Security roundtable: Web lockdown

10.05.2005
By Chee Sing

As business dependence on the Internet grows, so do the risks and potential liabilities from Web security threats. Today the proliferation of spyware, phishing scams and spam (on top of viruses, worms and Trojans) leads us to distrust the Net, just as we now suspiciously eye e-mail from unknown sources.

Computerworld Hong Kong gathered a group of CIOs, IT heads and security experts at a recent roundtable discussion hosted by Blue Coat Systems Inc. to discuss the challenges and issues of Web security and the control of Web usage by employees. Blue Coat is a U.S.-based maker of security proxy appliances that offer content filtering, IM control, Web virus scanning, content scanning, and spyware detection and prevention.

The key theme to emerge from the discussion was how culture and people have drastically influenced how Web security can be managed and enforced.

Executives from Blue Coat painted a picture of corporate America seeking to rein in the spread of spyware from incessant surfing and countless downloads by employees bent on retaining their right to freely use the Web. This has spawned a variety of panicky countermeasures, including blocking of Web sites, blocking of downloads and unsuitable content, and restrictive decrees against Instant Messaging, P2P technology and other communications tools. Spyware is now a big problem Stateside, with networks clogging, PCs slowing to a crawl and the possibility of other malware being attached and deposited by spyware adding to the list of threats to corporate security.

"We are seeing threats that impact our trust of the Web," said Steve Mullaney, VP of marketing at Blue Coat. He added that while most users do trust the Web and are free to go wherever and download applications and software as they need, the rising threat from code writers cannot be ignored. "The Web presents the ultimate target for criminally minded malware writers with malicious code being dumped on your desktop and rendering it no longer your own desktop," he said.

Clamping the user

For CIOs in Hong Kong, the answer to such threats and misuse of the Web has been to restrict staff to standard applications and blocking of downloads while reminding staff of their responsibilities and the possible repercussions of any abuse of the Internet.

"For us there are no PCs, only CCs or corporate computers," said Patrick Slesinger, director and CIO at shipping firm Wallem Services. "There is nothing 'personal' at all about our computers."

Wallem strictly enforces policies to restrict software and applications run on all company desktops, banning the ad hoc downloading of new software or updates to applications and other tools.

Steve Beason, executive director of technology at the HK Jockey Club, presented a similar scenario for his organization. "We also lock everything down, we don't let staff download anything that they want," he said. Beason detailed audits on PCs and admitted that while the approach is "draconian," it is also effective in keeping user misbehavior and Web misuse down.

He added that the measures could leave some staff wondering if they want to connect to the office network at all, which leaves Beason nodding in approval, as that means fewer potentially hazardous connections to the network. "In the end I'm not comfortable with your 15-year-old daughter using your corporate laptop at home," he said. "Strict policies need to be put in place."

More features, more holes

Neither Beason nor Slesinger reported existing problems with IM or other collaborative tools; IM is used in both companies in a standardized way and is monitored for file-transfer and download activity. While use of IM is prevalent, it does present issues for large and small firms alike.

According to SC Leung, vice chairperson at the Professional Internet Security Association (PISA) in Hong Kong, many firms in Hong Kong now have a good handle on their network perimeter. "But many still require further education on user activity and the emerging Internet threats that stem from end-user interaction and behavior," he said.

In addition, the growing use of laptops and mobile devices is adding to the security management problem as these devices open up the network to even more threats. "Much more risk is now involved as devices are moving from company to home and back again with additional communications tools like IM and Skype being added into the list of apps that need securing," said Leung from PISA. Increasingly, IT organizations need to face this challenge. Security fears are such that some firms have built custom IM applications with hardened security, observed Leung.

Consistent enforcement

The lockdown attitude also prevails at Bank of America (BoA) and Cathay Pacific, and seems to typify the belief that a clampdown on users is the best policy in avoiding potential problems with spyware or other malicious threats from Internet communications.

Michael Leung, CIO at BoA, noted the strict regulation and auditing requirements of banking mean that the desktop environment must be consistent across all users and maintained under strict policy. At Leung's firm, users cannot simply download an IM application or a new browser. "These are company assets," he said, "and users need to be educated that whether the PC, PDA or smart phone is used at work or at home, if it logs onto the corporate network it has to be an approved company device."

At Cathay Pacific, there is an effort to provide staff with as much as they require to perform their tasks but policies governing desktops and Internet use are strict, noted Brodie Lee, IT process and policy manager for Cathay Pacific Airways. Lee added that his firm also operates a "corporate computer attitude" to PCs and laptops.

Scanning and blocking

While these firms all follow strict guidelines on desktop uniformity and blocking of downloaded files and executable code, actual blocking of content and Web site access is not apparent.

Both Beason and Slesinger pointed to their lack of proactive blocking of Web sites and content. "We can block some sites, but we don't block very often," said Beason. However, business managers and their staff receive reports on where each employee has been and for how long. "When staff realizes that their managers see this activity, the behavior changes pretty quickly," added Beason. Similar practices are adopted at Cathay Pacific, where again proactive scanning is limited. "We log everyone's activities and send them to managers who rarely look at them," said Lee, "but it has the desired effect on staff."
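The per-employee Web usage report described above is, in practice, a summary of the proxy's access log. The following is an added example, not code from the roundtable participants or from Blue Coat: it parses access records in the W3C extended log format (the format's "#Fields:" directive names the columns, and many Web proxies can emit it), builds a per-user, per-site report of request counts and time spent, and separately lists downloads whose content type marks them as executables, the kind of file the panelists block at the desktop. The log lines, field names and content-type list are constructed for the example; a real deployment would use the field set its own proxy emits.

```python
"""Per-user Web activity report from W3C extended-format proxy access logs.

Added example, not code from the roundtable or from Blue Coat. The sample
log below is constructed; its column names are assumptions chosen to
resemble the W3C extended log format, which names columns in a
"#Fields:" directive so the parser never hard-codes positions.
"""
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a #Fields header followed by four access records.
# Real logs quote any field containing spaces; shlex.split handles that.
SAMPLE_LOG = """\
#Software: example-proxy (constructed sample)
#Fields: date time time-taken c-ip cs-username cs-method cs-uri sc-status rs(Content-Type) s-action
2005-05-10 09:01:12 120 10.1.2.3 alice GET http://intranet.example.com/news 200 text/html TCP_HIT
2005-05-10 09:05:44 3400 10.1.2.3 alice GET http://files.example.net/setup.exe 200 application/x-msdownload TCP_DENIED
2005-05-10 09:06:01 80 10.1.2.4 bob GET http://news.example.org/ 200 text/html TCP_MISS
2005-05-10 09:30:10 950 10.1.2.4 bob GET http://news.example.org/story/1 200 "text/html; charset=utf-8" TCP_MISS
"""

# Content types that commonly carry Windows executables (assumed list, extend as needed).
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}


def parse_extended_log(text):
    """Yield one dict per access record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("access record appears before a #Fields directive")
        values = shlex.split(line)  # honours quoted fields such as "text/html; charset=utf-8"
        if len(values) != len(fields):
            raise ValueError("field count mismatch in record: %r" % line)
        yield dict(zip(fields, values))


def activity_report(text):
    """Return {user: {host: {"requests": n, "ms": total time-taken}}}.

    time-taken is the proxy's per-request service time in milliseconds, so the
    sum is a proxy for how long each user spent pulling content from each site.
    """
    report = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "ms": 0}))
    for rec in parse_extended_log(text):
        host = urlsplit(rec["cs-uri"]).hostname or "-"
        entry = report[rec["cs-username"]][host]
        entry["requests"] += 1
        entry["ms"] += int(rec["time-taken"])
    return {user: dict(hosts) for user, hosts in report.items()}


def executable_downloads(text):
    """Return (user, URI, proxy action) for every request that served an executable content type."""
    hits = []
    for rec in parse_extended_log(text):
        # Strip any "; charset=..." parameters before comparing the media type.
        media_type = rec["rs(Content-Type)"].split(";", 1)[0].strip().lower()
        if media_type in EXECUTABLE_TYPES:
            hits.append((rec["cs-username"], rec["cs-uri"], rec["s-action"]))
    return hits


def format_report(text):
    """Render the manager-facing summary as plain text, one line per user/site."""
    lines = []
    for user, hosts in sorted(activity_report(text).items()):
        for host, entry in sorted(hosts.items()):
            lines.append("%-8s %-24s %3d requests %6d ms" % (user, host, entry["requests"], entry["ms"]))
    for user, uri, action in executable_downloads(text):
        lines.append("EXECUTABLE %s %s (%s)" % (user, uri, action))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_LOG))
```

The report is only as trustworthy as the `cs-username` field, which is empty unless the proxy authenticates users; a report keyed on client IP alone will misattribute activity behind NAT or shared workstations. The executable check keys on the content type the server returned, so a download renamed to `.txt` but served as `application/octet-stream` is still caught, while a server that mislabels an executable as `text/plain` is not; the panelists' desktop-side blocking of executables is the complementary control.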

The panelists were then asked if productivity was being affected by Internet use and IM communications. The feeling among the CIOs was that while spyware, IM and Internet abuse could lead to lost productivity, there were many other factors that could contribute to a loss in staff performance.

"Productivity can be affected by many things, not just IM and the Internet," said Lee. "We let staff go to whichever site they wish as long as they deliver results." Beason agreed that productivity would be an issue if it was clear too much time was spent on IM and surfing non-work related sites. "There are people that stay late in the office simply because they don't want to go home," he said. "They like the coffee and the Internet access."

In such cases, Slesinger simply advises that staff be told clearly that they will be subject to predetermined action in cases of misuse of corporate assets and time. Like many other firms, Wallem makes staff sign policy documents that state clearly if they abuse company resources they will suffer the consequences.

"There will always be new tools that raise these [security and productivity] questions, yet treating these is merely treating symptoms rather than the cause of the problem," Slesinger pointed out. He advocates treating staff with respect in allowing them latitude to decide where is suitable to surf and what content is work-related. "If staff cannot understand that going to a porn site is not in business interests then we don"t block their access. We let them go [fire them]."

"Filtering and blocking tools will simply provide a level of comfort to the management and the users, but when a user still breaches the set guidelines whether accidentally or not, who is to blame then?" queried Slesinger. "The management for not putting in more systems? The vendor for a technology lapse? We prefer to make the user responsible."

Cultural sensitivity

Blue Coat's Mullaney agreed that the lockdown approach is ideal from an IT security standpoint but could not be applied in all circumstances.

"Across US and Europe, we see a broad spectrum of approaches and cultures, from those who will totally lock [their] people down to others who are not comfortable with that approach," he said. "From a security and legal standpoint, a lockdown is the way to go, but will everyone want to work in those conditions?"

He went on to say that flexibility is what many firms wanted and that technology like Blue Coat's would allow firms to turn the dial from a "laissez faire" policy right through to a locked-down state.

HK Productivity Council's Principal Consultant, Roy Ko, made the point that while people should be respected, it is distinctly easier to adopt a lockdown attitude here in HK and Asia. "Employees are simply more obedient here, and statistics for internal security incidents clearly show fewer instances here than in other parts of the world," said the active member of Hong Kong's computer security emergency response team (HK CERT).

All the panelists agreed that Hong Kong staff were more likely to follow corporate guidelines and less likely to object to policies on Internet use. "We moved to XP recently and staff complained for a month over lack of support for some PDA functions," said BoA"s Leung. "Over time the issue was resolved and they just accepted it."

Standardization is key

According to Vilis Osilis, CTO at Blue Coat, the key thing to realize about spyware is its implied threat: "If people with criminal intent with a clear incentive can spread spyware and other [malware] on corporate desktops, what else can they do?" Osilis stressed the need to view the Internet as a source of many threats and that firms must adopt protection to make the Web a more trustworthy environment to conduct business. "People are now relying on the Net for remote access, for access to their ERP, CRM and other applications," he said.

Osilis also advised standardizing on Mozilla's Firefox browser to reduce potential threats. However, there was also concern that Firefox did not offer the remote centralized administration that Internet Explorer offers.

Osilis noted that spyware was becoming an international problem, with Korean partners of Blue Coat reporting heightened activity.

HKPC's Ko also noted that spyware is expected to be the second most reported security issue after viruses for HK enterprises next year. Leung at BoA said that all the panelists thought spyware would become an issue, but it was not deemed a pressing concern right now.

"In the past the media have picked up quickly on viruses, hacking and malware threats," said Ko, "but so far with spyware there's no major incident to arouse the media yet."

"The potential damage has yet to be realized and, critically, the solutions are incomplete and immature too," Ko concluded.