If you work in security for one of those "cool" companies that let employees use the corporate network to surf the Web on their own time, you might want to think about becoming a killjoy.
According to a study of 200 companies published earlier today by IDC Denmark, Web surfing has surpassed email as the most prevalent method of spreading worms and viruses. (See IDC: Private Internet Use Insecure.)
"There is a common misconception that emails constitute the biggest security threat from the Internet," says Per Andersen, managing director at IDC Denmark. "But the survey shows that up to 30 percent of companies with 500 or more staff have been infected as a result of Internet surfing, while only 20 to 25 percent of the same companies experienced viruses and worms from emails."
The study involved some 200 Danish companies with 500 or more employees. Of these, almost 40 percent reported that they had been infected with a worm or virus in the previous year.
Some 75 percent of the respondents to the IDC survey said they have established policies for Internet use, and "the vast majority" allow employees to use company Internet access for personal reasons, the research firm says. Even among companies that don't allow Web surfing for private purposes, about 30 percent said staff use the Internet for personal reasons anyway during business hours.
Website-borne viruses, worms, and Trojan horses don't always come from "red flag" sites such as those that offer pornography, experts observe. Any unknown site accessed over the corporate network -- even over a VPN or other home office connection -- could be a malware carrier, notes Preben Andersen, general manager of the Danish Computer Emergency Response Team. A Danish company was recently infected by a Trojan horse attached to a help file on a poker Website, he states.
The study raises the question of whether enterprises should build stronger policies against surfing the Web over company links. Companies that allow personal browsing have a higher incidence of infection by worms and viruses than those that don't, according to the research. Some companies have established hard-line policies that prohibit users from using the Internet for any non-business reason.
But IDC's Andersen doesn't recommend this approach. "Today our work and private lives are so interlinked that it is unrealistic to think in terms of a ban on the use of company Internet connections for private purposes," he says.
A good Web behavior monitoring tool can help enterprises analyze surfing patterns and discourage users from straying to known problem sites, IDC's Andersen says. "And it can certainly be done in such a way that it does not constitute outright monitoring of the actions of every member of the staff," he says.
Tim Wilson, Site Editor, Dark Reading