Security Fears Prod Firms to Limit Staff Web Use 242
Carl Bialik from WSJ writes "Companies are limiting employees' use of free Internet services, such as Skype and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps, the Wall Street Journal reports. ABN Amro's global head of strategy and engineering tells the WSJ, 'I'm not allowing Skype because I don't know what it does.' Some colleges and departments at Cambridge University also ban Skype. The limits affect executives as well as the rank-and-file, the WSJ finds: ' "I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.'"
Oh noes (Score:3, Insightful)
What's next? Complaining that you can't use company funds to go on a vacation? Complaining that you can't use company computers to play games?
Job Qualifications (Score:3, Insightful)
I mean, just, wow. And here I thought that the "anything I don't understand must be bad" school of management was going out of style.
I'm putting on my hat... (Score:5, Insightful)
Sometimes I wonder if this is exactly what companies *want*. They don't want people to use outside e-mail (especially ones running over https) because then they can't easily monitor what their staff is doing.
If people are using their work e-mail for their personal use, the company gets to see exactly what, where, how, and when their employees are spending their own time. If the employee opts to not use their work e-mail for anything personal, the company knows that they now have the other added benefit of possible added productivity.
I'm just glad I can use SSH and tunnel everything over that. If I can't do that, I have GPRS service on my mobile device and I *could* use that for AIM, e-mail, and browsing instead.
A message from your employer (Score:4, Insightful)
We hope you enjoy working here. Please work hard and do some great work for us!
Thanks,
Your employer.
P.S. WE DON'T TRUST YOU.
Block by default. (Score:5, Insightful)
I'm not allowing X because I don't know what it does does not necessarily equate to X is bad
Banning an unknown service from a network is the more sensible default decision for a corporate network to take. Firewalls should block everything by default, corporate desktops should stop installations of anything not checked and cleared. Why should skype be any different?
At least he's honest (Score:1, Insightful)
We've always done this (Score:2, Insightful)
Re:A message from your employer (Score:4, Insightful)
Sorry, but people seem to do really really stupid stuff when they are feeling "put upon" by the "man". Or, just plain greed. Most Company's #1 security problem is their employees.
Sensible (Score:5, Insightful)
If your employees only need particular websites and particular applications to do their jobs, then why would you willingly open up additional attack vectors? It's a completely unnecessary business risk.
If you have employees complaining about needing to use personal email (what did they do before email in the workplace was common?), then simply set up a shared cheap PC in the coffee room for them to use on their lunch break. Firewall it off so that when all the inevitable crap gets onto the machine, it doesn't affect any important systems.
Re:Oh noes (Score:5, Insightful)
Complaining that the shackles won't let you move more than 3 feet from your desk?
Tell ya what, if I can't use the company phone/email to make that doctor's appointment or let my wife know I'll be home late, well, I'm leaving for the day, and you can fuck your deadline and TPS reports.
I work because it is necessary to maintain my life. I do not work so I can maintain yours. If we cannot formulate a reasonable social contract where we both benfit our lives by pooling our resources you will have to do without me. I am neither your mommy nor your slave.
KFG
KFG
Re:Oh noes (Score:5, Insightful)
The prison administration knows about the black market, in case you were wondering. Sure they do. They probably know as much about my business as I do myself. They live with it because they know that a prison is like a big pressure cooker, and there have to be vents somewhere to let off steam. They make the occasional bust, and I've done time in solitary a time or three over the years, but when it's something like posters, they wink. Live and let live. And when a big Rita Hayworth went up in some fishie's cell, the assumption was that it came in the mail from a friend or a relative. Of course all the care-packages from friends and relatives are opened and the contents inventoried, but who goes back and re-checks the inventory sheets for something as harmless as a Rita Hayworth or an Ava Gardner pin-up? When you're in a pressure-cooker you learn to live and let live or somebody will carve you a brand-new mouth just above the Adam's apple. You learn to make allowances.
