Blocking websites at work…is it essential to your company’s cyber security?
The torrent sharing site PirateBay rose again from the ashes of the internet this month. The site had been shut down in December after a raid at the Nacka station, a nuclear-proof data centre built into a mountain complex near Stockholm, which sounds very James Bond. On 31st January 2015, the site re-emerged, one day ahead of its self-imposed schedule, and immediately started listing pirated torrents for its grateful users. Most of the internet cheered. Certainly, almost all of Reddit were pretty happy.
I then read that only 15% of companies have actually blocked the site from their employees at work, which seems alarming considering how much malware could be accidentally downloaded from corrupted torrents on the site.
For a long time it was thought that blocking websites improved employee productivity. The theory went that if you prevent employees accessing sites when they should actually be working, then output would definitely increase.
Some companies blocked sites due to employees causing network connectivity problems by streaming music and video at work. In 2012 Procter & Gamble shut down access for its 129,000 employees to the streaming music service Pandora and the movie site Netflix. The company discovered P&G employees were watching 50,000 YouTube videos and listening to 4,000 hours of music on Pandora on a typical work day, choking its digital pipeline.
The problem is that blocking social media sites and news websites tends to be counterproductive – especially for those in marketing, research and customer care roles. Of course, this is different to blocking porn and sites extolling the benefits of terrorism. But fearing and preventing access to straightforward social media communication tools tends to backfire.
Innovative companies embrace social media – Facebook, Twitter and LinkedIn are definitely here to stay, and forward-thinking organisations use these sites to provide authentic company messages, improve their customer service, increase employee collaboration, recruit top-level individuals and expand their business. It is also true that social media sites have not evolved to meet the specific security needs of a business, and companies that use them could be opening up their network to attack by allowing malicious links to infiltrate their news feeds and posts.
However, IT departments also know that cyber criminals are able to use many websites to infiltrate a company’s defences. An organisation can ensure that its website, payment information, CRM database and physical security are completely protected, but allowing access to the entire internet can allow an employee to unwittingly download malware that will quickly spread and infect the whole organisation.
The internet is also awash with sites advising “how to access blocked sites – simple ways to get around an ISP block”. In fact, even the well-respected online PC Advisor published a recent article about how to access the PirateBay if it was blocked by the ISP, although they declared that it was “awkward” to be even suggesting such an action.
So what to do?
Companies that are cyber security aware and switched on about the threats to their security will block the obvious illegal and untrustworthy sites, but will allow many of their employees to access social media, news sites and other standard tools.
They will, however, also invest heavily in appropriate anti-virus software and organise employee cyber security awareness and training right through all levels of the company – from part-time support staff up to Board level.
As Senior Penetration Tester Robin Wood comments,
“Blocking access to certain web sites can be tricky, I’ve seen lots of attempts in companies and they rarely work. White listing fails as they can’t add sites fast enough, black listing misses too much. Relying on others’ lists doesn’t consider what you need. I think most of the pirate sites are full of nasty stuff and the dodgy stuff is anything executable so pirated software, crackers, key generators, that type of thing are where the real threat is located.
Most of the malware coming from this type of site will be detected by normal anti-virus software so as long as that is run on end points and on the network gateways 99% of attacks will be picked up.
More importantly, good user awareness and training with policies and penalties to back them up are needed.”
Lack of awareness training and employee mistakes are still the top reasons that companies suffer a data breach or cyber security attack. Ignorance of phishing emails and cyber scams, poor BYOD policy and underestimating the threat of social engineering will leave an organisation wide open to even a low-level cybercriminal, never mind a well-executed and thought-out cyberattack.
According to a recent report by the ICO, the main reason for data breaches was employee error or negligence, which betrays a lack of staff awareness and training. One third (32%) of all incidents were due to personal or sensitive data being inappropriately disclosed or sent to the wrong recipient.
People are a critical part of the security process and employee education is a critical component that companies must integrate so that they can benefit from the social media revolution without compromising security.
Here at 2-sec we ensure that our provision integrates user awareness capabilities, allowing workers to prevent security incidents in real time and ensuring that they are put at the heart of the security process. A combination of planning, technology and employee awareness is key to a secure organisation.
So block access to the parts of the internet that are obviously a danger to your company’s security (and certainly PirateBay, at least until it is removed by the next raid). But treat your workers like adults and allow them to access communication and news sites, as long as you instigate effective and regular education programmes on cyber security and invest in suitable, up-to-date security technologies.
For more information on how to manage your company’s cyber security, please contact Tim Holman or contact us on 0844 502 2066 or email firstname.lastname@example.org