Employee Abuse of Internet Rampant

Before cracking down on Internet access abuse at her family’s 60-year-old auto dealership, the IT director there found a few employees were spending as much as six out of their eight-hour work day on the Internet — playing games, gambling, buying stock and even downloading porn.

“They obviously weren’t doing their job,” says Shawn Vidmar, IT director of Vidmar Motor Co., a $40 million, 85-employee dealership based in Pueblo, Colo. “If they’re trying to trade online and they’re not doing their job, that’s a problem.”

Today, Vidmar is keeping employees in check and off the online playground by throwing everything in her IT arsenal at the problem: new policies, employee education, monitoring software and increased network vigilance. And Vidmar isn’t alone with this problem.

Seventy-eight percent of companies polled in a recent Computer Security Institute/FBI survey reported that they detected employee abuse of their Internet access privileges.

The misuse ranged from playing games in the office to downloading bandwidth-sucking movies or porn, gambling, trading stock, emailing sexually explicit or racist jokes and even sending out critical corporate information.

“It’s a huge problem and unfortunately most companies aren’t doing much of anything about it,” says Brian Dunphy, director of analysis operations at Alexandria, Va.-based RipTech Inc., a security analyst and consulting firm. “A lot of companies have provided free Internet access and haven’t provided guidelines. What is acceptable to one person may not be acceptable to the one paying the bill.”

Productivity Compromised

And Vidmar says once she started really looking into employee use of their Internet access in the workplace, it was a virtual “Pandora’s box” of problems that she was uncovering.

“Productivity was being compromised…And I was worried about corporate liability. If somebody gets offended by an email, they could go after the company,” says Vidmar, who installed Vericept Corp.’s Vericept VIEW for Network Abuse Management, an appliance that tracks and analyzes network traffic. “Sending out an email from here is like sending it out on Vidmar letterhead. I would hate to lose [the business] my grandfather started 60 years ago over a bad Internet joke.”

Bruce Hughes, content security lab manager at ICSA Labs, a division of security consulting firm TruSecure Corp. in Herndon, Va., says Vidmar is smart to realize that workplace Internet abuse goes beyond wasting time playing games instead of finishing a report or helping customers.

“Somebody accesses their Yahoo or Hotmail account from their desk. They get their email and run an attachment and all of a sudden there’s a virus loose in the company,” explains Hughes. “They just bypassed all the security and all the money the company put in to securing its networks…Or maybe they’re downloading the newest movies. You could have legitimate customers who aren’t able to surf your Web site or do queries because this guy is watching movies or even porn.”

At American Electric Power Co., the largest generator of electricity in the United States with about 5 million customers in 11 states, department managers set their own policies regarding what employees can and can’t do with email, instant messaging and Web surfing.

‘Try To Trust Employees’

“Everyone wants to use the Internet and it is a business tool,” says Al Moeller, director of business ethics and corporate compliance at Columbus, Ohio-based American Electric Power. “It’s like the telephone. We don’t tell employees you can’t make a personal call or if you do, it’s only for a few minutes. It’s a good idea to try to trust employees.”

Moeller says they make it clear to employees that all Internet access, data and communications belong to the company since they are on the corporate network using corporate-owned equipment and connections. “While I don’t want to abuse that, we need to maintain our right as a corporation to look at these things,” he adds.

And while they put some trust in their employees, Moeller says his 16- to 20-member security team also keep a close eye on the network. If they spot something suspicious, they investigate. “It’s about taking a look now and then,” he says. “There’s no one who says, ‘Let’s look at these 35 people today and see what they’re doing.’ And I don’t think we need that.”

Some employees, however, have been disciplined for access abuse, Moeller says. And a few have been terminated because of it. “It’s a very small number. Word gets around real quick.”

Other Computer Crime and Security Survey Results

The Computer Security Institute teamed up with the FBI for their seventh annual Computer Crime and Security Survey. Along with the numbers on employee misuse of corporate Internet access, here are a few of the other findings: