When it comes to security, some end users just don't get it, according to many network managers. Intentionally or not, these troublesome users keep jeopardizing security by downloading forbidden attachments or visiting off limits Web sites. When technical interventions alone don't ward off these problems, some administrators are resorting to social sanctions, either informally or through company policies.
Parrish S. Knight is one network manager who's faced down pesky users. "In our particular case, we were infected (with a virus) by someone who refused to follow safe computing practices. Everyone had been warned not to open e-mail attachments from a particular proxy server, but she did so, anyway -- not just once, but twice," says Knight, an Internet and LAN administrator at Market Access International.
Knight's also found himself up against people who eat up bandwidth during peak network periods by spending too much time on Napster.
At other companies, users have left corporate networks wide open to viruses by circulating spam mail, according to Paris Trudeau, product marketing manager for SurfControl.
Knight has dealt with some problems at his company by speaking directly to either the abusers or the abusers' bosses. Also, to "help protect users against themselves," he's using anti-virus software on both a proxy server and users' desktops. The WinProxy server updates its signatures every three hours. The Symanetic desktop software is also configured for automatic updates.
Although individual companies' strategies vary, other frequently used technical interventions include firewalls; asset management and monitoring tools; content filtering software such as SurfControl's products; and subscriptions to signature database lists.
Though not in the same category as antivirus software, SurfControl's tools can be configured to screen out e-mails with.spamlike subject lines and .vbs and double file extensions, for example, Trudeau says.
Often, however, technology interventions themselves aren't enough. For one thing, anti-virus software can't do much of anything to protect against a brand new virus, until the first incidences of that virus have been detected and reported.
"What's most important, really, is a company-wide security policy, in which employees are fully informed and aware of prohibited conduct and proper usage," maintains Zachary A. Slavin of The Slavin Group, a systems and services provider in New York City.
Echoes another administrator: "The potential value of published security policies is reached when something occurs, and you attempt to discipline the employee who has flagrantly breached its conditions."
It isn't necessarily easy, however, to arrive at workable policies around controversial areas such as employee monitoring, personal Web surfing, and personal use of corporate e-mail addresses.
"I think a certain amount of personal e-mail usage is okay -- if users occasionally get in touch with their folks, for instance. But how much is too much? Where do you draw the line?" asks Knight.
"If someone is surfing the Web between noon and 1:00 pm each day, maybe that's not an issue," Slavin says. "If someone is doing nothing but downloading files from 9:00 am to noon, that's probably an issue. But you can't overdo things either, or you can run into problems with productivity and employee retention. You can monitor employee usage, but you don't want to get into a 'keystroke Big Brother' situation. It's a balancing act. If the policies are making people miserable, the company might end up losing money due to high employee turnover."