Bugwatch: Reducing the risk from P2P downloads

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Frank Coggrave, UK regional director of Websense, examines the legal implications for businesses and IT directors of employee use of P2P networks.

P2P is a concern to any organisation, but on a more critical level it is also illegal.

Downloading pirate material not only infringes on existing copyright laws but, since March this year, it is a breach of the European Union Directive on the Enforcement of Intellectual Property.

This recently created intellectual property legislation makes US digital media rights laws pale in comparison. Under the European directive, counterfeiters and pirates will be prosecuted, facing fines and other civil penalties for breaching intellectual property rights.

It is hardly going to do much good for a company's reputation if one of their employees is accused or prosecuted under these new regulations. If pirated music is found on the company's servers then, arguably, the companies could be complicit, with an accusing finger pointed at the IT director.

So what can IT directors do to avoid opening their systems to abuse? Should they prevent employees accessing the internet?

Although this would put an immediate end to the problem, such a draconian approach would do little for employee morale and could reduce workers' productivity, especially as a large number of staff need to use the internet to fulfil their job.

Even requesting employees to avoid certain websites and refrain from downloading applications cannot be a completely foolproof solution.

It is a fact of life that there will always be a group of users that persist in disobeying the rules, especially if they think it's harmless.

At the same time, companies should bear in mind the absence of any real business advantages of P2P applications - which pride themselves on beating defences and infiltrating networks - and consider forbidding users to download them in the first place.

Ultimately, the buck stops with the IT director, who has the overall responsibility to ensure that the appropriate controls - policy, procedures, education - are implemented to mitigate the risks (and costs) associated with the use of pirated software in the enterprise.

It is the IT director's job to ensure that employees are using the internet sensibly, according to pre-agreed company guidelines. It is not the duty of the internet service providers or of the file-sharing software providers to regulate how their systems are used.

Companies need to draw up clear internet access policies for employees and ensure that they are communicated effectively and enforced throughout the organisation.

Otherwise employees will continue to use their company internet connections for non-work reasons. That's not only a lot of wasted employee time and bandwidth; it could ultimately have serious legal repercussions for the business.