Sunday, July 12, 2009

Dealing With The Internet In The Workplace.

Most companies, since companies began to be the preferred business unit, have wanted just a few things from their employees:  Be as young and energetic as possible; Be as experienced as the older staff; Spend 100% of your time working, no meal or toilet breaks would be just bewdiful thanks; Work for junior rates doing a senior job.

After all, it's not much to ask, is it?  And yes yes yes I'm being sarcastic.  The work day for all critters seems to be a big long but amusing search for food interspersed with intervals of work, not the other way around.  Articles like this one demonstrate the efforts that management have to go to, in order to try and get that work/leisure/effort/effect balance right.  Do you open the Internet?  Block most of it? Have company firewalls, or secure application servers?

Let me put it this way - twenty years ago, how did companies prevent the equivalent circumstances?  Instead of a firewall, there was a mailroom that inspected stuff going inbound and outward.  Long employee chats with colleagues were examined for whether they were relevant to work or not, and then controlled as needed, by supervisors. And try as they might, employers had no way of preventing employees from walking out with company secrets firmly engraved in their brains, any more than they have a way today to prevent a company database walking out on an iPod or MP3 player or memory stick or card...

The thing that worked best, it turns out, is maintaining watchfulness.  So here's a thought, given freely after nearly two decades of dealing with users and technology:  Watch, Decide, Act.

Watch what happens in your office and on your LAN.  Are your servers logging and flagging unusual events? That's the first thing you should be watching - and in order for the "unusual" flags to apply, you have to decide what constitutes "usual" and "unusual."  Capture all traffic and put it through transparent proxies.  not to prevent, but to record it.  Experiment with the output of the logfile. A good analyser program will soon start telling you which machines spent how much time surfing what, where, and when.

Similarly monitor all accesses to your own servers and workstations. Is that new person poking around on the Sales VP's machine?  That might be deemed "unusual," unless they are the SVP's secretary or PA.  Is someone repeatedly trying to send malformed traffic to your SQL server?  Time to check that they're not hacking you, or that their workstation might not be compromised by a Trojan.

As has been repeatedly pointed out, you can't prevent sufficiently determined employees from doing all the above and more.  Shutting the barn door after the horse has bolted may well lose you a horse, but shutting it before the horse bolts, prevents anything from happening in the barn at all.  Making the door more person sized means all your chickens will still be able to escape, and raising it still won't prevent the rats and pigeons from using it...

The problem lies in working out what's usual and useful, compared to unusual and harmful.  Block YouTube or FaceBook? Fine, but some people actually use those in the course of their duties.  I might find it easier to post a video and let a sales prospect know about it via their FB account.  On the other hand, I might also be using those two to dig up dirt on colleagues to coerce their cooperation with a pet project or a project to steal data...

In all the time I worked in IT and system and network admininstration, the problems such as the above were always "unusual," and that's generally how they were picked up, precisely because they were unusual.  Locking down access and traffic generally resulted in less bandwidth, but no discernible change to the risk/benefit ratio.  I became a great logfile reader, and picked up no end of minor breaches that way.  There are now programs that do what I did, but they need to be trained and set up, and usually the person that has to do that is the system admin.

In an age where personal electronics is everywhere, it's also possible for an employee to place company data onto their personal multimedia device, then connect right up to the Mcdonalds hotspot right outside your office and upload that data - it takes only minutes, or even seconds given a suitably skilled person - and all your logs would show is that employee "Z" accessed the payroll database for a bit longer than normal.

That information didn't - and can't - help you at the time, but it will form a trail that can be backtracked on when you discover that your best people have been headhunted at salaries that are just the right margin above the salary you were paying them...

"Blocking" the external WiFi hotspot?  You may as well try and hold back water with a flyscreen.  And indeed it may well be illegal to block wireless communications, in some places, and with certain forms of wireless.  (You may not, for example and as far as I'm aware) block mobile phone signals at any time, and what if your superduper "cellphone buster" that you've placed in operation to block employees from spending all their time calling friends and family also blocks cellphone access to the company next door?  And if you reduce the range of the quencher, then you'll find knots of employees in the areas that the signal misses...

My personal belief is that keeping people engaged, involved, rewarded, and stimulated is the best way to command loyalty, and watchfulness to make sure that this loyalty doesn't waver is is the second step.

No comments:

Email Subscriptions powered by FeedBlitz

Subscribe to all my blogs at once!

Your email address:

Powered by FeedBlitz