fired.

The problem highlighted a possible future issue and we decided to require all employees to use a company related IM account just for company business. If they want to conduct personal IM conversations at work then they can use whatever other client they want. If an employee's performance is a problem and personal net access is high then they are put on "restricted access" for a month. So far the restricted access use has worked well and no one else has been fired for excesive personal net usage.

Moral of the story: Management needs to treat their employees like adults and not like children, let them use the net (IM, ssh, irc and most any web site since the only filtering we do is with prioxy) for personal tasks and work with those that don't follow the rules. So far everyone is fine with the rule because it is reasonable, allows for liberal personal net use and not draconian like most places. The only really strict rule is if you download and share any pron at work you're gone (to avoid an expensive sexual harassment suit).

Complete "no personal Internet use" rules just pisses people off and they will almost always find a way around it. Banning personal net access for minor abuses is like banning coffee because someone left an empty pot on a hot burner or a lunch room refrigerator because some people steal other peoples' lunches.

A message from your employer

[pubjames]

Dear employee,

We hope you enjoy working here. Please work hard and do some great work for us!

Thanks,

Your employer.

P.S. WE DON'T TRUST YOU.

Re:A message from your employer

[Tenareth]

A vast majority of security breeches are from internal users. Users have proven themselves to be untrustworthy.

Sorry, but people seem to do really really stupid stuff when they are feeling "put upon" by the "man". Or, just plain greed. Most Company's #1 security problem is their employees.

Block by default.

[blowdart]

I'm not allowing X because I don't know what it does does not necessarily equate to X is bad

Banning an unknown service from a network is the more sensible default decision for a corporate network to take. Firewalls should block everything by default, corporate desktops should stop installations of anything not checked and cleared. Why should skype be any different?

ssh tunneling

[Rinisari]

As long as it's not against company policy, you could try using SSH tunneling to hit a proxy at home. It might be a lot slower, but you can go anywhere. I've been using one written in Python for six months and haven't had a hitch.

Locking down net access at work makes sense

[rbanzai]

I just started as IT manager for a small advertising agency. The systems were wide open before and it seems like every machine has Limewire, skype, five different IM programs... and lots and lots of problems.

When these items cause problems that reduce productivity they have to go. It's that simple.

Due to unrestrained (and uninformed) users I now have to go over all 50 machines with a fine-tooth comb to scrub off the bad stuff. Several of these machines are probably going to have to be wiped. This is 100% due to user loaded "personal" software.

As I fix each machine they are getting locked down. I've been directed by management to prevent users from pirating music on company machines or using filesharing to share pirated music. I don't see anything unreasonable at all about that.

Any app that is well-behaved and does not expose the company to liability is fine with me. Otherwise it has to go.

Sensible

[Bogtha]

If your employees only need particular websites and particular applications to do their jobs, then why would you willingly open up additional attack vectors? It's a completely unnecessary business risk.

If you have employees complaining about needing to use personal email (what did they do before email in the workplace was common?), then simply set up a shared cheap PC in the coffee room for them to use on their lunch break. Firewall it off so that when all the inevitable crap gets onto the machine, it doesn't affect any important systems.

The Internet is not only for pr0n

[lushman]

As a consultant based overseas, using my client's corporate internet for Skype actually SAVES them a fortune. They would normally pay for the POTS international phone calls we make (VERY $$$$$), but the fact that they allow Skype means that we make all of our calls Skype-Skype without it costing them (or us) anything in call costs. Bandwidth charges are negligible in comparison.

If firms continue to be ignorant about new or alternative technologies then they will continue to be left behind. These savings can be significant over the long term, financially as well as productivity wise. Companies in the future will be split into two categories - those that embrace new technology and those that struggle under malinformed regimes run by beaurocrats who prefer the trusted path, the path of least resistance, over the newer, technologically superior one. I've seen this too many times than I'd care to remember.

Good plan

[TomatoMan]

ABN Amro's global head of strategy and engineering tells the WSJ, 'I'm not allowing Skype because I don't know what it does.'

I expect a few hundred flames of this statement, but it's a rock-solid security policy. Yes, this guy probably "should" know what Skype is in most people's opinions, but his default "deny" policy for anything he doesn't know is correct, and that attitude WILL prevent trouble. On a corporate network, especially one potentially carrying any kind of sensitive data, anything not specifically allowed should be denied. If employees can make a case about what any new service is and why they need it, it can be evaluated and perhaps allowed, but it should be denied by default.

IM and Web blocking at GE

[OzPeter]

TFA makes it seem like GE has just started blocking IM and external email systems. But in the GE division where I have been contracting it has been like that for at least the last 5 years.

And I can understand why. By only allowing communications through official chanels, the companies can better protect themselves by doing such things as applying corporate wide virus checking on emails. It also provides a log as to what communications occurred when. Though I do admit that flash drives and take home laptops can easily bypass any of these measures.

One downside to this is that the corporate policies also block VPN accesses, so I can not get to my offices servers while at the GE location.

