If you and your staff don’t need unfettered Internet access to do your job, don’t allow it. Period. Most of your employees do not need access to Facebook, Amazon, CNN, YouTube, and a majority of the websites they’re accessing every day. Every time you go online and access a website, you are increasing your exposure to bad things – even if you think the websites are perfectly innocent.
In early 2016, we saw numerous examples of popular websites that were compromised and used as malware attack platforms. These were not shady websites of ill repute – we are talking about AOL, the BBC, the New York Times, and Wired.com, to name only a few. Nobody thinks that these websites are out to get them, but they make their money by serving up advertisements from third party content providers. These ad networks failed to sufficiently filter out the content they were serving up, allowing tens of thousands of users to be subjected to malware attacks on their systems in under a day.
On top of this, there is the risk that employees will intentionally go to a website that they should not be accessing from work. Classic examples of this are job searches, online shopping, adult content, and social media when these sites have nothing to do with the employee’s job function. Ask yourself “do I want my employees goofing off, looking for a new job while I’m paying them?” Even if you think “I trust my employees,” that’s great – trust and verify by limiting access to inappropriate websites. If you do think that nobody is doing anything inappropriate, I recommend you work with your IT provider to simply monitor access* for one week, and look at the results, which I guarantee will surprise you.
A good web content filter can be configured to allow, block, or warn groups of users when they attempt to access categories of websites. This is important because you want to be sure to configure access based on job roles, not by people. In other words, you should never set up permissions so that “Sally can get to Job Search websites because she is in HR.” You should have an “HR” role to which Sally is assigned, and that role should be granted access to job search websites. By doing this, it is much easier to assign the HR role to Sally’s replacement or assistant. It also makes you look like like playing favorites when permissions are based on job role rather than per person. That way, when Bob asks “why does Alice get to go on to Facebook but I don’t?” You can say “Because Alice is in the Marketing department, and they handle our social media campaign.” Even in smaller firms, this goes over a lot better than “because I said so.“
This takes a little more effort to technically enforce this, but you can at least begin with a written policy that spells out what sort of Internet access is and is not permitted. At the very least, you need to have an acceptable use policy, stating what is and is not permitted on your network. Then, be sure to follow up by giving this written policy to your IT staff so that they can enforce it with a technical policy.
* Before you do any sort of monitoring of employee activity, be absolutely certain to have all staff sign off on a policy stating that all of their activities may be monitored. Failure to do so may wind you up with a nasty HR legal issue on your hands.
Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.