Tuesday, February 3, 2015

The internet might be for porn, but not on work computers


I spent yesterday working from home, as Cleveland got socked with nearly a foot of snow and my kids had the day off from school.

While working from home, I came across an article from Crain’s New York Business, entitled, Porn and the snowbound workforce. The article argued that winter storms lead to increased software security violations, including those on company-owned computers that employees are using to work from home, including a spike in malware infections.

[I]ncreased levels of malware infections go almost hand-in-hand with increased traffic to porn sites. Adult-content platform Pornhub reported a 21% increase in traffic from New York City-based users during this week’s storm…. For randier New Yorkers who might have been home with work-provided laptops, the blizzard malware infections could cause more than just an uncomfortable chat with human resources.

Companies should want employees to have the flexibility to work from home during inclement weather. It’s certainly safer than having them traverse icy or snow-covered roads. Moreover, it enables you to capture some of the productivity you would otherwise lose from childrens’ snow days and other weather-related days off. Companies must, however, make it clear to employees that work computers are for work, and not for play, even if the employee is using the computer at home.

Consider the following Telecommuting Principles, from the Emory WorkLife Resource Center:

  • The user’s local IT unit must provide, maintain, and support a computer with an approved Emory configuration defined by the Local IT unit. The configuration must address the Information Security Requirements for Telecommuting Arrangements which includes items such as current security updates and anti-virus capability, removal of administrative rights, proper firewall configuration, and security incident reporting requirements.
  • Telecommuters must use only the Emory provided computer for telecommuting.
  • Telecommuters must protect the computer issued to them and any sensitive data that it might contain.
    • Telecommuters may not store sensitive information on the computer unless authorized to do so, and even then, telecommuters must only store the absolute minimum required.
    • Telecommuters must encrypt or password protect documents that contain sensitive information when possible, and upgrade to Full Disk Encryption when an enterprise solution becomes available.
    • Telecommuters may not transfer sensitive data to non-Emory owned systems or removable media, and they may not allow unauthorized users to use the computer issued for telecommuting.
  • Users must immediately notify their manager and local IT support if a system used to telecommute is lost or stolen or if the system is compromised or suspected of being compromised by a computer virus or hacker.

These types of policies cannot guarantee a malware-free IT infrastructure. They will, however, provide you some sense of security in knowing that your employees are aware of the issue, while at the same time providing you the ammunition you need to support action against a employee who misuses your computers.