Security Fears Prod Firms to Limit Staff Web Use

Carl Bialik from WSJ writes "Companies are limiting employees' use of free Internet services, such as Skype and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps, the Wall Street Journal reports. ABN Amro's global head of strategy and engineering tells the WSJ, 'I'm not allowing Skype because I don't know what it does.' Some colleges and departments at Cambridge University also ban Skype. The limits affect executives as well as the rank-and-file, the WSJ finds: ' "I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.'"

Oh noes

[Anonymous Coward]

Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.'"

What's next? Complaining that you can't use company funds to go on a vacation? Complaining that you can't use company computers to play games?

Job Qualifications

[saihung]

This guy should write legal policy in Burma: ... tells the WSJ, 'I'm not allowing Skype because I don't know what it does.'

I mean, just, wow. And here I thought that the "anything I don't understand must be bad" school of management was going out of style.

I'm putting on my hat...

[garcia]

"I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.

Sometimes I wonder if this is exactly what companies *want*. They don't want people to use outside e-mail (especially ones running over https) because then they can't easily monitor what their staff is doing.

If people are using their work e-mail for their personal use, the company gets to see exactly what, where, how, and when their employees are spending their own time. If the employee opts to not use their work e-mail for anything personal, the company knows that they now have the other added benefit of possible added productivity.

I'm just glad I can use SSH and tunnel everything over that. If I can't do that, I have GPRS service on my mobile device and I *could* use that for AIM, e-mail, and browsing instead.

A message from your employer

[pubjames]

Dear employee,

We hope you enjoy working here. Please work hard and do some great work for us!

Thanks,

Your employer.

P.S. WE DON'T TRUST YOU.

Block by default.

[blowdart]

I'm not allowing X because I don't know what it does does not necessarily equate to X is bad

Banning an unknown service from a network is the more sensible default decision for a corporate network to take. Firewalls should block everything by default, corporate desktops should stop installations of anything not checked and cleared. Why should skype be any different?

At least he's honest

[Anonymous Coward]

You have to admit that honesty is a rare quality, even if he is a bad manager.

We've always done this

[PinternetGroper]

I've always prevented my users from downloading *any* program from the internet. There are a multitude of reasons: spyware, bandwidth issues, etc. I just think it makes good sense to limit the crud that can be put on machines. I don't have to wonder if the problem a user is having is due to something they downloaded. Being Healthcare, I'm also bound by HIPAA. My interpretation of it is what I just mentioned above. It actually gets me in a frizzle (word?) when I see the junk my father's company allows them to put on their machines. They aren't healthcare, but I would think the hassle of tech support would be magnified many times over...

Re:A message from your employer

[Tenareth]

A vast majority of security breeches are from internal users. Users have proven themselves to be untrustworthy.

Sorry, but people seem to do really really stupid stuff when they are feeling "put upon" by the "man". Or, just plain greed. Most Company's #1 security problem is their employees.

Sensible

[Bogtha]

If your employees only need particular websites and particular applications to do their jobs, then why would you willingly open up additional attack vectors? It's a completely unnecessary business risk.

If you have employees complaining about needing to use personal email (what did they do before email in the workplace was common?), then simply set up a shared cheap PC in the coffee room for them to use on their lunch break. Firewall it off so that when all the inevitable crap gets onto the machine, it doesn't affect any important systems.

Re:Oh noes

[kfg]

What's next? Complaining that you can't use company funds to go on a vacation? Complaining that you can't use company computers to play games?

Complaining that the shackles won't let you move more than 3 feet from your desk?

Tell ya what, if I can't use the company phone/email to make that doctor's appointment or let my wife know I'll be home late, well, I'm leaving for the day, and you can fuck your deadline and TPS reports.

I work because it is necessary to maintain my life. I do not work so I can maintain yours. If we cannot formulate a reasonable social contract where we both benfit our lives by pooling our resources you will have to do without me. I am neither your mommy nor your slave.

KFG

KFG

Re:Oh noes

[voice_of_all_reason]

A seriously heavy-handed comparison, but I can't resist posting this quote from Rita Hayworth and the Shawshank Redemption. Ever wonder why Andy was allowed to keep posters in his cell given how religious the Warden was?

