The reality of the workplace today is that employees are sometimes free to browse any website, surf from the cafeteria or a private cubicle, and consume megabytes of data off the corporate Wi-Fi network. But what if they abuse that in one of the worst ways possible?
Surfing for pornography at work is one of the most controversial, least understood (in terms of actual data about the problem), and most technologically challenging issues facing IT admins.
It's controversial because not everyone has the same definition of what constitutes "not safe for work" material, laws protect the freedom of speech, and it can be difficult to address web surfing violations in business (i.e. whether the employee really visited inappropriate sites).
The problem is severely misunderstood because most companies do not share any data about those who have been "caught" surfing for pornography. And, it becomes a technical challenge when web filtering products weed out malware and block sites commonly known to disseminate pornographic material, but don't prevent access to seemingly innocuous blogs.
Eric Cowperthwaite, the vice president of advanced security and strategy at Core Security (and the former CISO of Providence Health and Services), says the issue is multifaceted and IT admins, company heads, and other leaders have to be smart about their approach.
"There is a legal issue, a management and productivity issue and a security issue," he says. "Each one of those can, and should, be dealt with differently."
Of course, the best solution in any company is to deal with the problem of employees surfing for porn by blocking access to well-known sites entirely. This is mostly a security issue. Interestingly, most of the security companies that block malware and other harmful agents declined to discuss blocking strategies related to pornography because of the free speech issues and how people define the topic.
At the same time, many products exist that will block sites and filter harmful (and inappropriate) content, from the Cisco Web Security Appliance to products from companies like FireEye, Symantec, McAfee, and Sophos.
"It is a fairly well understood reality that many of the internet systems serving up pornography don't have good security themselves," says Cowperthwaite. "They are low margin operations run in locations and by organisations that really aren't overly concerned about good security. Their servers are often compromised by bad guys and are serving up malicious software, man-in-the-middle attacks, credit card breaches and the like.
"This is a significant threat to corporate security. However, the bottom line is that you deal with this sort of issue just as you would any other security issue. You put controls in place to prevent users from accessing known bad internet sites, malicious software, their session data being hijacked, and so forth."
Management and employee retention issues
The reality for most companies is that security precautions are not always 100% effective. In some cases, a site might contain "not safe for work" images and videos that sneak through the corporate firewalls or may not always be deemed pornographic. Yet there are serious management issues related to blocking this material that could still be considered offensive.
"If your users are accessing pornography at work, then there are a bunch of policy and productivity issues," says Cowperthwaite. "Even, potentially, issues involving a hostile workplace. I once dealt with a senior manager looking at porn in ways where his junior female employees could see it. That's a pretty hostile workplace.
"The issue is that security often gets pulled into (or puts itself into) the position of being the enforcer of behavioural policies that have nothing to do with good security. If an employee is surfing pornography at work there are productivity, policy, management problems. And that is who needs to deal with the issue. Security teams should run from being an HR enforcer if at all possible."
Outright violation of well-established guidelines for surfing the web should be enough to terminate an employee, says Rob Enderle, a well-known tech analyst. "Generally the best practice is that if someone is caught viewing porn in the workplace their employment is terminated and they are visibly walked out of the building," he says.
Privacy and legal issues
Lastly, companies have to deal with the legal ramifications of viewing pornographic material in the workplace. There are the more obvious violations – such as surfing for child pornography – and other issues related to surfing in a workgroup setting in front of other employees.
"The inherent problems of porn in the workplace are well-known and documented," says Charles King, an IT analyst. "It's disrespectful and divisive, often sparks and contributes to employee hostilities, and can also expose the employer to legal liability in a variety of forms. In other words, it's inappropriate on virtually every level so employers have the right and responsibility to protect themselves and their employees.
"Creating clear policies on the subject would be the first order of business, followed by ensuring that every worker understands the issues and consequences. Finally, it's critical for companies' HR and legal departments to develop fair, objective methods of enforcement in cases where employees violate those policies."
Cowperthwaite adds: "There have been cases, mostly not ever discussed publicly, where corporate resources have been used by people dealing in child pornography. This is one of the CISO's worst nightmares. The systems the CISO is entrusted with safeguarding have been compromised (usually by an insider) and then used to break the law. To make it worse, it is one of the worst forms of law-breaking in our society.
"The solution is straightforward, however. If you have good security controls that protect against your networks being breached and exploited by bad guys, then you have the right controls in place to deal with this issue."
In the end, technology can help, but most of the experts agreed the issue is really one that IT leadership has to confront and manage on a case-by-case basis.