IT analysis company IDC has recently published a new survey containing some alarming results: within the last year, almost 40 per cent of the companies questioned had experienced a malware infection - and the primary source of these viruses and worms is no longer email, but surfing on the Internet.
Some 200 Danish companies took part in the survey, carried out on behalf of software company Danware.
The survey shows that up to 30 per cent of companies with 500 or more staff have been infected as a result of Internet surfing, while only 20-25 per cent of the same companies experienced viruses and worms from emails. The risk of infection is about 3.5 times greater among companies that allow free, private use of the Internet by staff than among those that do not allow private surfing. The IDC survey paints a picture of Danish companies having great faith in their staff, which in turn exposes them to a greater risk of threats from the Internet.
Even though a good 75 per cent of the companies taking part in the survey have implemented IT policies, the vast majority allow their staff to use company Internet access for private purposes. Among companies that do not allow private use of the Internet, an estimated 30 per cent of management state that staff are using the Internet for private purposes during working hours anyway. A ban on staff use of the Internet for private purposes would be distinctly un-Danish and neither a long-term nor a realistic solution. According to IDC, it would be more expedient to strengthen the monitoring of Internet use by staff and to follow up on the fine print and agreements in their IT policies, e.g. by using monitoring tools to give management an overview of the time spent and behaviour patterns of staff on the Internet. This can be done in such a way that it does not constitute outright monitoring of the actions of every individual member of staff.
[You need three steps, each with a few components: (1) Make appropriate policies, have staff sign them when accepting employment, and communicate that they will be enforced. (2) Carry out mandatory staff security awareness training. This programme should be realistic, illustrative (e.g. I often used a live copy of the Michelangelo virus when running this type of programme in a recent former life - the attempted reboot after activation sends a gasp through an audience), and followed up with easily accessible accompanying information on the company intranet. (3) Monitor the network for Internet activity, identify policy breaches and follow up on them with added training targeted at culprits - much more efficient than warnings and dismissal, not least because you get to keep potentially good employees. --Ed].
Related links:
www.idc.com