The prison administration knows about the black market, in case you were wondering. Sure they do. They probably know as much about my business as I do myself. They live with it because they know that a prison is like a big pressure cooker, and there have to be vents somewhere to let off steam. They make the occasional bust, and I've done time in solitary a time or three over the years, but when it's something like posters, they wink. Live and let live. And when a big Rita Hayworth went up in some fishie's cell, the assumption was that it came in the mail from a friend or a relative. Of course all the care-packages from friends and relatives are opened and the contents inventoried, but who goes back and re-checks the inventory sheets for something as harmless as a Rita Hayworth or an Ava Gardner pin-up? When you're in a pressure-cooker you learn to live and let live or somebody will carve you a brand-new mouth just above the Adam's apple. You learn to make allowances.

Same goes here. Bad employee morale is definitely bad for business, because it's across the board. The guy who spends all day browing google video will eventually get discovered when his productivity tanks. It's not worth it to make everyone else in the company unhappy.

Re:I'm putting on my hat...

[Anonymous Brave Guy]

If the employee opts to not use their work e-mail for anything personal, the company knows that they now have the other added benefit of possible added productivity.

Because we all know that treating staff as machines, and expecting them to work constantly throughout the day without taking the odd couple of minutes as a break now and then or dealing with an important personal matter, is definitely the way to increase productivity, right? :-/

Re:I'm putting on my hat...

[PFI_Optix]

If people are using their work e-mail for their personal use, the company gets to see exactly what, where, how, and when their employees are spending their own time. If the employee opts to not use their work e-mail for anything personal, the company knows that they now have the other added benefit of possible added productivity.

I don't think that's the case at all. Most companies could really care less what an employee does in their off time so long as it doesn't harm the company. What they do care about is things like trade secrets going out via an anonymous hotmail account or employees wasting hours talking to their significant other and circumventing the phone system monitoring by using Skype.

I'm just glad I can use SSH and tunnel everything over that. If I can't do that, I have GPRS service on my mobile device and I *could* use that for AIM, e-mail, and browsing instead.

I think that's where things should be headed. A cell phone doesn't have easy access to corporate documents (though cameras do facilitate that to an extent) and typing a lengthy e-mail is difficult, so trade secret theft (intentional or otherwise) by employees might be reduced significantly.

Good plan

[TomatoMan]

ABN Amro's global head of strategy and engineering tells the WSJ, 'I'm not allowing Skype because I don't know what it does.'

I expect a few hundred flames of this statement, but it's a rock-solid security policy. Yes, this guy probably "should" know what Skype is in most people's opinions, but his default "deny" policy for anything he doesn't know is correct, and that attitude WILL prevent trouble. On a corporate network, especially one potentially carrying any kind of sensitive data, anything not specifically allowed should be denied. If employees can make a case about what any new service is and why they need it, it can be evaluated and perhaps allowed, but it should be denied by default.

Re:Oh noes

[Volante3192]

whatever happened to only giving people what they need to get their job done?

Sound in theory, but what if your paid to be on call for 8 hours? Help desk type stuff. I'd go batshit insane if everything was locked down so hard that I couldn't relax a bit in the lulls between calls.

And don't say "work on other projects" because when you have to be able to break off your thought process at the sound of a ring, it's nigh impossible to really focus on something complex.

You start finding little things made out of spare stationary and writing materials. The dolls made out of staples. Pencils stuck in the ceiling. Contests to find out who can let the match smoke the longest before setting off the fire alarm. Jungle voodoo orgies...

When all I need is my sudoku fix...

Not necessarily as ignorant as it sounds

[Beryllium Sphere(tm)]

Skype is closed source, the binary is full of obfuscation, and you can't examine the network traffic. "Trust but verify" is replaced by "trust".

You could use Filemon to make sure Skype's not reading your disk, and other tools to check whether it's keylogging, but a busy paranoid could be excused for not taking the trouble.

I sure wouldn't want to pay a sysadmin who allowed things on the network without knowing what they did.

(I use Skype at home but I'm not risking someone else's network by doing so).

Re:A message from your employer

[Serapth]

Depnds on the type of trust you mean. Blocking outside access to possible security risks because you dont trust your users technical abilities is defensible. Would you give each user administrative rights? No of course not. This is much the same action on a much smaller scale. In all honesty, I dont really see it affecting employee morale. There arent many reasons not to put such restrictions in place if you have the IT resources to do so.

Now, we dont trust you, applied to things like... cant surf normal HTML pages as they dont trust the employee not to waste company time. Or, doing random audits on the contents of an employees email. These things will make a knowledge worker feel oppressed and will affect morale. Putting these kinds of things in place though is a much harder decision. There is a direct correlation between employee happiness and employee freedoms. That said, alot of employees fuck the dog pretty bad. The big difference is, the earlier actions tend to be an IT initative, whereas the later tends to come down from the top.

