As recently published statistics have shown, the internet world has changed and continues to change. This requires corresponding changes in attitudes regarding employee internet access and IT use. This can perhaps be characterised as a change to a more realistic security policy, from a previous ‘head in the sand – I see no issues’ approach – to ‘I will make time to do something!’. It’s the ideal time to put an Action Plan in place.
Without being overly dramatic, because the company network is attached to the internet, this has potential to severely impact the company financially – as even large companies have found recently. Employees can update their Facebook profiles, book their holidays and make online purchases at home. Why offer them the opportunity at work where the by-product might be to compromise the business network and impact the business itself?
Many commercial organisations, especially smaller companies, operate on the ‘trust’ principle that their staff will not waste time and resources by ‘playing’ on the internet during working hours. Even if this trust is well founded – the likelihood of staff with free reign unwittingly downloading malware is extremely high. Monitoring internet usage is often an eye opener – seeing how much non-work related activity is actually being conducted. The fact that staff dipping in and out of Facebook during the day is not only a time waster, but also a security and resources issue hasn’t occurred to many SMB managers or business owners as a big issue.
The company resources are installed for business use; the company and its security in all senses has to come first. The Network Manager and more importantly his senior management have to put company security at the top of the agenda.
For those that hesitate over the need for such action – two interesting questions:
- Q: How do you know that your network and/or company website hasn’t already been secretly compromised?
A: Possibly you don’t. Worse, you may not be able to legally demonstrate that you have ‘adequate and reasonable’ measures in place to protect your customers and staff which you are obliged to undertake.
- Q: Could you be legally liable when staff using your business network for private banking purposes for example, have their funds and/or identity stolen?
A: Yes. If you cannot demonstrate you have put ‘adequate and reasonable’ protection in place. So why get into this dilemma by allowing such non-business activity?
Here are some simple suggestions for SME network managers – particularly those that have access to NetPilot equipment or are considering purchasing in the future.
Action Plan – Summary
- Create and publish a company Acceptable Use Policy (AUP).
This sounds a boringly formal place to start – but it is essential.
- Implement and enforce a Security Survival Plan (SSP).
This is a combination of processes and technology configuration. This is the next step on from your AUP.
- Monitor and amend your AUP and SSP.
Again use of technology to help amend the processes and modify written documents.