<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; educating employees</title>
	<atom:link href="http://www.gfi.com/blog/tag/educating-employees/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 10 Feb 2012 17:18:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>3 Very Good Reasons to Monitor Internet Usage in the Workplace</title>
		<link>http://www.gfi.com/blog/3-good-reasons-monitor-internet-usage-workplace/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=3-good-reasons-monitor-internet-usage-workplace</link>
		<comments>http://www.gfi.com/blog/3-good-reasons-monitor-internet-usage-workplace/#comments</comments>
		<pubDate>Mon, 06 Sep 2010 14:53:57 +0000</pubDate>
		<dc:creator>Christina Goggi</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[cyberslacking]]></category>
		<category><![CDATA[educating employees]]></category>
		<category><![CDATA[internet monitoring]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2882</guid>
		<description><![CDATA[3 Very Good Reasons to Monitor Internet Usage in the Workplace Social media platforms are becoming increasingly popular even within the workplace and although such sites may turn out to be great promotional tools, and therefore blocking them completely would &#8230;]]></description>
			<content:encoded><![CDATA[
<p><a class="lightbox" title="three ticks" href="http://www.gfi.com/blog/wp-content/uploads/2010/08/three-ticks1.jpg"><img class="alignright size-medium wp-image-2884" style="margin: 10px;" title="three ticks" src="http://www.gfi.com/blog/wp-content/uploads/2010/08/three-ticks1-196x300.jpg" alt="" width="137" height="210" /></a>Social media platforms are becoming increasingly popular even within the workplace and although such sites may turn out to be great promotional tools, and therefore blocking them completely would be counterproductive,<a href="http://www.gfi.com/blog/google-advisory-facebook-twitter-regularly-victims-malware/" target="_blank"> reports have shown that social media platforms (such as Facebook and YouTube) host malware</a> – besides being a means for employees to procrastinate during working hours.</p>
<p><span id="more-2882"></span></p>
<h2>Why should the rise of social media in the workplace concern you?</h2>
<p>There are three very good reasons:</p>
<ol>
<li><strong>Abuse of Company Internet Connection</strong> – There are cases where employees either spread inappropriate content or view and download illegal or illicit material from their workstations. This can create legal liabilities for your business, and therefore an unnecessary expense.</li>
<li><strong>Cyberslacking</strong> – In 2007, around <a href="http://news.bbc.co.uk/2/hi/technology/6989100.stm" target="_blank">233 million hours were lost every month</a> in the UK as a result of employees wasting time on social networking sites. To add insult to injury, some entertainment businesses now seem to be accommodating cyberslacking; an example is <a href="http://www.nbcchicago.com/news/local-beat/Playboy-Planning-a-Free-Non-Nude-Site-93187504.html" target="_blank">Playboy’s plans for a work-friendly website</a>. And if lost productivity were not enough, non work-related Internet activity is also dangerous for your corporate network because of web threats.</li>
<li><strong>Bandwidth Hogging</strong> – Streaming video, for example, can lead to problems such as slow access to outsourced application services and corporate email. In addition, since the bandwidth is used for non work-related purposes, it is an unnecessary expense that consumes your business’s resources for something irrelevant.</li>
</ol>
<h2>How can you deal with these issues?</h2>
<p>Controlling Internet usage saves you a great deal of money. Firstly, a solid web monitoring solution would usually check that any files downloaded are free of malware, as well as offer the option to block certain hazardous or offensive sites. Secondly, if your company faces legal charges for illegal or illicit material, you would be able to provide records to prove your case, as comprehensive Internet monitoring software saves the web activity that takes place on your network. Thirdly, it controls and reports on bandwidth usage – preventing bandwidth hogging and identifying abuse.</p>
<p>Studies explain how, <a href="http://www.gfi.com/whitepapers/web_monitoring_for_employee_productivity_enhancement.pdf" target="_blank">knowing that their Internet usage is being monitored</a>, employees surf less on non work-related sites. This not only means that productivity is increased, and therefore also ROI (Return on Investment), but it also lowers the possibility of them clicking on sites which could be smokescreens for malware to gain access to your corporate network.</p>
<p>But it doesn’t stop at simply investing in good Internet usage monitoring software and informing employees that their web activity is being controlled. Drawing up a good Internet usage policy and <a href="http://www.gfi.com/blog/10-tips-avoid-spam/" target="_blank">educating employees about the risks the Internet presents</a> (and how to prevent them) is also important, not only because it teaches them about Internet safety, but because it helps them realize that their web activity is controlled for their security and not because they are not trusted.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/3-good-reasons-monitor-internet-usage-workplace/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Top 10 Security Precautions when using Social Networking Sites</title>
		<link>http://www.gfi.com/blog/top-10-security-precautions-social-networking-sites/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-10-security-precautions-social-networking-sites</link>
		<comments>http://www.gfi.com/blog/top-10-security-precautions-social-networking-sites/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 08:56:34 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[educating employees]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2542</guid>
