September 15, 2006 12:33 PM PDT

Surfing a bigger risk than spam to company networks

Company networks are now more likely to pick up malicious software via employee Web surfing than from e-mail attachments, according to a new study.

Nearly 40 percent of the 200 Danish companies surveyed said their systems had been infected by a virus or worm, despite the fact that 75 percent had implemented a security policy, IDC Denmark said in its report, released Wednesday. But the malicious software in question is no longer primarily making its way through e-mail, as in the past.

related news
The security risk in Web 2.0
Security is an afterthought in rush to add features

"There is a common misconception that e-mails constitute the biggest security threat from the Internet," Per Andersen, IDC Denmark's managing director, said in a statement. "But the survey shows that up to 30 percent of companies with 500 or more staff have been infected as a result of Internet surfing, while only 20 to 25 percent of the same companies experienced viruses and worms from e-mails."

The risk of infection is about five times greater for companies that allow Internet usage by staff to go on unhindered and unmonitored, Andersen said.

The problem doesn't go away for companies that ban private Internet use, because often such policies aren't enforced, IDC found: About 30 percent of managers at such companies said staff accessed the Internet for personal use during working hours.

IDC believes that banning personal Internet use isn't realistic, particularly as a long-term solution. Instead, the research firm recommends closer monitoring of employees' Internet use and using tools that give management an overview of time spent and behavior patterns online.

"It can certainly be done in such a way that it does not constitute outright monitoring of the actions of every member of staff," Andersen said.

Attacks can come from relatively innocuous online sources, Andersen said. He cited the case of a poker Web site that placed a Trojan horse on users' PCs when they downloaded the site's help program.

Matthew Broersma reported for ZDNet UK in London.

See more CNET content tagged:
staff, malicious software, risk, monitoring, e-mail

5 comments

Join the conversation!
Add your comment
Ironic!
I'm reading this while I'm at work! ;P
Posted by dragonbite (452 comments )
Reply Link Flag
lol
me too!

;-)

They don't have to worry much about me though because:

1. I'm careful as to where I go on the internet. "News" sites like
this are one thing, but I'm not playing poker here at work and
refuse to access any porn sites.

2. I have one of the best anti-virus programs out there - I'm on
a Mac running OSX!
;-)
Posted by Dalkorian (3000 comments )
Link Flag
ONLY 20-25%?
If up to 25% of companies have gotten computers infected due to email, how can we say it isn't that big of a security risk? <a class="jive-link-external" href="http://essentialsecurity.com/Documents/article7.htm" target="_newWindow">http://essentialsecurity.com/Documents/article7.htm</a>
Employees get email in their inboxes whether they want it or not. But they can make sure to stay away from malicious sites, which are probably not work related anyway. Until businesses can say that only a few percent of computer related issues are due to email viruses, trojans, etc., email security will remain a critical issue.
Posted by ml_ess (71 comments )
Reply Link Flag
Giving the internet admin privileges
Perhaps the reason that a "poker site" installs a trojan horse is not that the employee was allowed to surf to that site, but that the company's sys-admins configured the employee's account as a system administrator?

People shouldn't work in admin accounts. They certainly should not read email or surf the web with admin privileges. They should not install programs with admin privileges unless needed, and in a corporate environment an employee should get proper permision to install software that needs admin privileges (that would generally rule out a poker site "helper" app).
Posted by hadaso (468 comments )
Reply Link Flag
Yes, it's true... and content filtering is the answer
It can be more dangerous if your company doesn't perform content filtering.

With all of the phished sites, allowing employees the ability to only browse company approved sites has been the way to stave this problem off for several years now.

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.