The reality of the workplace today is that employees are sometimes free to browse any website, surf from the cafeteria or a private cubicle, and consume megabytes of data off the corporate Wi-Fi network. But what if they abuse that in one of the worst ways possible?
Surfing for pornography at work is one of the most controversial, least understood (in terms of actual data about the problem), and most technologically challenging issues facing IT admins.
It's controversial because not everyone has the same definition of what constitutes "not safe for work" material, laws protect the freedom of speech, and it can be difficult to address web surfing violations in business (i.e. to establish whether the employee really visited inappropriate sites).
The problem is severely misunderstood because most companies do not share any data about those who have been "caught" surfing for pornography. And it becomes a technical challenge when web filtering products weed out malware and block sites commonly known to disseminate pornographic material, but don't prevent access to seemingly innocuous blogs.
Eric Cowperthwaite, the vice president of advanced security and strategy at Core Security (and the former CISO of Providence Health and Services), says the issue is multifaceted and IT admins, company heads, and other leaders have to be smart about their approach.
"There is a legal issue, a management and productivity issue and a security issue," he says. "Each one of those can, and should, be dealt with differently."
Of course, the best solution in any company is to deal with the problem of employees surfing for porn by blocking access to well-known sites entirely. This is mostly a security issue. Interestingly, most of the security companies that block malware and other harmful agents declined to discuss blocking strategies related to pornography because of the free speech issues and how people define the topic.
At the same time, many products exist that will block sites and filter harmful (and inappropriate) content, from the Cisco Web Security Appliance to products from companies like FireEye, Symantec, McAfee, and Sophos.
"It is a fairly well understood reality that many of the internet systems serving up pornography don't have good security themselves," says Cowperthwaite. "They are low margin operations run in locations and by organisations that really aren't overly concerned about good security. Their servers are often compromised by bad guys and are serving up malicious software, man-in-the-middle attacks, credit card breaches and the like.
"This is a significant threat to corporate security. However, the bottom line is that you deal with this sort of issue just as you would any other security issue. You put controls in place to prevent users from accessing known bad internet sites, malicious software, their session data being hijacked, and so forth."