This is a multi-part series on recommended practices for organizations and their end-users. Additional parts will be included in upcoming newsletters.
End-users browse the web; it’s usually the fastest way to get an answer, search for an item, or make a purchase. But, browsing comes with some risks:
- Potential liability from browsing ill-advised sites at work
- Inadvertent or unintentional download of malicious software
- Waste of company resources: Internet bandwidth, employee time, etc.
To reduce browsing risks, we have these recommendations:
- Set an Internet usage policy
- Monitor and enforce browsing behavior
- Train staff members on safe-browsing habits
A fourth recommendation, configure and patch/update end-point components (operating system, anti-malware software, Internet browser, etc.), will be covered in future articles.
Set an Internet usage policy
Unless we know what is acceptable, how can it be enforced? Some organizations, to limit unproductive time, might restrict access to social-media sites (Facebook, Twitter, etc.), while others (police investigators) may need access to pornographic sites; without a policy, what sites do we monitor and restrict and for whom?
An Internet usage policy should define the dos and don’ts of Internet access; it should be included in the Employee Handbook with a sign-off acknowledgement and should also note that the organization reserves the right to monitor and limit this usage, without restriction. (See a simple Sample Internet usage policy from GFI. Or, review an in-depth Internet usage Policy from the SANS Institute.)
Monitor and enforce browsing behavior
Paul Wood of Symantec™ studied browsing habits of end-users with these findings [1]:
- About one-third of users followed the organization’s Internet-use policy,
- The second one-third generated less than 10% of browsing violations, and
- The final one-third had over 90% of browsing violations; about 20% of this group actually had more violations than legitimate usage.
Basically, about 66% of end-users follow an organization’s Internet usage policy most or all of the time, but there is a small group that abuses this policy, which suggests that enforcement efforts should focus on the abusers.
To protect an organization, basic monitoring and enforcement of Internet usage is recommended; a typical monitoring/enforcement software application for small to mid-sized organizations should provide, at a minimum, these capabilities:
- Cluster related sites together (e.g., gaming, sports) to set policy by site-groups
- Combine users by department or functional area to enable group restrictions
- Whitelist specific sites (or site-groups) to permit unlimited access
- Blacklist specific sites (or site-groups) to prohibit access
Once deployed, you must continually review the results to inspect what you expect.
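The four capabilities above, plus the "inspect what you expect" review step, can be sketched as a small policy engine. This is an added illustration, not code from Bryley Systems or from any monitoring product; the site groups, user groups, hostnames and proxy-style log lines are all constructed for the example.

```python
"""Minimal browsing-policy engine: site groups, user groups, whitelist/blacklist
evaluation, and a review report over proxy-style log lines.
All hostnames, user names and log lines below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Capability 1: related sites clustered into site-groups (constructed data)
SITE_GROUPS = {
    "social-media": {"facebook.com", "twitter.com"},
    "gaming": {"games.example", "arcade.example"},
    "sports": {"scores.example"},
    "business-tools": {"docs.example", "mail.example"},
}

# Capability 2: users combined by department (constructed data)
USER_GROUPS = {
    "marketing": {"alice", "bob"},
    "engineering": {"carol"},
}


@dataclass
class Policy:
    blacklist: set                 # capability 4: site-groups or hostnames prohibited by default
    whitelist: dict                # capability 3: user-group -> site-groups/hostnames that override the blacklist
    default_allow: bool = True     # what happens to sites in no group at all


def hostname(url: str) -> str:
    """Lower-case host portion of a URL, without scheme, port or path."""
    return (urlparse(url).hostname or "").lower()


def site_groups_for(host: str) -> set:
    """Every site-group whose domain equals the host or is a parent domain of it."""
    groups = set()
    for group, domains in SITE_GROUPS.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                groups.add(group)
    return groups


def user_group_for(user: str) -> Optional[str]:
    for group, members in USER_GROUPS.items():
        if user in members:
            return group
    return None


def evaluate(policy: Policy, user: str, url: str):
    """Return (allowed, reason). Whitelist wins over blacklist; unknown sites get the default."""
    host = hostname(url)
    tags = site_groups_for(host) | {host}          # match on group name or exact hostname
    group = user_group_for(user)
    hit = tags & policy.whitelist.get(group, set())
    if hit:
        return True, f"whitelisted for {group}: {sorted(hit)[0]}"
    hit = tags & policy.blacklist
    if hit:
        return False, f"blacklisted: {sorted(hit)[0]}"
    return policy.default_allow, "default"


def review(policy: Policy, log: str) -> dict:
    """'Inspect what you expect': count allowed/denied requests per user and flag
    anyone with more violations than legitimate usage."""
    report = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _timestamp, user, url = line.split()  # constructed format: "<ts> <user> <url>"
        entry = report.setdefault(user, {"allowed": 0, "denied": 0, "flag": False})
        ok, _reason = evaluate(policy, user, url)
        entry["allowed" if ok else "denied"] += 1
    for entry in report.values():
        entry["flag"] = entry["denied"] > entry["allowed"]
    return report


# Marketing may use social media for company pages; gaming is prohibited for everyone.
POLICY = Policy(blacklist={"social-media", "gaming"}, whitelist={"marketing": {"social-media"}})

# Constructed proxy-style log lines
SAMPLE_LOG = """\
2024-01-15T09:01:00 alice https://www.facebook.com/company-page
2024-01-15T09:02:00 carol https://www.facebook.com/feed
2024-01-15T09:03:00 carol https://docs.example/spec
2024-01-15T09:04:00 bob https://games.example/play
2024-01-15T09:05:00 bob https://arcade.example/play
2024-01-15T09:06:00 bob https://docs.example/brief
2024-01-15T09:07:00 carol https://mail.example/inbox
"""

if __name__ == "__main__":
    for user, entry in review(POLICY, SAMPLE_LOG).items():
        print(user, entry)
```

Running the review over the sample log flags bob, whose two denied gaming requests outnumber his single legitimate one, while carol's one social-media violation is not flagged. That is the behaviour the Symantec findings argue for: the report should surface the small group of habitual abusers rather than every single violation.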
Example: Bryley Systems offers our Secure Network™, an onsite Unified Threat Management (UTM) tool with monitoring and enforcement of web browsing. The results are periodically reviewed and reported by Bryley Systems to the client.
Train on safe-browsing habits
It is important that staff know and understand the importance of an organization’s Internet usage policy; they have a significant role to play in this effort.
The basic rule is to not click on any site that you do not trust. However, even some trustworthy sites can be hijacked and route an unsuspecting user to an unintended site with unexpected consequences.
Some browsing tips [2]:
- Do not click on pop-ups
- Do not open links within spam email
- Check a site’s actual address in the address bar; this address should always match the expected site-name (URL)
- When in doubt, shout it out (call for help)
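The third tip, comparing the address actually shown in the address bar with the expected site name, is a check that can be made precise. The function below is an added illustration (not from the original article or any vendor); the hostnames ending in `.test` are constructed. It treats the expected domain and its subdomains as a match, and reports the common ways an address can fail that test so a trainer can explain each one.

```python
"""Does the address shown in the address bar belong to the site the user expects?
Added illustration; all hostnames are constructed (.test is a reserved TLD)."""
from urllib.parse import urlsplit


def belongs_to(host: str, expected_domain: str) -> bool:
    """True when host is expected_domain itself or one of its subdomains."""
    host, expected_domain = host.lower().rstrip("."), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def check_address(actual_url: str, expected_domain: str):
    """Return (matches, explanation) for what the user sees in the address bar."""
    parts = urlsplit(actual_url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    if parts.username is not None:
        # Anything before an '@' is credentials, not the site; the real host follows it.
        return False, f"address has a user@ part; the real host is {host}"
    if not belongs_to(host, expected_domain):
        if expected_domain.lower() in host:
            # The expected name is present but only as part of a longer, different domain.
            return False, f"{expected_domain} appears inside {host} but is not its domain"
        return False, f"host {host} does not belong to {expected_domain}"
    if parts.scheme != "https":
        return True, "matches, but the connection is not https"
    return True, "ok"


if __name__ == "__main__":
    expected = "example-bank.test"
    for url in (
        "https://www.example-bank.test/login",
        "https://example-bank.test.account-check.test/login",
        "https://example-bank.test@account-check.test/",
        "http://example-bank.test/",
    ):
        print(url, "->", check_address(url, expected))
```

The explanations are phrased for the "when in doubt, shout it out" step: a user (or a help-desk script) gets a plain statement of why the address does not match, rather than a bare yes/no.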
There are also many online security-training options; we offer a video-training package on a per-user basis through our business partner, Deadbolt Security.
[1] Paul Wood, “Employee browsing habits, the good, the bad, and the ugly,” Symantec Intelligence.
[2] Dylan Herix, “An idiot’s guide to good browsing habits,” AppStorm Guide.