Security Fears Prod Firms to Limit Staff Web Use

Carl Bialik from WSJ writes "Companies are limiting employees' use of free Internet services, such as Skype and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps, the Wall Street Journal reports. ABN Amro's global head of strategy and engineering tells the WSJ, 'I'm not allowing Skype because I don't know what it does.' Some colleges and departments at Cambridge University also ban Skype. The limits affect executives as well as the rank-and-file, the WSJ finds: ' "I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.'"

Re:Oh noes

[toleraen]

Exactly, whatever happened to only giving people what they need to get their job done? Where I work we have several services block...I don't even bother trying most things. It's locked down, which it should be. Nobody needs AIM at work, you don't need access to bittorret, etc etc. Better to lock stuff down than get your network owned by some idiot that can't stop talking to MSN bots.

If your company doesn't do this

[Anonymous Coward]

If your company isn't doing this, please let me know who you work for. I want to be extra careful with any of your products before I consider them for use.

Locking down net access at work makes sense

[rbanzai]

I just started as IT manager for a small advertising agency. The systems were wide open before and it seems like every machine has Limewire, skype, five different IM programs... and lots and lots of problems.

When these items cause problems that reduce productivity they have to go. It's that simple.

Due to unrestrained (and uninformed) users I now have to go over all 50 machines with a fine-tooth comb to scrub off the bad stuff. Several of these machines are probably going to have to be wiped. This is 100% due to user loaded "personal" software.

As I fix each machine they are getting locked down. I've been directed by management to prevent users from pirating music on company machines or using filesharing to share pirated music. I don't see anything unreasonable at all about that.

Any app that is well-behaved and does not expose the company to liability is fine with me. Otherwise it has to go.

Bandwidth always a worry at Cambridge

[Brunellus]

The banning of Skype at some departments and colleges at Cambridge comes as no surprise to me.

I was at Cambridge during the late 90's-early Noughties, and I seem to recall a number of stern warnings to students about bandwidth usage from both College and University computing authorities. One of them even included a plea to use European or British mirrors as much as possible.

The shame is that while the Cambridge University Data Network [cam.ac.uk] had bandwidth to burn within Cambridge, it seems that the trouble was always further upstream on JANET [ja.net].

Things got so bad that there were rumours at the time that the poorer colleges were going to start charging their students for bandwidth. I never heard anything of it, and it didn't stop the proliferation of p2p (both in the form of Napster and samba shares) in my time there.

IM and Web blocking at GE

[OzPeter]

TFA makes it seem like GE has just started blocking IM and external email systems. But in the GE division where I have been contracting it has been like that for at least the last 5 years.

And I can understand why. By only allowing communications through official chanels, the companies can better protect themselves by doing such things as applying corporate wide virus checking on emails. It also provides a log as to what communications occurred when. Though I do admit that flash drives and take home laptops can easily bypass any of these measures.

One downside to this is that the corporate policies also block VPN accesses, so I can not get to my offices servers while at the GE location.

One amusing anecdote relating to this is that where I work there is an analog phone line kept for the times when you really need to dial up a system. One lunch time I was using it to send some private email and also to chat with some friends (MSN messenger I think). When I was done I just picked my laptop up and walked back to my desk and plugged into the corporate lan without powering down. I was surprised when 20 minutes later one of my friends initiated a chat session with me. After the shock of chatting from my desk wore off, I realised that the chat program used two separate protocols/ports: 1 for logging into the chat system, and another for the actual chatting. The corporate IT people had only blocked one system and not the other, perhaps in the belief that that was all that was necessary. Combined with the chat system not timing out during the walk back to my desk, I had effectively bypassed their strong security.

I installed Skype while working for a Swiss bank

[AugstWest]

I was stuck in a hotel all weekend and wanted to talk to my wife, so I installed it, and within 5 minutes I got a call from security saying that my machine was scanning the network. It was Skype trying to find a way out.

When I got back to work on Monday, my Thinkpad was taken away and reformatted, and handed back to me -- without local admin privileges.

Now I work for a University. It's a whole other world.

What is happening

[99BottlesOfBeerInMyF]

Here is my take on what is happening. As network management tools become easier to use and more widely deployed, more and more people are starting to have a real understanding of their management and business networks. It used to be that the network engineers might or might not have a good idea about what kinds of traffic were flowing where. Now, a middle manager with only the most basic idea of how networks work can log into a Web interface and see what programs are being run by what people, connecting to what sites. As a result, they are more prone to hand down policy decisions based upon this new information.

At the same time, the workplace has become much more mercenary. Companies don't take care of their employees and employees just want to milk companies for as much as possible. No one trusts anyone. Managers want to get as much work out of their hirelings as possible and many don't care about the health, stress, happiness, etc. of those employees. In sociological terms, they are imposing physical barriers in an attempt to replace crumbling social ones. The problem for them, is they are usually way behind the technology curve. An employee who wants to play hardball can probably raid the company for all the info they want and carry it out on their cellphone or iPod. It's like moving from an honor system where captured soldiers swear they will stay until ransomed, to a military jail with as many bars as possible, except the prison is designed by a bureaucratic committee, each member of which is just trying to make as much money off of kickbacks and saved funds as possible. Time will tell which is more effective.

Right On Man

[reformed BOFH]

I worked for ABN Amro as a Server Admin until recently. The security guys in the UK and global Tech Risk Management departments were and still are extremely anal about security. However I usually agreed with them one hundred percent. Any outage caused by any form of malware causes major league losses for financial companies. VoIP, messaging, freemail and IM are all good fun until every user in the building starts to use them and your whole network collapses in a heap. Or worse a major security flaw gets discovered in a product like Skype. A big corporate network might have hundreds or thousands of unmanaged installs of Skype floating about. This constitutes a major headache for administrators, like me, who spend enough weekends patching stuff as it is. In addition there is the law of unintended consequences to consider. Take iTunes, a harmless fun application that all users should be able to enjoy. Nope. iTunes has a wonderful tendancy to store all downloaded music in the My Documents\My Music folder on every user's profile. As soon as that user logs off the entire contents of the users roaming profile including the My Documents\My Music folder gets copied to the network file store. I recently saw all the free space on a multi-terabyte file store vanish in the space of a morning becuase of itunes. Harmless. Yeah right. We now have a complete ban on iTunes for all staff, enforced by Group Policy restrictions.

Re:This type of admin is the bane of users

[Knara]

IT admins and directors need to worry about far more than just your "getting the job done" easier.

Actually, by and large that is, indeed, the job of IT admins and directors. To allow the people who are actually creating the stuff (or marketing it, or selling it) to do their jobs in a way that optimizes the employee's time.