Same goes here. Bad employee morale is definitely bad for business, because it's across the board. The guy who spends all day browing google video will eventually get discovered when his productivity tanks. It's not worth it to make everyone else in the company unhappy.
Re:I'm putting on my hat... (Score:3, Insightful)
Because we all know that treating staff as machines, and expecting them to work constantly throughout the day without taking the odd couple of minutes as a break now and then or dealing with an important personal matter, is definitely the way to increase productivity, right? :-/
Re:I'm putting on my hat... (Score:5, Insightful)
I don't think that's the case at all. Most companies could really care less what an employee does in their off time so long as it doesn't harm the company. What they do care about is things like trade secrets going out via an anonymous hotmail account or employees wasting hours talking to their significant other and circumventing the phone system monitoring by using Skype.
I'm just glad I can use SSH and tunnel everything over that. If I can't do that, I have GPRS service on my mobile device and I *could* use that for AIM, e-mail, and browsing instead.
I think that's where things should be headed. A cell phone doesn't have easy access to corporate documents (though cameras do facilitate that to an extent) and typing a lengthy e-mail is difficult, so trade secret theft (intentional or otherwise) by employees might be reduced significantly.
Good plan (Score:5, Insightful)
I expect a few hundred flames of this statement, but it's a rock-solid security policy. Yes, this guy probably "should" know what Skype is in most people's opinions, but his default "deny" policy for anything he doesn't know is correct, and that attitude WILL prevent trouble. On a corporate network, especially one potentially carrying any kind of sensitive data, anything not specifically allowed should be denied. If employees can make a case about what any new service is and why they need it, it can be evaluated and perhaps allowed, but it should be denied by default.
Re:Oh noes (Score:2, Insightful)
Sound in theory, but what if your paid to be on call for 8 hours? Help desk type stuff. I'd go batshit insane if everything was locked down so hard that I couldn't relax a bit in the lulls between calls.
And don't say "work on other projects" because when you have to be able to break off your thought process at the sound of a ring, it's nigh impossible to really focus on something complex.
You start finding little things made out of spare stationary and writing materials. The dolls made out of staples. Pencils stuck in the ceiling. Contests to find out who can let the match smoke the longest before setting off the fire alarm. Jungle voodoo orgies...
When all I need is my sudoku fix...
Not necessarily as ignorant as it sounds (Score:3, Insightful)
You could use Filemon to make sure Skype's not reading your disk, and other tools to check whether it's keylogging, but a busy paranoid could be excused for not taking the trouble.
I sure wouldn't want to pay a sysadmin who allowed things on the network without knowing what they did.
(I use Skype at home but I'm not risking someone else's network by doing so).
Re:A message from your employer (Score:3, Insightful)
Now, we dont trust you, applied to things like... cant surf normal HTML pages as they dont trust the employee not to waste company time. Or, doing random audits on the contents of an employees email. These things will make a knowledge worker feel oppressed and will affect morale. Putting these kinds of things in place though is a much harder decision. There is a direct correlation between employee happiness and employee freedoms. That said, alot of employees fuck the dog pretty bad. The big difference is, the earlier actions tend to be an IT initative, whereas the later tends to come down from the top.
He said "know what it does" (Score:3, Insightful)
It uses a proprietary closed protocol, nicely encypted; is adept at getting through firewalls and most important can turn office PCs into high-traffic relays without warning and without the ability to stop the relaying behaviour from the client.
In related news, the submitter conflates the Internet and the Web. Which is pretty annoying.
Re:Oh noes (Score:1, Insightful)
Are you sure? Nobody? Ever? Must be nice to live in such a simple world. Using AIM to keep in touch with family very often saves me a lot of time out of the office. Using AIM to contact some work associates that are not on our network IM system, or with friends who can sometimes answer a technical question quickly, can often save me and the company lots of time and money.
I suppose there a lots of things we don't strictly need at work that make us more productive, more satisfied in our jobs, more connected to others. Let's get rid of them all, and just take the easiest head-in-the-sand approach. But while we're at it, we'd better also strip search everybody leaving the building, because people can carry an awful lot of sensitive information out on floppy, CD, flash, etc.
