SMB - Attacks pushing Web controls

Large financial services companies have been known to enforce strict controls over the range of sites that their workers are allowed to visit

Significant debate has recently been given over to the topic of whether or not younger workers will eschew jobs at companies that attempt to limit their access to popular Web sites and online applications, but some companies are already responding to rising security threats by blocking their employees from using work machines to move about the Internet freely.

Large financial services companies have been known to enforce strict controls over the range of sites that their workers are allowed to visit for years, banning everything from Web mail sites and file-sharing systems that could be used to steal data, to sports and entertainment sites that are viewed as potential drains on user productivity.

But some businesses outside the high-security, strictly-regulated financial industry are following suit merely to keep malware from clogging their computers and to protect sensitive data from falling prey to the keyloggers, Trojans, and other threats that are increasingly being distributed via infected Web sites.

Security vendors are marketing the technologies used to ban sites, online programs, and messaging systems as "applications control" tools.

Some end-users say that they have been shocked at how long unfettered Internet access in the workplace has been allowed to exist as common practice.

"I'm actually surprised that applications control hasn't become a larger concern for more companies. To their own detriment, companies have sacrificed security for employee preferences," said William Bell, director of information security at ECSuite, a maker of e-commerce software. "We see our company resources as a means to performing work, although we care about our employees, we want them to be as productive as possible and to ensure that we're protected as an organization."

ECSuite gives its approximately 400 workers access to Webmail, but it has limited access to other sites, including file-sharing systems and social networking tools.

The company isn't as concerned with losing credit card data or other sensitive information over the Web, based on its use of other technologies aimed at that issue, as it has been bothered by the rising cost and related headaches of trying to keep its machines clean from malware.

ECSuite is using Lumension's Sanctuary Applications Control technology, which can be utilized for everything from URL blocking to preventing the installation of instant messaging clients and other Web-borne software.

After limiting Web access in its call centers, the company saw a 74 per cent reduction in the amount of computers it needed to replace compared to the number of devices it had previously been losing to malware attacks.

Bell said that the results of adopting applications control have been dramatic.

"We were replacing computers right and left, our anti-virus system was catching attacks, but so much was still getting through that was causing a lot of hours spent replacing images, and it was a situation that just wasn't working for us anymore," he said. "People want to have as much control of their computer as possible, but whether they need or not isn't clear."

Having executive endorsement of site blocking from the company's CEO also kept any user pushback to a limit, he said.

And other companies are doing the same with some going so far as to ban everything but their own sites and those URLs seen as absolutely safe and necessary for worker productivity.

At Roundtable, which runs some 46 Dairy Queen restaurants across the southwest US, the IT department has blocked everything but the company's internal pages and sites that offer weather reports.

The reasoning behind the draconian level of control is a matter of simple economics, said Mike Stamp, the company's IT director.

Page Break

"Our biggest problem was that people were going to sites and downloading all sorts of shareware and spyware that was effectively killing our machines, which is a big deal because the computers in our store offices are connected to our point-of-sale systems, so these attacks were actually effecting our registers, which was obviously a huge operational issue," Stamp said.

Using technology from ScanSafe, which offers hosted applications control tools, Roundtable blocked access and immediately saw its malware problems disappear, Stamp said, which also lowered the sheer number of visits that its IT staff had to make to its store locations, which are spread across a number of large US states.

"It was already in our code of conduct that the computers weren't to be used for this type of thing, but the tools actually allow us to enforce that," Stamp said. "It's been a huge difference. All the malware has pretty much stopped, and now when we have a failure, of which there were many before, it's usually related to hardware, not viruses."

Experts debate to what extent so-called knowledge workers -- whose primary role is to work with information and who clearly need some broader level of access to the Web -- will be forced to deal with Web site and applications control, but security vendors claim that they are hearing about more aggressive plans from many different types of companies.

With security departments being pushed to become more proactive in protecting their organizations, the enforcement of less liberal Web access is likely inevitable, some experts believe.

For most workers, their level of Internet access will likely be driven by the type of job they do, the sort of business they work for, and their company's tolerance of online risk, said Doug Camplejohn, chief executive of security appliance maker Mi5 Networks.

One of Mi5's customers recently engaged in a discovery project to determine how limiting site access might affect its operations, touching off a range of new concerns.

"This bank would love to block MySpace and sites where they've seen issues from productivity and security, but it's also an interesting HR dilemma; MySpace and ESPN are among the top sites they saw in their traffic audits, and they were worried that if they block MySpace, but not ESPN, if that would be age discrimination on some level," Camplejohn said. "It will be really tough for most companies to do all or nothing; I think we'll see more of an approach whereby access is determined by who you are, and what type of work you do."