Workplace Web Browsing: Do Employees Put You At Risk?
When it comes to your company’s browsing policies, make sure you’re safe—not susceptible
Threats come at your business from every angle, including malicious parties lurking in cyberspace. As a smart small business, though, you have the security basics covered to protect you from viruses, spam, and other attacks. But as it turns out, security is often breached in more mundane ways—such as ordinary on-the-clock web browsing.
You may think your current web browsing policy is sufficient. After all, you have all the necessary restrictions in place, like no access to risky (or risqué) sites, limited or no access to social media and gaming sites, etc. Realistically, though, you can’t control your employees’ Internet use 100 percent of the time. For example, according to the Wasting Time at Work Survey by AOL and Salary.com, 22 percent of employees waste about 2 hours per day (14 percent waste three or more hours!), often browsing personal sites that could pose a threat to your business. And according to a Cisco security report, among customers surveyed about employee use of Facebook, seven percent spend an average of 68 minutes a day playing the popular social media game Farmville.
So how do you protect your business from the potentially harmful effects of employee web browsing? First, you need to dispel some common myths:
- We block sketchy sites. It’s a common misconception that simply enforcing a strict no porn-and-gambling policy at the office will keep you protected from malware. Although banning these sites in a business setting is pretty standard, it doesn’t mean you’re in the clear. In fact, 83 percent of malware comes from hijacked sites, meaning you can be “served” from sites you trust and use every day.
- A lock icon means you’re safe. Unfortunately, hackers have found yet another way to mislead you. That little lock icon indicates Secure Sockets Layer (SSL), which is an encrypted connection between the browser and the server. But having a secure connection doesn’t necessarily mean you’re protected from malware. Plus, the icon can be faked, luring you to enter confidential information when it’s not safe to do so.
- Individualized web browser use prevents crossovers. Using different browsers for different tasks—like financial transactions on Firefox and Wikipedia searches on Internet Explorer—may seem wise, but there are no safety guarantees. This practice offers only limited protection from viruses or malware. Don’t be lulled into a false sense of security by individualized browser use.
Next, follow these three best practices for safer web browsing:
- Encourage dedicated password management. It’s common knowledge that you shouldn’t use the same passwords for all your online presences. But there are only so many combinations of your pet’s name combined with your wedding anniversary that you can create—let alone remember. Provide your employees with some password-generating tips. A good practice is to create a particular passphrase that can be augmented slightly for each website that you visit. For example, if your passphrase is “I love my dog Rex,” insert some numbers where appropriate and a special character or two and you have “iluvmyD0Gr3x!” and then add some characters reflective of the website being visited. For example, you could use the first two letters of the website being visited, creating a password of “ciiluvmyD0Gr3x!” where the “ci” are the first two letters when visiting the cisco.com website; and the password “liluvmyD0Gr3x!” when visiting the linksys.com website, and so forth. Your choice of what you use.
- Employ antivirus and antispam protection. Be aware of targeted attacks. Firewalls aren’t enough to protect your business from such threats. To make web browsing safer, make sure to have continually updated antivirus and antispam protection, such as Cisco ProtectLink Web. The security solution limits what and where employees can surf on the web, preventing them from perusing banned sites, like porn and gaming. ProtectLink Web also continuously updates at the firewall level, blocking dangerous third-party sites that infiltrate by way of acceptable web browsing, like a banner ad on a legitimate site.
- Create and enforce an Acceptable Use Policy. Every company should employ a well-drafted Acceptable Use Policy AUP. An AUP is a company-specific set of rules that plainly explains how the company network can be used by all employees and contractors. The document should also include rules regarding specified Internet use. A good AUP should also spell out the consequences for rule-breakers so offending parties cannot claim ignorance. The goal of your AUP is to keep all employees informed so that they neither accidentally nor intentionally introduce network security risks to your company.
- Keep employees in the security loop. Education and communication are key to keeping your employees compliant, making them aware of their actions, and preventing accidental breaches. Educating and creating awareness among employees also helps them feel vested in your company’s strategy and helps them understand how their online behavior affects security. Try creating a feedback loop wherein employees and IT executives work together to create ongoing awareness about company security issues. This is also useful for giving kudos to those who report suspicious activities or speak up with concerns.
If you’re under the misconception that only naïve browsers suffer from malware and virus exposure, you’re mistaken. Sometimes just visiting a site can trigger “drive-by downloads,” rendering your company—and its critical information—compromised. To guard against these events and enhance network security, a content management system, such as the one in the Cisco ASA 5500, can help.
What does your small business do to stay safe in the face of employee web browsing?