In general, organizations are finding a need to strike a balance between restricting employees’ use of the Internet (for reasons of security, liability or productivity) and allowing such use in order to create a more agreeable work environment. I wrote about this in my report “Assessing Secure Web Gateway Technologies”, saying:
“With all the Web’s risks, liabilities and time-wasting opportunities, employers might block all non-business-related Web categories but for constraining forces. One such force is social networking. Another is work-life convergence as millions of workers spend a significant amount of time traveling or telecommuting. Workers who are traveling can’t completely leave their home life behind; they may need to download personal email, shop, check online bank accounts and so on. Telecommuting gives workers more flexibility but tends to expand the number of hours they must be available to work or be “on call.” Workers tend to want more flexibility as part of the bargain. Employers must be careful not to create adverse conditions for morale or retention through appropriate use policy (AUP) enforcement. For organizations that want to embrace social networking and/or work-life convergence, secure web gateways (SWGs) are the technological equivalent of a knight in shining armor that enables liberal policies while still providing some opportunity for control.”
The question of whether to provide a relatively permissive web filtering environment is a close cousin of the questions around bring your own device (BYOD) usage. We’ve written about that extensively in “Creating a Bring Your Own Device (BYOD) Policy” and other documents.
At the same time, establishing a relatively permissive web filtering approach can increase the security risks of malware infection via malicious web sites, data leakage and liability to the organization from inappropriate use of the web. Generally organizations seek to strike a balance so that they can gain the benefits of an employee-friendly web filtering policy but mitigate the risks.
Some of our business clients have tried blocking most categories of web sites used for personal reasons while whitelisting a few on an exception basis. While leading vendors such as Bluecoat or Websense do provide a whitelisting capability, managing it can be problematic. For example, one client I spoke to had tried blocking all unknown sites until exceptions could be whitelisted but didn’t find the vendor’s functionality for this satisfactory. More typically, organizations take a blacklisting approach to block specific categories such as pornographic sites. Those most concerned about liability should weight a capability to perform dynamic classification highly in their evaluation criteria for a secure web gateway (SWG) solution. Leading vendors have the dynamic classification capability. For more information, see my report “Selecting and Deploying Secure Web Gateway Solutions.”
Note, however, that even with advanced web filtering, a blacklisting-by-category approach will have difficulty keeping a highly motivated user away from illicit content. For example, I’m familiar with a case involving an employee at a government agency where pornography was blocked; this individual had over 500 attempts to access pornography blocked, but a review of the logs found that he also got through the filters hundreds of times. Perhaps the web filtering wasn’t very good, but it is hard to imagine perfection in the face of such determined persistence on the part of a user. Web filtering technology must be supplemented by personnel training and management policies to deal with such cases, which typically represent only a small minority of users.
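The log review described in that case is worth automating: a user with a large number of blocked requests in a category is also the user most likely to have found a route around the filter, and that bypass traffic usually shows up as allowed requests to uncategorized or newly seen sites. The following is an added example, not code from the post or from any SWG vendor; the log format, the field names and the sample lines are constructed for illustration, and the threshold is an assumption an operator would tune.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (hypothetical "timestamp user action category url" layout).
SAMPLE_LOG = """\
2024-01-08T09:01:12 jdoe BLOCK adult http://example-adult.test/a
2024-01-08T09:01:40 jdoe BLOCK adult http://example-adult.test/b
2024-01-08T09:02:05 jdoe ALLOW uncategorized http://mirror-site.test/img
2024-01-08T09:02:30 jdoe BLOCK adult http://example-adult.test/c
2024-01-08T09:03:01 jdoe ALLOW uncategorized http://cdn-relay.test/x
2024-01-08T09:05:00 asmith ALLOW news http://news.test/today
2024-01-08T09:06:10 asmith BLOCK adult http://example-adult.test/d
2024-01-08T09:07:00 asmith ALLOW social http://social.test/feed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<cat>\S+)\s+(?P<url>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Per user, count blocked and allowed requests by category."""
    summary = defaultdict(lambda: {"blocked": defaultdict(int), "allowed": defaultdict(int)})
    for e in events:
        key = "blocked" if e["action"] == "BLOCK" else "allowed"
        summary[e["user"]][key][e["cat"]] += 1
    return summary


def persistent_users(summary, category, block_threshold, watch_categories=("uncategorized",)):
    """Flag users whose block count in `category` reaches the threshold, and report how
    many allowed requests they made to the watch categories (uncategorized sites by
    default), which is where filter-bypass traffic tends to hide. The threshold is an
    assumed tuning value, not a figure from the post."""
    flagged = {}
    for user, s in summary.items():
        blocked = s["blocked"].get(category, 0)
        if blocked >= block_threshold:
            watched = sum(s["allowed"].get(c, 0) for c in watch_categories)
            flagged[user] = {"blocked": blocked, "allowed_in_watch_categories": watched}
    return flagged


if __name__ == "__main__":
    report = persistent_users(summarize(parse_log(SAMPLE_LOG)), "adult", block_threshold=3)
    for user, counts in report.items():
        print(user, counts)
```

The output of `persistent_users` is a review queue for the personnel process the post calls for, not an automatic enforcement action: the allowed-but-uncategorized count tells the reviewer which users' traffic to look at by hand, and the same summary can feed a request to the vendor to classify the uncategorized hosts.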
When allowing web sites such as youtube.com, facebook.com or gmail.com that are used for personal entertainment, social networking or email, there is an increased risk of contracting malware. Although these are “legitimate” sites, they carry a great deal of “user-generated” content that may not be legitimate. Organizations concerned with malware infection of endpoints via the web should weight a capability to perform advanced malware scanning, or content inspection (in addition to URL filtering), highly in their evaluation criteria.
Social networking, personal email and other sites can pose a risk of data leakage in two ways. First, a malicious or policy-violating user may deliberately upload confidential company information to the sites. Note, however, that draconian web filtering policies will not be effective in preventing determined data leakage since such users can find many other avenues for exfiltrating the information.
Second and more insidiously, well-meaning users can facilitate the intelligence-gathering efforts of adversaries (such as financially motivated cybercriminals or fraudsters) simply by disclosing seemingly innocuous information about themselves or colleagues, such as indicating they work for “Company X” in their profile and then posting something about their role as an “SAP administrator.” This and other more personal information could be used to craft spear phishing attacks against that user.
In order to deal with the risk of data leakage over the web, organizations should consider SWG data loss prevention (DLP) features for the web channel in their evaluation. Organizations should also evaluate SWGs’ application control features, such as the ability to allow users to read Facebook but not post, or to scan posts to Facebook or Twitter for certain keywords, or to allow Facebook but block certain applications available through the social network. But understand that such features are only part of the DLP puzzle. Organizations must also address the business processes for promoting user awareness of appropriate use of social networks with business discretion through training, investigating DLP-related incidents, and classifying sensitive information to prevent its unnecessary spread.
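The application control features listed above (read-only access to a social network, blocking selected in-network applications, and keyword scanning of outbound posts) reduce to a small policy evaluated per request. The following is an added example, not code from the post or from any SWG product: the policy structure, the blocked path prefixes, the keyword list and the decision strings are constructed for illustration and do not reflect any vendor’s rule syntax.

```python
# Hypothetical application-control policy keyed by host (constructed for illustration).
POLICY = {
    "facebook.com": {
        "allow_methods": {"GET", "HEAD"},            # read-only: browsing allowed, posting not
        "blocked_app_paths": ("/games/", "/apps/"),  # block selected in-network applications
    },
    "twitter.com": {
        "allow_methods": {"GET", "HEAD", "POST"},    # posting allowed, but bodies are scanned
    },
}

# Constructed keyword list; a real DLP policy would be driven by data classification.
SENSITIVE_KEYWORDS = ("confidential", "internal only", "project falcon")


def scan_for_keywords(body):
    """Return the sensitive keywords found in an outbound post body (case-insensitive)."""
    lowered = body.lower()
    return [k for k in SENSITIVE_KEYWORDS if k in lowered]


def evaluate(method, host, path, body=""):
    """Return (decision, reason) for one outbound request under the policy above."""
    rules = POLICY.get(host)
    if rules is None:
        # Hosts without application rules fall through to ordinary URL filtering.
        return ("allow", "host not governed by application control")
    for prefix in rules.get("blocked_app_paths", ()):
        if path.startswith(prefix):
            return ("block", f"application path {prefix} blocked")
    if method not in rules["allow_methods"]:
        return ("block", f"{method} not permitted for {host} (read-only)")
    if method == "POST" and body:
        hits = scan_for_keywords(body)
        if hits:
            return ("block", "sensitive keyword(s) in post: " + ", ".join(hits))
    return ("allow", "permitted by policy")


if __name__ == "__main__":
    for req in [
        ("GET", "facebook.com", "/feed", ""),
        ("POST", "facebook.com", "/feed", "hello"),
        ("GET", "facebook.com", "/games/farm", ""),
        ("POST", "twitter.com", "/tweet", "Project Falcon launch date is internal only"),
        ("POST", "twitter.com", "/tweet", "lunch anyone?"),
    ]:
        print(req[:3], "->", evaluate(*req))
```

Note that the keyword scan only sees the request body the gateway can decrypt and parse; it is the “part of the DLP puzzle” the post refers to, and the block reasons it emits are the incidents that the investigation and awareness processes described above would follow up on.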
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.