Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Saturday, June 8, 2013

Where Work-Life Balance Meets Information Security

With people being more connected to their jobs through laptops, tablets, smartphones, etc., it seems that more companies are worried about work-life balance. Some companies may define work-life balance as giving employees more "privileges" with their company-owned computing assets. By privileges I mean that they may allow employees to do more with the company-owned laptop, or loosen the restrictions on which websites can be visited on the company network.

For example, some companies may let employees check personal, web-based email while on the company's network. Some companies allow employees to visit Facebook while others block it. As companies come to expect employees to be connected to work 24/7, I understand the need to allow employees some freedom at work to get away from the daily grind for a few minutes. But allowing that freedom comes with risk, and that risk needs to be discussed before the decisions are made.

By allowing employees to visit Facebook, the company has opened up a new attack vector into the company's network. Before opening it up, a company may need to evaluate the reliability of its desktop protection software or look at a solution that will detect malicious traffic at the network border. The same issues are present if a company allows employees to check personal email at work. Additionally, if the connection is SSL, is the company going to break the SSL connection and monitor the traffic? What traffic is off-limits to monitoring? Which websites will be blocked, and does the proxy server or service have a good track record of classifying websites? I suspect HR and Legal will want to weigh in.

I am not saying what is right or wrong, but management must include Information Security in the discussion before making decisions about what is allowed on the network and what employees can do on their company-owned computing devices.

Until next time...
