InformationWeek

"You may want to have different policies for different times of the day," Schrader says. "You may not want to grant access to some types of sites at any time, such as sex, virus, or hate sites. On the other hand, you may not want to block access to sports-related sites 24 hours a day. Perhaps those sites are blocked between 9 a.m. and 5 p.m. and are accessible during off hours."

Using Web Manager, companies can define access based on roles or business rules, Schrader says, but he warns that overuse can backfire. "This kind of technology can cause problems when policies aren't implemented properly," he says. "It can be viewed as a 'Big Brother' approach, which employees don't like."

John Pescatore, director of Internet security at Gartner Group, says blocking pornographic and illegal sites is a great idea (see sidebar story, "Blind Faith Doesn't Make For Good Security"), but blocking sites that hinder productivity is asking for trouble. "It's a huge rat hole," he says. "Employees will quickly become dissatisfied. What's the difference between a visit to Hamsterdance. com and taking a few cigarette breaks? It's hard to enforce."

Pescatore estimates that up to 40% of companies in the United States are blocking URLs. In Europe, he says, even more companies are blocking "productivity sites"--sites that hinder employee productivity. Many companies are turning to software for URL filtering, but companies with existing proxy servers may turn to ASPs, Pescatore says.

ISP Pilot Network Services Inc. uses URL filtering. "Our customers don't want to manage URL filtering at the desktop," says Phil Simmonds, Pilot's director of technical marketing. "We run a proxy and control access to sites using automated controls. However, each company has different requirements. A pharmaceutical company, for example, may not want to filter drug sites."

Simmonds says the biggest issue for his customers is lost productivity. "Our customers don't want to lose revenue because employees are searching for jobs online," he says. "We don't filter productivity sites so much, because our customers aren't asking for it. Most are blocking standard sites like hate, cult, and porn. Beyond that, it's really up to the individual company. They can use the standard list or modify it."

The number of viruses is increasing at an alarming rate, bringing successful E-businesses to a temporary standstill and wreaking havoc on desktops. Trilling of the Symantec AntiVirus Research Center says Symantec discovers as many as 15 viruses every day. The situation is expected to get worse instead of better, making any device connected to the Internet a possible target.

One big factor is the rise of high-speed access technologies. Increased use of digital subscriber line technology and cable modems is expected to fuel the proliferation of viruses that replicate and distribute themselves without human interaction.

"If you're online all the time, you're open to security breaches," Trilling says. "If you can see the Internet, they can see you. You need a multitier solution that informs you of viruses at all levels--PC, file server, and gateway or firewall." Symantec's Norton AntiVirus Enterprise Solution offers protection at all these points. Symantec's product is part of a broader package designed to proactively address viruses.

Schrader of Trend Micro agrees that file-server and gateway solutions can work, but argues against desktop solutions. "Traditional antivirus products came from the desktop for Windows 95. That model falls short," he says. "Desktop-based virus protection just doesn't work for virus and worm outbreaks in a networked environment."

Trend Micro is working with ISPs, ASPs, and systems integrators that scan content and E-mail automatically for their customers before viruses reach enterprise systems. Pilot Network Services is one ISP that's using Trend Micro's products to scan viruses for its customers. "We used to scan weekly for viruses a couple of years ago," Simmonds says. "Now, we scan every day or more often when necessary. Viruses are becoming more prevalent, so we're constantly scanning."

Frank Prince, a senior analyst at Forrester Research, says some companies may be the victims of overconfidence in their ability to keep pace with security. "If you think you know enough to handle security, you don't," he says. "My opinion is you should outsource it to an ASP. Don't do your own security."

Prince also says ISPs should provide infrastructure-level security, but warns that they can't be held completely accountable. "ISPs should provide some types of security at the infrastructure level, and the costs will be paid for by the bulk of subscribers." Ultimately, though, the responsibility for security lies with the people who know what their information is worth. Says Prince, "Companies are responsible for their own security, even when they outsource it."

return to page 1