Maybe it's just easier to blame the technology.
Re:Oh noes (Score:3, Insightful)
What do you think people did before computers, or today in places where there are no computers to play on? When your employer buys you a computer, it's a tool to do your job, you can't expect anything more, no more than you can expect entertainment from a screwdriver or a hole puncher.
OMG, when will it end.... (Score:4, Insightful)
Ummm, perhaps its just me, but it is about fscking time that both government and businesses learn the lessons that have been sitting in front of them since about 1991... computers are here to stay, and the advantages and disadvantages of computers are here to stay too.... Its not that hard to limit outside network connections to a specific bandwidth, or monitor all packets in and out... this is not rocket science. Using draconian measures to squeeze every drop out of the company resources is not good for business... see Boycott, Company Stores et al, slavery,
I guess my point is that anything that stifles free and unfettered flow of information and ideas is going to stifle business productivity and innovation. I don't have links, but I thought this was pretty much already scientifically proven... or at least proven in the advent of F/OSS and what it has done to the computer and software markets. Just as the *AA needs to wake up and find a new business model, most of the rest of the business world has some work to do... its just common sense. Anything else usually involves putting holes in your feed with lead ladden projectiles.
Re:Job Qualifications (Score:2, Insightful)
This type of admin is the bane of users (Score:2, Insightful)
Listen, all you genius admins, I don't tell you what firewall software to use, you don't tell me what file conversion software I need to get the Windows line breaks out of text files, Ok? I don't what you're using for an anti-virus tool, and I don't expect you to know about my use of FrameScript to automate FrameMaker. The MicroType FM extensions make me about 10% more efficient in my work, and if I can't download and install them, I'll see if we can't backcharge IT for that extra hour a day.
A sensible policy is that "unapproved" applications are unsupported. This means that if something I install causes problems, I have to resolve them or have my box re-imaged. I'm fine with that. Don't "lock down" my machine, prevent me from doing my job efficiently, and then crow about how you've saved the company money.
Re:Oh noes (Score:4, Insightful)
Yeah, people could be chained to their desks and allowed 3 5-minute bathroom breaks and a 15-minute lunchbreak. That's all they need, think of the productivity increase! We could use children, too!
Oh wait, I think they have labor laws now.
What happened to having a pleasant workplace where you enjoy what you do? Little things make a lot of difference. I'm not talking dot-com era overindulgence, but personal email access is not too much to ask.
Most people spend at least 8 hours of their waking day, during the prime of their wakefulness, at work. It should not be too much to ask for this to be a pleasant time: people who enjoy being at work get stuff done and are more loyal than those who hate where they are, what they do, everyone around them, and the company.
Re:Job Qualifications (Score:3, Insightful)
Re:Oh noes (Score:5, Insightful)
IM is just a faster form of e-mail, and (just like e-mail) it requires discipline not to fritter away the company's time "talking" on it all day. But there have been quite a few instances where my COO or a trainer shoots off an IM during a presentation with a question. IM is useful in that it is quick and discrete.
False Sense of Entitlement (Score:1, Insightful)
The "I can do X on my home computer" does not work, nor should it be allowed to work as some catchall for enabling and allowing those uses in the workplace. I have a saw at home. If I worked as a carpenter that doesn't give me the right, nor the expectation, to use a company provided saw as my own to work on personal projects. Try that on a job site and watch yourself fired in no time flat. Your at work....work. If your employer allows you to use company resources for other things, count yourself fortunate and be happy with what you can do while getting paid.
It's very simple (Score:3, Insightful)
Because of all the attack vectors, we have to spend many tens of thousands of dollars on antivirus, monitoring software, desktop security agents, intrusion detection, firewalls and what have you...
Things like SOX and HIPAA make it extremely hard for us to "just let users be". We can't allow unmanaged VoIP or instant messenging. FTP? Blocked. SSH? Blocked. Our data could easily walk out of here, which is why on top of the layer 3 blocks, we block USB access as well. Our users are given the tools they need to get their jobs done. And if data can walk out of here, there is certainly possiblity that something nasty could come in. We'd rather not have to deal with that possibility, so we make sure we don't have to.