One amusing anecdote relating to this is that where I work there is an analog phone line kept for the times when you really need to dial up a system. One lunch time I was using it to send some private email and also to chat with some friends (MSN messenger I think). When I was done I just picked my laptop up and walked back to my desk and plugged into the corporate lan without powering down. I was surprised when 20 minutes later one of my friends initiated a chat session with me. After the shock of chatting from my desk wore off, I realised that the chat program used two separate protocols/ports: 1 for logging into the chat system, and another for the actual chatting. The corporate IT people had only blocked one system and not the other, perhaps in the belief that that was all that was necessary. Combined with the chat system not timing out during the walk back to my desk, I had effectively bypassed their strong security.

I installed Skype while working for a Swiss bank

[AugstWest]

I was stuck in a hotel all weekend and wanted to talk to my wife, so I installed it, and within 5 minutes I got a call from security saying that my machine was scanning the network. It was Skype trying to find a way out.

When I got back to work on Monday, my Thinkpad was taken away and reformatted, and handed back to me -- without local admin privileges.

Now I work for a University. It's a whole other world.

Obligatory bash quote

[Spy+der+Mann]

Users have proven themselves to be untrustworthy.

Like this guy? :P

OMG, when will it end....

[zappepcs]

Some companies see giving employees small perks as part of keeping a happy and productive work force... can anyone remember the stories of the environment at EA? Now, we have tin foil hat stories about companies that give their employees pens and paper, but warn them to only write in block letters because anything else is a waste of company resources, or could lead to dangerous events in the file cabinets.

Ummm, perhaps its just me, but it is about fscking time that both government and businesses learn the lessons that have been sitting in front of them since about 1991... computers are here to stay, and the advantages and disadvantages of computers are here to stay too.... Its not that hard to limit outside network connections to a specific bandwidth, or monitor all packets in and out... this is not rocket science. Using draconian measures to squeeze every drop out of the company resources is not good for business... see Boycott, Company Stores et al, slavery,

I guess my point is that anything that stifles free and unfettered flow of information and ideas is going to stifle business productivity and innovation. I don't have links, but I thought this was pretty much already scientifically proven... or at least proven in the advent of F/OSS and what it has done to the computer and software markets. Just as the *AA needs to wake up and find a new business model, most of the rest of the business world has some work to do... its just common sense. Anything else usually involves putting holes in your feed with lead ladden projectiles.

Re:This type of admin is the bane of users

[Generic+Guy]

Listen, all you genius admins, I don't tell you what firewall software to use, you don't tell me what file conversion software I need to get the Windows line breaks out of text files, Ok? I don't what you're using for an anti-virus tool, and I don't expect you to know about my use of FrameScript to automate FrameMaker.

Listen you selfish malcontent, letting you put whatever the hell you want on the company computers potentionally puts the company and its directors at risk. When your P2P music crap, or cracked shareware linefeed-corrector gets noticed by the suppliers it can cause huge problems and expenses for the company just to satiate your little cubicle fiefdom. IT admins and directors need to worry about far more than just your "getting the job done" easier. The reality is there is a lot of damage and liability these days which can come out of users free-reign over the office computers.

Don't like it? Fine, resign and start your own consulting business. Then you can put whatever crap you want on your own equipment.

Re:This type of admin is the bane of users

[Malor]

See, you're not the problem; you're a computer professional and, at least in theory, you should be highly expert at using a PC. The problem is Tracy in Accounting and Bob the Receptionist, who haven't a clue what's going on with their machines, and who happily install spyware if it promises something slightly better than a sharp stick in the eye.

Think of it as the "OMG Ponies!" crowd, writ large. You just have no idea how freaking stupid these people can be.

Even in the best and brightest companies I've worked in, there have always been a few that got hired that knew a lot less about their PCs than they thought. In particular, they do not appear to hire salespeople for raw brainpower. The clueless users, especially the ones that don't realize (and never will) that they ARE clueless, cause enormous trouble. Unless the network is internally firewalled (which is getting to be a better and better idea, these days), they're often the vectors for network-wide infection.

The draconian policies of some admins may seem stupid, but remember that admins run on fear. They are, by and large, only noticed when things break, and then everyone is mad at them. When a single user can potentially bring a virus into the network that can stop the entire company dead in its tracks, well... it's a heck of a lot safer and easier to just lock EVERYTHING down and then install what people need, as they ask for it.

Think of it as a default-deny firewall.

Re:This type of admin is the bane of users

[giantsfan89]

The problem here is selective enforcement. Okay, so the admins allow you to run your unapproved application. What if Suzy the administrative assistant wants to run her fav screensaver app? And Jim wants to run Weatherbug so he knows when there's bad weather on his kids in the Midwest? The problem is that machines are locked down to prevent users from shooting themselves in the foot, because if you give them the loaded gun of admin access, they will. Then they start shooting other peoples' feet.

Find out how to get the software approved and do it. Go through the proper channels.

99.9% of corporate users should not have administrative access to their computers. There is no need to.