He said "know what it does"

[Angostura]

Note, he is not saying that he doesn't know what Skype is he is saying that he doesn't know what it does. That's fair enough; I've read a fair number of accounts by people who have attempted to work out exactly what Skype is up to on their networks, and very few people outside of skype know exactly what Skype does.

It uses a proprietary closed protocol, nicely encypted; is adept at getting through firewalls and most important can turn office PCs into high-traffic relays without warning and without the ability to stop the relaying behaviour from the client.

In related news, the submitter conflates the Internet and the Web. Which is pretty annoying.

Re:Oh noes

[Anonymous Coward]

"Nobody needs AIM at work."

Are you sure? Nobody? Ever? Must be nice to live in such a simple world. Using AIM to keep in touch with family very often saves me a lot of time out of the office. Using AIM to contact some work associates that are not on our network IM system, or with friends who can sometimes answer a technical question quickly, can often save me and the company lots of time and money.

I suppose there a lots of things we don't strictly need at work that make us more productive, more satisfied in our jobs, more connected to others. Let's get rid of them all, and just take the easiest head-in-the-sand approach. But while we're at it, we'd better also strip search everybody leaving the building, because people can carry an awful lot of sensitive information out on floppy, CD, flash, etc.

Maybe it's just easier to blame the technology.

Re:Oh noes

[drsquare]

Sound in theory, but what if your paid to be on call for 8 hours? Help desk type stuff. I'd go batshit insane if everything was locked down so hard that I couldn't relax a bit in the lulls between calls.

What do you think people did before computers, or today in places where there are no computers to play on? When your employer buys you a computer, it's a tool to do your job, you can't expect anything more, no more than you can expect entertainment from a screwdriver or a hole puncher.

OMG, when will it end....

[zappepcs]

Some companies see giving employees small perks as part of keeping a happy and productive work force... can anyone remember the stories of the environment at EA? Now, we have tin foil hat stories about companies that give their employees pens and paper, but warn them to only write in block letters because anything else is a waste of company resources, or could lead to dangerous events in the file cabinets.

Ummm, perhaps its just me, but it is about fscking time that both government and businesses learn the lessons that have been sitting in front of them since about 1991... computers are here to stay, and the advantages and disadvantages of computers are here to stay too.... Its not that hard to limit outside network connections to a specific bandwidth, or monitor all packets in and out... this is not rocket science. Using draconian measures to squeeze every drop out of the company resources is not good for business... see Boycott, Company Stores et al, slavery,

I guess my point is that anything that stifles free and unfettered flow of information and ideas is going to stifle business productivity and innovation. I don't have links, but I thought this was pretty much already scientifically proven... or at least proven in the advent of F/OSS and what it has done to the computer and software markets. Just as the *AA needs to wake up and find a new business model, most of the rest of the business world has some work to do... its just common sense. Anything else usually involves putting holes in your feed with lead ladden projectiles.

Re:Job Qualifications

[fishwallop]

He's not saying he doesn't understand what Skype claims to do (i.e. provide an internet telephony service), but that he doesn't know what it does (e.g. install malware, open up security holes or intentional backdoors by virtue of running as a server app; forward copies of your mailbox to skype.com for international corporate espionage...) With Microsoft you may not care; if it goes wrong there are deep pockets to sue. With open source you don't care, because you can verify it for yourself. With Skype/Yahoo, your confidence level may vary.

This type of admin is the bane of users

[blueZ3]

"Locking down" machines, which usually means preventing users from installing or running software that the admin hasn't "approved" is far more likely to reduce productivity than anything else. I can't tell you how many times I've been frustrated by the admins who have the idea that they know better than I do what tools I need to do my job... In fact, it's something that I ask non-manager employees when I interview: "Do you have admin privileges on your box" (working in software, I usually get a sensible response).

Listen, all you genius admins, I don't tell you what firewall software to use, you don't tell me what file conversion software I need to get the Windows line breaks out of text files, Ok? I don't what you're using for an anti-virus tool, and I don't expect you to know about my use of FrameScript to automate FrameMaker. The MicroType FM extensions make me about 10% more efficient in my work, and if I can't download and install them, I'll see if we can't backcharge IT for that extra hour a day.

A sensible policy is that "unapproved" applications are unsupported. This means that if something I install causes problems, I have to resolve them or have my box re-imaged. I'm fine with that. Don't "lock down" my machine, prevent me from doing my job efficiently, and then crow about how you've saved the company money.

Re:Oh noes

[oGMo]

Exactly, what happened to only giving people what they need to get their job done?