		<description><![CDATA[It is impossible and illegal to stop employees from using social networking sites 24/7 and even if it were legal it wouldn’t be a good idea as it could easily alienate your employees. The best course of action is to &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Educating employees about security" href="http://www.gfi.com/blog/wp-content/uploads/2009/06/Security-Education.jpg"><img class="alignright size-medium wp-image-260" style="border: 0pt none; margin: 10px;" title="Educating employees about security" src="http://www.gfi.com/blog/wp-content/uploads/2009/06/Security-Education-300x225.jpg" alt="" width="240" height="180" /></a>It is impossible and illegal to stop employees from using social networking sites 24/7 and even if it were legal it wouldn’t be a good idea as it could easily alienate your employees. The best course of action is to educate your employees. Below is a list of the <strong>top 10 security precautions</strong> an employee should keep in mind when using social networks.</p>
<ol>
<li><span id="more-2542"></span>Never use the same passwords that you use at work on a social networking site.</li>
<li>Limit usage of social networking sites to personal use only. Do not write about work issues. Always assume everyone in the world will be able to see what you’re writing even if the site limits your post to your friends exclusively.</li>
<li>Try to avoid mentioning where you work; so that if you mention something you thought innocent (but that might be valuable information for hackers) they will not know who to target.</li>
<li>Be wary of what you’re posting; if you use your pet’s name as a password anywhere, do not post about your pet by name on your social networking sites.</li>
<li>Do not log on to your social network page from public computers such as internet cafés where someone might have installed a key logger and would later get access to your credentials.</li>
<li>Do not automatically trust that posts are from who they claim they are; if your workmate sends you a private message asking for some confidential information first verify that he/she did really send you that message as their account might have been compromised.</li>
<li>Do not send confidential information through a social networking site even if someone who has legitimate access to that information asks you to. See point number 2.</li>
<li>Beware of what links you click and what software you download and install. Do not trust links/software sent by your friends implicitly as they themselves might not be aware it includes malware or their account might have been compromised.</li>
<li>Always be sceptical and wary. If someone asks to be friends on a social networking site and the profile appears to match a work mate, check personally with that person before accepting him as he could be an imposter. Also be sceptical of any offers or prizes you might have been told you won, they might actually be phishing attacks.</li>
<li>Ensure your computer is up to date and has good antivirus protection; social networking sites are frequent targets of malware attacks.</li>
</ol>
<p>If you have any more tips which are not mentioned above feel free to share them by leaving a comment below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-10-security-precautions-social-networking-sites/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Top 5 Risks caused by employees’ actions</title>
		<link>http://www.gfi.com/blog/top-5-risks-caused-employees-actions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-5-risks-caused-employees-actions</link>
		<comments>http://www.gfi.com/blog/top-5-risks-caused-employees-actions/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 11:54:00 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[educating employees]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2475</guid>
		<description><![CDATA[Employees generally do not mean to harm the organization for which they work; however, sometimes due to a lack of due diligence or even lack of education on security employees might pose a grave security risk to an organization. Below &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Employee Risk" href="http://www.gfi.com/blog/wp-content/uploads/2010/06/Employee-Risk.jpg"><img class="alignright size-medium wp-image-2477" style="border: 0pt none; margin: 10px;" title="Employee Risk" src="http://www.gfi.com/blog/wp-content/uploads/2010/06/Employee-Risk-229x300.jpg" alt="" width="229" height="300" /></a>Employees generally do not mean to harm the organization for which they work; however, sometimes due to a lack of due diligence or even lack of education on security employees might pose a grave security risk to an organization. Below is a list of risks that a business could face due to an employee’s actions.</p>
<h2>1. Insider intrusion</h2>
<ul>
<li>Employees tend to hate remembering passwords, especially if they’re forced to change them periodically. Many times they get around this by simply writing the password down and sticking it to a monitor, thus giving ammunition to other employees who might have bad intentions</li>
<li>Talking with their co-workers about their password policies</li>
<li>Opening shares and not properly securing them</li>
<li>Unintentionally executing Trojans</li>
</ul>
<h2><span id="more-2475"></span></h2>
<h2>2. Virus Infections</h2>
<ul>
<li>Bringing software into the company from home on portable storage together with a virus infection</li>
<li>Accessing sites that are infected while at work</li>
<li>Downloading software</li>
<li>Opening shares on their machine without proper security</li>
</ul>
<h2>3. External intrusion</h2>
<ul>
<li>Installation of a Wireless Access Point</li>
<li>Using company infrastructure from a public computer in an internet café while travelling</li>
<li>Falling victim to phishing, social engineering attacks</li>
<li>Unknowingly installing Trojans</li>
</ul>
<h2>4. Stolen data</h2>
<ul>
