The Farnum who stole Christmas - Bah Humbug!
My friend Michael Farnum is, I know, a good person. Though we have never met in person, from the many times we have spoken and exchanged emails, I know Michael is a straight shooter with a good sense of humor who, most of all, takes his responsibility as a security professional very seriously. However, the road to hell, or in this case to Christmas, is paved with good intentions gone bad. Michael has crossed the line here with his article about how companies should be responsible Internet community members by stopping their employees from online shopping with company resources. I think he is off base here and using all the wrong reasons to justify his position.
Really, it comes down to two reasons to limit employees' online shopping during the holiday season. The first is a productivity issue. This is not the business whatsoever of the security or network admin. This is strictly a management decision. Personally, if someone is not abusing the privilege, I think there is nothing wrong with letting an employee use the company's Internet connection to do some online shopping. The alternative of shutting it down, I think, will do more to hurt company morale and spirit and wind up costing you more in productivity.
The second reason is for security purposes. Frankly, I see some merit in this. But if you have defenses in place, I think you have to give more credit to the user that they are not going to do something totally stupid. On top of this, I think it is more than potential phishing attacks which you have to be careful of. Are they downloading any spyware, key loggers or botnets? However, good security in place for this type of malicious traffic should do the trick here, without having to prohibit online shopping. I have not seen enough evidence to allow the security arguments to outweigh giving the users the right to surf for holiday shopping. Of course, I would monitor to make sure no one is abusing this.
In any event, what really ticks me off are people who really want to limit online usage by employees for productivity reasons and hide behind the security issue to justify it. Releases like the one by St. Bernard that Michael refers to are the perfect example of this. They don't make a clear case for either productivity or security but try to lump them together with a little FUD thrown in. In any event, come on, Michael, show your Christmas spirit and keep the employees happy! Ho, Ho, Ho, Merry Christmas ;-)