When it comes to network security, one of the greatest security gaps is still the “human factor”, especially through private Internet use at the workplace. In addition to private e-mails, the ever increasing reach of social networks currently represents a great challenge. Viruses and other malware from the web seek out exactly these weaknesses. Attacks increase on a daily basis, and businesses in all industries and of all sizes must implement ever more sophisticated standards for protection.
Customers often approach me and ask how to implement maximum security in the IT infrastructure while at the same time minimising the interference with the legitimate data protection requirements of employees. I am happy to address the main factors from my perspective:
- Check the private Internet use of your employees at random and, if necessary, clearly warn about the latent dangers. The topic is currently especially contentious because transmission protocols previously regarded as safe (HTTPS or SSL) are now being used for malware attacks. The use of these encrypted connections is steadily increasing. The problem with this is: until now, these connections were excluded from checks because of their encryption. By now, however, some virus scanners are able to intercept and inspect these so-called “end-to-end” connections.
- With such inspection in place, however, the employer not only receives notifications about detected malware but may also, under certain circumstances, gain knowledge about employees' eBay sales or even access to HTTPS-encrypted online banking, and with it an insight into their general asset and debt situation.
To avoid this problem we have developed our antivirus system AV Proxy (available in the app stores for UCS) in such a way that one can define exceptions to the SSL scan, so that, e.g., legitimate banking websites remain excluded from inspection.
- Regularly sensitise your staff to network security topics and the protection of confidential customer data, both in individual meetings and in mandatory training sessions. The network is only as safe as its weakest link – from the managing director down the line.
- The monitoring of private Internet use requires clear operational rules. Company agreements must make clear to all employees whether and to what extent private Internet use is permitted. It is vital that you explain to your colleagues that random checks will take place within the necessary operational framework, and how extensive these will be (full monitoring is only permitted in justified individual cases anyway). In any case these topics require a high level of tact, and one should always act in close coordination with the employee representatives.
- Use open source software solutions for your systems. These tend to be less vulnerable to malware than proprietary systems. Especially in server management, open source platforms are often a safe alternative.
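To make the SSL-scan exception idea above concrete, here is an added example of the bypass decision such an exception list implies. It is my own illustration written for this post, not AV Proxy's or UCS's code or configuration format: the list syntax (bare hostnames plus `*.domain` wildcards), the connection-log lines and the domain names are all constructed for the example. The point it demonstrates is that exceptions must be matched on whole DNS labels, otherwise a naive suffix match would let `notmybank.test` slip past inspection because it ends in `mybank.test`.

```python
"""Decide whether an outbound TLS connection should bypass interception.

Assumed (not AV Proxy's own format): a bypass list of bare hostnames and
wildcard entries such as "*.example-bank.test". A wildcard covers
subdomains only; the apex name needs its own entry. Matching is done on
whole DNS labels so that "notexample-bank.test" never matches
"example-bank.test".
"""
from typing import Iterable, List, Set, Tuple

# Constructed sample bypass list, not a real configuration.
BYPASS_LIST = [
    "# banking and payroll sites stay end-to-end encrypted",
    "example-bank.test",
    "*.example-bank.test",
    "*.payroll.example.test",
]

# Constructed sample connection log: "<timestamp> <client> -> <host:port>".
SAMPLE_CONNECTIONS = [
    "2024-05-02T09:14:03Z 10.0.0.12 -> online.example-bank.test:443",
    "2024-05-02T09:15:41Z 10.0.0.12 -> notexample-bank.test:443",
    "2024-05-02T09:16:09Z 10.0.0.31 -> mail.example-shop.test:443",
    "2024-05-02T09:17:55Z 10.0.0.31 -> hr.payroll.example.test:443",
    "2024-05-02T09:18:20Z 10.0.0.31 -> payroll.example.test:443",
]


def normalise_host(host: str) -> str:
    """Lowercase, strip a trailing dot and any ':port' before matching."""
    host = host.strip().lower().rstrip(".")
    # A bracketed IPv6 literal is left alone; otherwise drop ":port".
    if not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]
    return host


def parse_bypass_list(entries: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split the list into exact hostnames and wildcard suffixes."""
    exact: Set[str] = set()
    suffixes: Set[str] = set()
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        if entry.startswith("*."):
            suffixes.add(normalise_host(entry[2:]))
        else:
            exact.add(normalise_host(entry))
    return exact, suffixes


def should_bypass_inspection(host: str, exact: Set[str], suffixes: Set[str]) -> bool:
    """True if the host is exempt from TLS inspection.

    Wildcards are matched by walking up the label hierarchy
    (a.b.c -> b.c -> c), so only whole labels can match.
    """
    host = normalise_host(host)
    if host in exact:
        return True
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return True
    return False


def classify_connections(log_lines: Iterable[str], bypass_entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, "bypass"|"inspect") for each logged connection."""
    exact, suffixes = parse_bypass_list(bypass_entries)
    decisions = []
    for line in log_lines:
        host = line.rsplit("->", 1)[1].strip()
        action = "bypass" if should_bypass_inspection(host, exact, suffixes) else "inspect"
        decisions.append((normalise_host(host), action))
    return decisions


if __name__ == "__main__":
    for host, action in classify_connections(SAMPLE_CONNECTIONS, BYPASS_LIST):
        print(f"{action:8s} {host}")
```

Note the last two sample lines: `hr.payroll.example.test` is exempted by the wildcard, but `payroll.example.test` itself is still inspected because the apex name has no entry of its own. Whatever product you use, check which convention its exception list follows before relying on it to keep banking traffic private.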
In this day and age, it is unrealistic to forbid private Internet use at work completely. The Internet is an omnipresent part of our lives, and therefore even a total ban cannot realistically prevent the use of private websites. It is all the more important to have clear operational rules in place and to react appropriately to threats.