<li>Sending confidential data home (even innocently to continue working from home) where this, in turn, gets intercepted on the way or stolen from the home computer which some hacker might previously have compromised</li>
<li>Losing laptops or pen drives with confidential data</li>
<li>Not encrypting confidential data</li>
<li>Installing software infected with malware</li>
<li>Mistakenly sharing confidential data after installing P2P software</li>
</ul>
<h2>5. Legal Liability</h2>
<ul>
<li>Downloading copyrighted material</li>
<li>Sending jokes via email that might be racist or discriminatory</li>
<li>Accessing pornographic content from work which might be illegal</li>
<li>Posting slanderous comments on forums from work</li>
</ul>
<p>In most cases, educating employees can help reduce the incidents listed above to a minimum. Periodic network monitoring and access control can also help protect against incidents such as unauthorized software installation.</p>
<p>Have you encountered other scenarios which are not listed above? Feel free to leave a comment and share your experiences.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-5-risks-caused-employees-actions/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>People do reply to email spam</title>
		<link>http://www.gfi.com/blog/people-reply-email-spam/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=people-reply-email-spam</link>
		<comments>http://www.gfi.com/blog/people-reply-email-spam/#comments</comments>
		<pubDate>Wed, 12 Aug 2009 11:42:10 +0000</pubDate>
		<dc:creator>David Kelleher</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[educating employees]]></category>
		<category><![CDATA[security education]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=804</guid>
		<description><![CDATA[I sometimes wonder how spammers can be so successful in what they do. They send out millions of emails every day promising the world – get rich offers, a pile of cash waiting just for you to claim ownership, pills &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Threat of spam emails" href="http://www.gfi.com/blog/wp-content/uploads/2009/08/Threat-of-spam-emails.jpg"><img class="alignright size-medium wp-image-842" style="margin: 10px;" title="Threat of spam emails" src="http://www.gfi.com/blog/wp-content/uploads/2009/08/Threat-of-spam-emails-300x286.jpg" alt="" width="240" height="229" /></a>I sometimes wonder how spammers can be so successful in what they do. They send out millions of emails every day promising the world – get rich offers, a pile of cash waiting just for you to claim ownership, pills and creams that work wonders, financial advice and dozens of other schemes and offers. Junk, literally.</p>
<p>One look at the email, its content and the name of the person sending the email should be enough to convince email users that the trash can is the best place for it. In theory yes, but there are still people who open spam emails, click on the links or visit spammer-recommended websites.</p>
<h2><span id="more-804"></span>Spam numbers</h2>
<p>According to a survey released in July by the Messaging Anti-Abuse Working Group (MAAWG), one in six consumers “responded to a message they suspected might have been spam”.</p>
<p>Although one in six is a relatively small number in terms of those using email, we should not forget that spammers send out hundreds of millions of emails; economies of scale ensure that even though a very, very low percentage actually ‘buy’ something, it is enough to generate millions of dollars in revenue.</p>
<p>Another survey by the University of California showed that the number of people who actually bought something after receiving a spam email is extremely small. They monitored three spam campaigns for a total of 350 million messages; of these just over 10,500 visited the advertised site and only 28 tried to purchase. According to the university, this represents just 0.000081%. The researchers, however, did make it clear that even at such a low rate, up to $3.5 million could be generated in annual revenue.</p>
<p>Good enough reason for spammers to stay in business.</p>
<p>Spam is no longer limited to email delivery. Spammers are maximizing the potential offered by new technologies and communication methods such as social networking sites, instant messaging, blogs, search engine searches and so on to disseminate spam.</p>
<p>Combine all the methods and platforms and you quickly get an idea of the reach and versatility that spammers have. It also explains why spam is more than just huge volumes of unsolicited commercial mail – spam is a huge load of trouble if not properly dealt with.</p>
<h2>Controlling spam</h2>
<p>Unfortunately, it is impossible to eradicate spam, but that doesn’t mean companies should sit back and look on helplessly. Whilst legal attempts to stop spammers have had little success so far due to the inherently unregulated nature of the internet, there are other options.</p>
<p>The first step is to install anti-virus and anti-spam software at the server level. Anti-spam solutions come with a variety of technologies – IP filtering, Bayesian filtering, whitelists and blacklists, for example – each one identifying and stopping different types of spam.</p>
<p>The next step is to educate users on the use of email, social networking sites, basic internet security and how to protect their data using strong passwords, for example. Unfortunately, employee awareness is often given low priority by IT professionals, especially in small organizations with limited IT human resources. Yet, with the bulk of spam targeting end-users and their inquisitiveness and/or fear of legal-sounding content, employees need to be told what the dangers are. The message that needs to filter down to employees is:</p>
<ol>
<li>Be wary of any emails that come from unknown sources.</li>
<li>Do not open attachments that you were not expecting or where the sender is unknown.</li>
<li>Do not reply to spam email. Replying only verifies that the email is active, resulting in more spam.</li>
<li>Do not click on links in emails.</li>
