Do you know how often your employees are using the Internet to check personal email, pay bills or watch streaming video during company time? If not, you are setting your company and its employees up for significant security risks.
According to a new survey of about 1,600 computer users from Trend Micro, a Cupertino, Calif., Internet security company, organizations with fewer than 500 employees are much more likely to have employees who do all of those things, plus others, creating undue risk.
The study found that among companies with under 500 employees, 74% checked personal email, 51% browsed websites not directly related to their jobs, 43% conducted personal online banking or bill payment, 38% watched or listened to streaming audio or video, 35% made non-business related online purchases, 32% downloaded executable files, 20% visited social networking sites, and 13% downloaded music or movies.
The last is particularly troubling, said David Perry, Trend Micro’s global director of education, because one of the biggest rising threats on the Internet is the drive-by download, where users need only look at a web page for an attack to be carried out.
The study also found that smaller companies are more subject to plagues like spam and spyware; 82% of U.S. small business employees have reported spam, versus 73% in larger companies. Similarly, 36% of small business employees in the U.S. have reported spyware encounters, versus 26% in larger companies.
There are several reasons smaller companies are more subject to these types of threats, Perry said, including absence of a corporate policy and lack of an IT department. In fact, the study found that less than 50% of end users within small companies said they had an IT department.
“Many small and mid-sized companies are outsourcing IT, so there is nobody internal,” Perry said. “In a previous survey, we found that small companies sometimes had their IT being handled by their accountant, since they were considered most likely to follow precise rules.”
Smaller companies also were less likely to have corporate policies in place to prevent these issues; 43% of companies with fewer than 500 employees in the United States had such a policy in place, versus 66% of larger companies. Policies are likely to spell out important things like what is considered acceptable use, and what constitutes confidential company data. In fact, the survey found that just 33% of small business end users were aware of what constituted confidential company data, versus 46% from larger companies.
Such policies are key, Perry said, to fixing the problem. But it’s unlikely to change until there are commercial awareness programs available that small and midsized companies can adopt wholesale, he said.
“I ran a panel at Gartner recently and there were lots of questions about how to develop awareness and education programs for employees. And that was for the enterprise space,” he said. “I don’t think you’re likely to see activity in the SMB segment until there are commercial awareness programs they can pick up.”
In addition to developing and implementing corporate policies and having an on-site IT presence, companies would be well-advised to implement some type of Internet filtering and monitoring tool, either in software or Software-as-a-Service (SaaS) form, Perry said. Such tools start at about $30 per user per year and rise depending on the features and level of service desired.