With people being more connected with their jobs through laptops, tablets, smartphones, etc., it seems that more companies are worried about work-life balance. Some companies may define work-life balance as giving employees more “privileges” with their company-owned computing assets. By privileges I mean that they may allow the employees to do more with the company-owned laptop or loosen the restrictions on what websites can be visited on the company network.
For example, some companies may let employees check personal, web-based email while on the company’s network. Other companies may allow employees to visit Facebook while others block it. As companies come to expect employees to be connected 24/7 to work, I understand the need to allow employees some freedom at work to get away from the daily grind for a few minutes. But allowing the freedom comes with some risk, and that risk needs to be discussed before the decisions are made.
By allowing employees to visit Facebook, the company has opened up a new attack vector into the company’s network. Before opening it up, maybe a company needs to evaluate the reliability of its desktop protection software or look at a solution that will detect malicious traffic at the network border. The same issues are present if a company allows employees to check personal email at work. Additionally, if the connection is SSL, is the company going to break the SSL connection and monitor the traffic? What traffic is off-limits to monitoring? What websites will be blocked, and does the proxy server / service have a good track record of classifying websites? I suspect HR and Legal will want to weigh in.
I am not saying what is right or wrong, but management must include Information Security in the discussion prior to making decisions based on what is allowed on the network and what employees can do on their company-owned computing devices.
Until next time...
~Skeeter