<li>If it’s too good to be true, it probably is not. Just hit the delete button.</li>
<li>Do not provide personal details, passwords or credit card details in reply to genuine-looking emails from banks or other well-known online merchants. These organizations never ask for such details via email.</li>
<li>Forward all suspicious emails to an IT administrator to have them checked.</li>
</ol>
<p>Spam will not go away on its own – it has proved too successful – and will remain the bane of every email user. Reducing spam is as much a question of technology as it is an issue of education and employee awareness. Together, they can be a successful weapon in the fight against spammers and spam email.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/people-reply-email-spam/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security education: ineffective or the wrong approach?</title>
		<link>http://www.gfi.com/blog/security-education-ineffective-wrong-approach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=security-education-ineffective-wrong-approach</link>
		<comments>http://www.gfi.com/blog/security-education-ineffective-wrong-approach/#comments</comments>
		<pubDate>Tue, 30 Jun 2009 09:13:55 +0000</pubDate>
		<dc:creator>David Kelleher</dc:creator>
				<category><![CDATA[Headline]]></category>
		<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[educating employees]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=257</guid>
		<description><![CDATA[Employees don’t give two hoots about security or security policies. They share passwords with colleagues; they share work devices with others without supervision; they transfer files from their laptop to home computer; they use their corporate email address to subscribe &#8230;]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-260" style="margin: 10px;" title="Educating employees about security" src="http://www.gfi.com/blog/wp-content/uploads/2009/06/Security-Education-300x225.jpg" alt="" width="240" height="180" />Employees don’t give two hoots about security or security policies. They share passwords with colleagues; they share work devices with others without supervision; they transfer files from their laptop to home computer; they use their corporate email address to subscribe to non-work related newsletters / sites; and if their boss says they can’t do something, nine out of ten will try.</p>
<p>And if recent reports are anything to go by, more and more employees will ignore a company’s security policies if that either means getting work done faster or if they need some form of insurance in case they receive that dreaded, recession-driven ‘thank-you-but-you-are-fired’ letter.</p>
<p>If employees are going to ignore the IT department and bypass security policies anyway, what’s the use of spending unproductive time trying to educate people and writing policies that won’t be read by anyone, let alone adhered to?<br />
Waste of time, money and resources? Or are we missing the point altogether?</p>
<p>There are two schools of thought.</p>
<p><span id="more-257"></span>The first school believes that employee awareness is a waste of time. There is no point in security awareness, critics argue, if no one is going to listen. They argue further that tech savvy employees – and they are increasing in number – will always find a way around any obstacle the IT admin puts in their path. The best course of action, they conclude, is to simply plug as many security holes as possible using group policies and software/hardware to protect the network.</p>
<p>The second school, however, believes that security education has been a failure because the approach has been flawed from the outset. For years there has been a serious disconnect between IT, Management and employees. Same company, same goals but each one talking a totally different language. And here, I think, lies the problem.</p>
<p>Employees (and non-IT managers) cannot be given a ‘do not’ list and be expected to follow each item to the letter. People – and this is an important word – are not machines that accept instructions without question. People would like to understand (even if they disagree) what they are being asked to do… and it makes a huge difference in terms of both the relationships with managers and IT personnel and how employees go about their job.</p>
<p>When properly administered, security awareness in an organization can make a difference. You cannot expect EVERYONE to heed your wise words but an explanation using everyday language will hit home. If five out of every 10 employees start paying greater attention to what attachments they are opening or what links in emails they click on, the IT helpdesk, for example, stands to benefit from fewer ‘there are pop-ups all over my screen – what am I going to do?’ calls.</p>
<p>Some employees will totally ignore anything their IT manager says – they either don’t care or they are too tech savvy to be ‘educated’; but there are others who will appreciate being told why they need to use a complex password and not their mother’s maiden name or their surname.</p>
<p>The key is to relate security to something they can associate with; an issue that could affect them personally. Weak passwords are easily hacked… if employees use weak passwords for all their accounts / memberships their data / identity is at risk – personal data too. People are apt to change attitudes when the problem is closer to home than they realized.</p>
<p>Education alone will not shore up a network’s defenses. Security policies, software or hardware security measures are a must (woe betide those who think otherwise – and they are many). Raising awareness about security among employees and non-IT staff is not something to be ignored.</p>
<p>With proper planning, some incentives and senior management’s backing, security education will have a positive impact over time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/security-education-ineffective-wrong-approach/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

