
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Real World Computing

The truth is out there

Posted on 11 May 2007 at 11:57

Davey Winder searches for aliens in the enterprise while wondering whether anyone's listening when it comes to the AUP debate.

In a recent case, a Canadian woman died after buying anti-anxiety pills this way. It turned out that they were laced with dangerous quantities of uranium, strontium, selenium, aluminium, barium and boron. The lessons to learn from this are to buy your prescription drugs through a licensed outlet, even if it costs a little more, and to keep your website up to date with security patches and implement best-practice security processes, regardless of the scale of your web operation.

Fashion retailer TJX, which operates as TK Maxx in the UK, should have taken this advice. The company has now revealed the true extent of the hacking that provided illegal access to credit and debit card transactions since July 2005. Although this intrusion was discovered in December 2006, it took a few months of digging to determine exactly how much data was vulnerable to the hackers following their successful installation of monitoring software a couple of years ago. The rather shocking answer is "at least 45.6 million cards". Those cheap designer labels don't feel like such a bargain all of a sudden.

What did you do at work today, Daddy?

I remember writing my first article about the need for companies to implement an Acceptable Use Policy (AUP) for online activity in the workplace. It was well over a decade ago now, and not long after that - as one of the first to champion the need for such things in the UK - I was helping companies and their solicitors draw up these documents. Back then, few companies understood the risk they were exposing themselves to by giving employees unfettered access to the internet, without any official policy to say what activities were deemed acceptable and otherwise. Despite superficial evidence to the contrary, I have to say that not much has changed.

Certainly, larger businesses with in-house legal departments, IT support structures and experience of damaging employee litigation will have taken the necessary "best practice" steps to protect themselves and staff. But move down the corporate food chain to the realm of smaller businesses and it really is a case of SNAFU (and if you don't know what that means, Google it, as it's too rude for this family-friendly mag). Even if there's a hastily assembled list of internet commandments, there's rarely a proper process for dealing with breaches, and still fewer systems in place to ensure users adhere to it in the first place.

So it's no great surprise that when web security specialist ScanSafe (www.scansafe.com) published its latest monthly Global Threat Report, it highlighted the shocking state of corporate web usage that exists today. ScanSafe operates a web-traffic scanning and blocking service among other things, and it's this traffic that can be analysed to extract an insight into the way the world works on the web. Or, rather, the way it doesn't work.

Where should I start? How about the fact that 49% of the web traffic analysed during February 2007 was classified as non-productive? That could mean anything. Much of my web access is non-productive, especially when I'm having a bad research day or simply can't get a grip on exactly what a client expects me to produce for them.

But ScanSafe helpfully breaks the data down to reveal that 14% is spent clicking through adverts, 12% engaging in IM chats, 10% using webmail clients and 4% each on browsing pornography, music downloads and gambling. These figures are even more alarming when you look at the data for the percentage of companies with users attempting to access the following blocked categories, and realise the true extent of our AUP education problem: porn 68.1%; webmail 53.8%; gambling 51.8%; IM and music 46.2% each; and advertising 36.9%. It doesn't take a security or law expert to look at those figures and appreciate the risk these companies are exposing themselves to by allowing such activities to take place from their equipment and premises - everything from brand damage to legal liability and disclosure of confidential information springs to mind. And let's not forget the compliance minefield, while we're at it.