It's the company's network, they can dictate how its used. Don't like it? Don't use our network. Go home, do whatever you want on your equipment, but when you're in my house, it's my rules.
Re:This type of admin is the bane of users (Score:5, Insightful)
Listen you selfish malcontent, letting you put whatever the hell you want on the company computers potentionally puts the company and its directors at risk. When your P2P music crap, or cracked shareware linefeed-corrector gets noticed by the suppliers it can cause huge problems and expenses for the company just to satiate your little cubicle fiefdom. IT admins and directors need to worry about far more than just your "getting the job done" easier. The reality is there is a lot of damage and liability these days which can come out of users free-reign over the office computers.
Don't like it? Fine, resign and start your own consulting business. Then you can put whatever crap you want on your own equipment.
Re:I'm putting on my hat... (Score:4, Insightful)
After reviewing the logs for the month of probation we found the idea worked well for the first four days and then she added in her own IM accounts. While I could've made it tough for her to make any changes to GAIM I didn't because I refuse to treat adults like a forth grader. She was told that her IM sessions would be reviewed and not to add or remove any IM accounts, which she did, so she was fired.
The problem highlighted a possible future issue and we decided to require all employees to use a company related IM account just for company business. If they want to conduct personal IM conversations at work then they can use whatever other client they want. If an employee's performance is a problem and personal net access is high then they are put on "restricted access" for a month. So far the restricted access use has worked well and no one else has been fired for excesive personal net usage.
Moral of the story: Management needs to treat their employees like adults and not like children, let them use the net (IM, ssh, irc and most any web site since the only filtering we do is with prioxy) for personal tasks and work with those that don't follow the rules. So far everyone is fine with the rule because it is reasonable, allows for liberal personal net use and not draconian like most places. The only really strict rule is if you download and share any pron at work you're gone (to avoid an expensive sexual harassment suit).
Complete "no personal Internet use" rules just pisses people off and they will almost always find a way around it. Banning personal net access for minor abuses is like banning coffee because someone left an empty pot on a hot burner or a lunch room refrigerator because some people steal other peoples' lunches.
Re:This type of admin is the bane of users (Score:4, Insightful)
Think of it as the "OMG Ponies!" crowd, writ large. You just have no idea how freaking stupid these people can be.
Even in the best and brightest companies I've worked in, there have always been a few that got hired that knew a lot less about their PCs than they thought. In particular, they do not appear to hire salespeople for raw brainpower. The clueless users, especially the ones that don't realize (and never will) that they ARE clueless, cause enormous trouble. Unless the network is internally firewalled (which is getting to be a better and better idea, these days), they're often the vectors for network-wide infection.
The draconian policies of some admins may seem stupid, but remember that admins run on fear. They are, by and large, only noticed when things break, and then everyone is mad at them. When a single user can potentially bring a virus into the network that can stop the entire company dead in its tracks, well... it's a heck of a lot safer and easier to just lock EVERYTHING down and then install what people need, as they ask for it.
Think of it as a default-deny firewall.
Re:Oh noes (Score:3, Insightful)
But that's already the case with both the phone on your desk and the cell phone / gsm in your pocket - and yet most of us don't spend our days yakking with our friends - in fact, we even say things like "I can't talk, i'm busy, i'll call you later." The fact of the matter is that you will never be able to force people to concentrate on their work no matter how well you control their environment. The more you try, the more you're going to piss them off, the more they're going to resent you and the less actual work you'll get out of them.
Hire professionals, treat them like adults, and focus on the results they achieve.
It's not rocket science.
Re:This type of admin is the bane of users (Score:2, Insightful)
Re:Oh noes (Score:1, Insightful)
A Network Admin who knew what he was doing would install a LAN IM client (say..Sametime with in conjunction with Lotus maybe?)and you would only be able to IM your fellow employees and not anyone outside of the firewall.