IT Security Risks for SMB
One of the most overlooked security risks for small businesses today comes from the most unlikely of places: your own employees. Non-business related Internet usage by employees can be dangerous and drain productivity, and it may also open your business up to human resource and litigation concerns. In this month’s Tech Brief we’ll look at the risks that employee Internet usage can pose to your business and the steps that you can take to limit its impact.
- 30-40% of Internet use in the workplace is not related to business.
- 70% of all Internet adult-site traffic occurs during the 9-5 workday.
- 37% of workers say they surf the Web constantly at work.
- 63% of companies monitor workers’ Internet connections and 47% store and review employee email.
- When asked “should employers monitor, limit, block, or control your Internet access while at work?” over 60% of employees said “yes”.
Data sources include: U.S. DEPARTMENT OF COMMERCE – Economics and Statistics Administration National Telecommunications and Information Administration – Greenfield and Rivet. Employee computer abuse statistics
We’ll focus on the three most common uses of the Internet by employees (web surfing, email use, and instant messenger use) to identify what risk each can potentially pose to your business.
A recent survey of Danish businesses found that up to 30% of companies have been infected with malicious software as a result of Web surfing, while only 20-25% of the same companies experienced infections from emails. Employees doing non-business related web surfing are more likely to pick up spyware, viruses, worms, and trojans. These can lead to reduced system and network performance as well as unauthorized access from outside to sensitive company information.
Another cost to companies resulting from non-business web surfing is lost productivity and potential human resource/litigation risks. In a study, 41% of employees admitted to personal surfing at work for more than 3 hours per week. That’s the equivalent of 19.5 days of lost productivity per year. And if your employees are viewing inappropriate content, you may be held responsible for any legal action that may result from it. For example, in 1995 a New Jersey court held that an employer’s failure to detect and stop an employee’s unlawful activity using corporate email and Internet resources could support a negligence claim against the employer by the victims of the employee’s unlawful action.
Do you know what is passing through your corporate email system? An American Management Institute study found that 20% of companies surveyed have had employee emails subpoenaed in the course of a lawsuit or regulatory investigation. Many employers remain largely ill-prepared to manage email risks such as inappropriate content or the transmission of company files/intellectual property. Also, personal use of corporate email in small amounts may be acceptable, but a large amount of non-business emailing will result in lost productivity and a drain on network bandwidth.
There has been a significant increase in use of instant messaging (IM) software at companies and some analysts suspect in years to come it will be as commonplace as email. A recent survey by the ePolicy Institute found that nearly 35% of employees use IM at work. Of those employees, 58% admitted to using IM for non-business chatting. Much like web surfing, productivity and network bandwidth are at risk due to non-business IM. Also, as the recent Mark Foley case demonstrates, there are potential legal ramifications that inappropriate messaging can have.
Thankfully there are steps that you as a business owner/manager can take to prevent non-business Internet usage from negatively affecting your company.
Invest in software or hardware that monitors web browsing activity: There are programs and devices available that allow you to monitor and review employees’ browsing and set up filters to block specific content such as gambling or adult websites. Many devices also allow you to prioritize Internet traffic to limit non-business surfing and prevent critical applications or systems, such as VoIP, from losing bandwidth.
Track and archive corporate email: Most modern email systems have basic message tracking features that you should always have enabled. Also, make sure you have an archive solution in place that allows you to retrieve email in case you ever need to review old messages.
Block or monitor instant messaging traffic: If IM is not business critical, invest in a tool to block it from your system. For businesses where it is critical, you should standardize on one IM platform (be it AOL IM, Yahoo IM, or enterprise-wide private IM software). You should also invest in IM tracking solutions so that activity can be reviewed in the same way Internet traffic and email should be.
Implement and enforce company-wide policies on web browsing, email usage, and instant messaging: The American Management Institute found that 79% of employers implement a written email policy, while only 20% of employers implement an IM policy. You should always have a set of guidelines in place governing Internet usage and make sure all employees are familiar with them.
Understanding the risk that non-business Internet usage poses to your company is essential for all owners and managers. If you implement and enforce a strategy of reducing unacceptable employee activity, you will minimize lost productivity and your risk of legal liability. If you have any questions about monitoring software or policy creation, please