Yeah, people could be chained to their desks and allowed 3 5-minute bathroom breaks and a 15-minute lunchbreak. That's all they need, think of the productivity increase! We could use children, too!

Oh wait, I think they have labor laws now.

What happened to having a pleasant workplace where you enjoy what you do? Little things make a lot of difference. I'm not talking dot-com era overindulgence, but personal email access is not too much to ask.

Most people spend at least 8 hours of their waking day, during the prime of their wakefulness, at work. It should not be too much to ask for this to be a pleasant time: people who enjoy being at work get stuff done and are more loyal than those who hate where they are, what they do, everyone around them, and the company.

Re:Job Qualifications

[Mindwarp]

His answer should have been "We're not allowing Skype because we're an investment bank, and the S.E.C. says that we're not allowed to use any form of communication that isn't logged and audited."

Re:Oh noes

[Khammurabi]

Nobody needs AIM at work.

Actually, the company I work for requires it. It's very intrusive and time consuming to either walk over to someone's office, or call the person up right then and there. The person could be in a meeting or busy, and your walking over or calling can be very disruptive.

IM is just a faster form of e-mail, and (just like e-mail) it requires discipline not to fritter away the company's time "talking" on it all day. But there have been quite a few instances where my COO or a trainer shoots off an IM during a presentation with a question. IM is useful in that it is quick and discrete.

False Sense of Entitlement

[Anonymous Coward]

What everyone here is missing, from what I was able to read, is that for some strange reason employees feel they have some inate rights/entitlements to company owned resources. This simply is not the case. People are paid to do work, not engage in a social event, regardless of what it is. This is no different from limiting phone use to business only calls, or preventing people from making copies for non-business related items. There is no difference. But, as the computer culture and pervasiveness of instant gratification continues to expand, people believe that the computer is exempt from these long standing ideas. Your work time is for work. Your social time is for other things and use of any equipment or resources, regardless of what it is, lies solely with the policy and discretion of the employer.

The "I can do X on my home computer" does not work, nor should it be allowed to work as some catchall for enabling and allowing those uses in the workplace. I have a saw at home. If I worked as a carpenter that doesn't give me the right, nor the expectation, to use a company provided saw as my own to work on personal projects. Try that on a job site and watch yourself fired in no time flat. Your at work....work. If your employer allows you to use company resources for other things, count yourself fortunate and be happy with what you can do while getting paid.

It's very simple

[TheCabal]

I'm one of the head network honchos at a Very Large Company... things like AIM, MSN Messenger, Skype, Limewire and BitTorrent are all banned and blocked. We monitor our employee web usage, block just about every outbound network port except for 80 and 443. Why? Because even though we know why Skype is, our policy forbids users from installing software that we don't provide. We certainly don't want users utilizing our 100Mbps lines for donwloading pr0n, MP3s and warez. We don't want support calls from users who have bolloxed up their machines by installing $UNAPPROVED_SOFTWARE_PACKAGE, diverting valuable resources to try to fix this. We don't want the worms, viruses, spyware and other crap that comes with some of these packages. Every employee that uses a computer reads and signs our usage agreement, so they know what we expect from them. Some of them try, and some get to see the man when they do.

Because of all the attack vectors, we have to spend many tens of thousands of dollars on antivirus, monitoring software, desktop security agents, intrusion detection, firewalls and what have you...

Things like SOX and HIPAA make it extremely hard for us to "just let users be". We can't allow unmanaged VoIP or instant messenging. FTP? Blocked. SSH? Blocked. Our data could easily walk out of here, which is why on top of the layer 3 blocks, we block USB access as well. Our users are given the tools they need to get their jobs done. And if data can walk out of here, there is certainly possiblity that something nasty could come in. We'd rather not have to deal with that possibility, so we make sure we don't have to.

It's the company's network, they can dictate how its used. Don't like it? Don't use our network. Go home, do whatever you want on your equipment, but when you're in my house, it's my rules.

Re:This type of admin is the bane of users

[Generic Guy]

Listen, all you genius admins, I don't tell you what firewall software to use, you don't tell me what file conversion software I need to get the Windows line breaks out of text files, Ok? I don't what you're using for an anti-virus tool, and I don't expect you to know about my use of FrameScript to automate FrameMaker.

Listen you selfish malcontent, letting you put whatever the hell you want on the company computers potentionally puts the company and its directors at risk. When your P2P music crap, or cracked shareware linefeed-corrector gets noticed by the suppliers it can cause huge problems and expenses for the company just to satiate your little cubicle fiefdom. IT admins and directors need to worry about far more than just your "getting the job done" easier. The reality is there is a lot of damage and liability these days which can come out of users free-reign over the office computers.

