Bugwatch: The perils of work-time surfing

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Bob Jones, managing director of Equiinet, warns of the dangers of employees' unauthorised use of the internet and email.

Whether it is acceptable, or to what extent it is acceptable, for an employee to use the company's facilities isn't a new issue.

Over the years, most companies have found a solution that fits them. Use of the phone is a good example. Some companies give their employees more or less a free rein, with just a tacit understanding in place that lengthy chats to pals abroad is not on.

Others take a firmer line, with written guidelines for employee behaviour, perhaps allowing occasional calls.

Some businesses feel that the use of monitoring equipment is the best solution, so that whether or not calls are actually recorded, there is a deterrent in place that minimises abuse of the guidelines.

The internet, however, is a different matter, and no one should be surprised if people who are on eBay and newsgroups all evening are tempted to have a little peek while they're at work.

But, just as with the telephone, effective solutions can be put in place to prevent time-wasting during company time, scaled to suit the company involved.

Access to websites that are generally accepted as no-go areas can be automatically prevented, or people can only view websites that are identified as being relevant to the workplace.

Time controls can be put into place, too, so that employees can only connect to sites that are not work related outside working hours.

That sounds great, but the telephone analogy falls down in one vital respect. Whereas the problems generated by employees making unauthorised phone calls generally don't extend beyond wasted time and money, unauthorised use of the internet and email has a far greater potential to cause damage.

Viruses can get in by people picking up web-based email, which bypasses virus scanning. People create back doors to the network by personal use of modem dial-up, which bypasses firewall protection.

A couple of ill-advised clicks from a member of staff casually browsing can download viruses, and cause havoc by infecting the PCs the company thought were so well protected.

But help is at hand. Control mechanisms are keeping pace with the miscreants. Technology solutions that are suitable for organisations large and small can protect the business against hackers, virus developers and the purveyors of spam, as well as its more sinister counterpart: virus-spam.

But with all that outward looking protection the danger is that the enemy within becomes the source of greatest risk.

Employees therefore need to be well schooled in the problems that can be caused if security measures are bypassed, and given unambiguous guidelines for the use of technology.