The Web is a dangerous place, but if you try to keep your employees off it, you’ll only make things worse, says Don Reisinger
It’s very normal in the business world to limit employee Web traffic. At many firms, regardless of their industry or size, IT managers are being asked to block access to some sites and in some cases, limit the amount of time users spend on the Web. By doing so, they can limit the impact malware could have on the network as employees spend time surfing the Web. They also believe that the more employees visit their favorite sites and check their email, the less productive they are. And that translates to poorer business performance.
To some, that argument might make perfect sense. And it’s been bolstered by the recent report that over 40,000 Websites have been compromised in a mass attack.
Nine-Ball gets in under the radar
According to researchers at Websense, an attack called Nine-Ball has targeted legitimate sites and redirected users accessing those pages to a malicious site. The attack is the result of a Trojan that used FTP credentials to input automated bots on the sites. When a Web surfer visits a site that has been infected, they are brought to a page that contains the exploit code. The person is then pelted with drive-by attacks that attempt to exploit Microsoft, Adobe Reader, and QuickTime vulnerabilities. So far, Websense said the Trojan has a very low detection rate.
For some companies, that’s all they need to know. There are real threats on the Web and if an employee even makes one mistake, they can be subject to malware that could put the entire network in danger. The end result could be lost, or worse, stolen data.
But perhaps that solution is nothing more than a quick fix to a much broader issue. The reality is this: more malware than ever is affecting company networks, even though the enterprise is doing everything it can to limit the amount of access employees have to the Web. Doesn’t it stand to reason, then, that if blocking their access was such a smart move, it would actually work to limit company-wide outbreaks?
Education is better than blocking
Companies don’t need to limit the amount of access employees have to the Web – they need to learn how to more effectively deal with the threats.
Nowhere is that more evident than in employee education. Simply blocking an employee’s access to certain sites won’t help the company stay safe. Malware is a real issue today because most people don’t know what they have to do to keep themselves safe. Does a company’s employee know not to open attachments from someone using an unknown e-mail address? Do they know not to visit untrustworthy pornographic sites? Do they know not to click on every link they see without making sure they’re being redirected to the desired page? Do they know what phishing is and why it’s such a major concern? Do they have apps installed on their computer that are designed to warn them about possibly malicious sites? And do they know how to react to those warnings?