Employee policy: Trust but verify

Cut workers some slack but don’t let your guard down

I woke up this morning feeling great. I always feel great on my birthday, even though it marks my advancing years. Today was a good one, despite the fact that as I write this, I’m trapped in a cultural wasteland in Central Florida. At least I’m spending the time lining up vendors at VoiceCon 2004 for InfoWorld’s big, forthcoming IP PBX test.

The surprises of late haven’t been all that great. Like finding out that the chefs here haven’t the slightest clue about how to cook grits. Or sausage. But those are trivial compared with the surprise that a friend got over the weekend.

My friend, a consultant in New York, was called in by a client with a true emergency. One of the client’s employees, frustrated that he couldn’t get into his AOL mail from work, detached his computer from the company network, dialed AOL, downloaded a file, then reattached to the company network and unzipped the file. I bet you’ve already guessed what happened next.

That’s right. The file was infected with one of the worms making recent rounds on the Internet, and the employee had intentionally defeated the company security requirements in the process of unleashing the worm on the corporate network. And, of course, the company was unprepared to deal with a worm that managed to get through the defenses, so it ran rampant inside the enterprise. My friend spent the weekend cleaning it up.

As disturbing as it might be, this event was preventable in any number of ways. Yes, the company was well-protected against outside invaders. But the managers had never thought to take the next step: dealing with threats that got inside anyway.

Because of this, the individual computers had no host-based firewalls that could have contained the worm once it was loose. There were no internal firewalls segmenting one part of the network from another. And it would appear that some of the company’s network usage policies were not well thought out.

For example, because the company prohibited access to AOL, the network security protections that could have screened the download never had the chance to do so. The user, feeling that his need was sufficient to break the rules, went around the policy and, in doing so, went around all the built-in security protection for the corporate network. It would have been better to let the user go to AOL for a few minutes and then screen whatever came through; that way, you’re covering all the bases.

Yes, I know that companies don’t like it when employees spend hours at shopping sites, looking for deals on eBay, or searching for jobs, but some companies don’t like it when employees make personal phone calls, either. The difference is that most companies have found that allowing personal phone calls improves employee performance as long as it’s kept to a reasonable level.

The same is true about personal access to the Internet. Unfortunately, too many IT managers haven’t figured this out, so employees spend time figuring out ways around security.

A better solution is to monitor where employees go and how long they spend going there. Checking personal e-mail a couple of times a day is hardly a risk as long as downloads are screened. And if you suspect an employee is spending hours visiting sites that are inappropriate, you then have the evidence to correct the problem. With any luck at all, you’ll avoid compromises to your network and keep your employees happier. And that shouldn’t be a surprise.


Copyright © 2004 IDG Communications, Inc.