Don't like it? Fine, resign and start your own consulting business. Then you can put whatever crap you want on your own equipment.

Re:I'm putting on my hat...

[hotspotbloc]

I consult for a small company that had a problem with an employee IMing all day. The rule (with my recommendation) was "IM/IRC/browse all you want so long as it doesn't effect your work". Well, she would IM almost constantly and rarely did her job. Solution: we signed her up with AIM/gmail accounts specific to work, logged all text (we use gaim) and told her she couldn't use any other IM accounts or clients. In a month they'd review her work and decide to either: return full IM services (with logging only on the company account), keep the restricted account or kick her to the curb.

After reviewing the logs for the month of probation we found the idea worked well for the first four days and then she added in her own IM accounts. While I could've made it tough for her to make any changes to GAIM I didn't because I refuse to treat adults like a forth grader. She was told that her IM sessions would be reviewed and not to add or remove any IM accounts, which she did, so she was fired.

The problem highlighted a possible future issue and we decided to require all employees to use a company related IM account just for company business. If they want to conduct personal IM conversations at work then they can use whatever other client they want. If an employee's performance is a problem and personal net access is high then they are put on "restricted access" for a month. So far the restricted access use has worked well and no one else has been fired for excesive personal net usage.

Moral of the story: Management needs to treat their employees like adults and not like children, let them use the net (IM, ssh, irc and most any web site since the only filtering we do is with prioxy) for personal tasks and work with those that don't follow the rules. So far everyone is fine with the rule because it is reasonable, allows for liberal personal net use and not draconian like most places. The only really strict rule is if you download and share any pron at work you're gone (to avoid an expensive sexual harassment suit).

Complete "no personal Internet use" rules just pisses people off and they will almost always find a way around it. Banning personal net access for minor abuses is like banning coffee because someone left an empty pot on a hot burner or a lunch room refrigerator because some people steal other peoples' lunches.

Re:This type of admin is the bane of users

[Malor]

See, you're not the problem; you're a computer professional and, at least in theory, you should be highly expert at using a PC. The problem is Tracy in Accounting and Bob the Receptionist, who haven't a clue what's going on with their machines, and who happily install spyware if it promises something slightly better than a sharp stick in the eye.

Think of it as the "OMG Ponies!" crowd, writ large. You just have no idea how freaking stupid these people can be.

Even in the best and brightest companies I've worked in, there have always been a few that got hired that knew a lot less about their PCs than they thought. In particular, they do not appear to hire salespeople for raw brainpower. The clueless users, especially the ones that don't realize (and never will) that they ARE clueless, cause enormous trouble. Unless the network is internally firewalled (which is getting to be a better and better idea, these days), they're often the vectors for network-wide infection.

The draconian policies of some admins may seem stupid, but remember that admins run on fear. They are, by and large, only noticed when things break, and then everyone is mad at them. When a single user can potentially bring a virus into the network that can stop the entire company dead in its tracks, well... it's a heck of a lot safer and easier to just lock EVERYTHING down and then install what people need, as they ask for it.

Think of it as a default-deny firewall.

Re:Oh noes

[tanguyr]

The problem not with AIM and other similar apps (pure security issues aside) is the (in)ability of people to shut up. It might pose no risk if you chat with a friend for 5 minutes twice a day. But if there are 10 friends and each chat takes 10 minutes, that is not only hours(!) off your work time, but also a concentration breaker.

But that's already the case with both the phone on your desk and the cell phone / gsm in your pocket - and yet most of us don't spend our days yakking with our friends - in fact, we even say things like "I can't talk, i'm busy, i'll call you later." The fact of the matter is that you will never be able to force people to concentrate on their work no matter how well you control their environment. The more you try, the more you're going to piss them off, the more they're going to resent you and the less actual work you'll get out of them.

Hire professionals, treat them like adults, and focus on the results they achieve.

It's not rocket science. /t

Re:This type of admin is the bane of users

[chivo243]

Presto, you have admin status now. Your machine gets borked due to unsupported software, can the company charge you for your time lost on your job, fixing the computer, which is not your job? you brought up billing for lost time ;-} He who opens the can of worms eats too!

Re:Oh noes

[tornsaq]

AIM?! Are you kidding me?


A Network Admin who knew what he was doing would install a LAN IM client (say..Sametime with in conjunction with Lotus maybe?)and you would only be able to IM your fellow employees and not anyone outside of the firewall.