June 8, 2015 By Jaikumar Vijayan 2 min read

Strict enforcement of acceptable use policies (AUPs) can dramatically reduce risk to corporate data, a new report by Israeli security firm Allot Communications shows.

The report is based on an analysis of data collected by Allot over a five-month period between November 2014 and April 2015. The information came from large enterprises and from service providers who provide Internet connectivity to small and medium businesses.

Doing an End Run Around AUPs

The data showed that much of the traffic blocked on corporate networks came from users attempting to access Web applications and services that were prohibited by their employers. Allot discovered that almost 92 percent of blocked Web traffic stemmed from employees trying to use social networks, online file-sharing services, consumer instant messaging tools and anonymizing services at work in violation of corporate AUPs. Just 8 percent of traffic was blocked because it contained malware.

Allot discovered that just having an AUP in place does not discourage employees from trying to work around it anyway. On average, employees in the study tried to access social networks more than six times per day, with Facebook being the most common attempted destination. Additionally, Allot counted an average of 1.5 attempts per day by employees to access sites containing content inappropriate for the workplace, such as gaming and dating sites.

Threats to Corporate Data

Traffic from employees using or trying to use prohibited instant messaging services was blocked 10 times more frequently than other Web content because of a relatively high prevalence of malware. Interestingly, Allot’s data analysis showed that employees use anonymizing services on enterprise networks to access websites and conduct transactions without revealing too much information. When compared to regular Web traffic, this anonymized traffic is blocked far more frequently because of potentially malicious content.

The results highlighted the risks to corporate data posed by employees attempting to access applications outside of the business’s policy, said Yaniv Sulkes, assistant vice president of marketing at Allot, in comments to Security Intelligence. Many of the commonly accessed Web applications — such as instant messaging, file storage, social networking applications and anonymizers — pose risks that may not be readily apparent, he said.

High-Risk Web Application Categories

Both social networking sites and instant messaging applications can be used for file sharing. Many of the file types prevalent on social media networks are also highly susceptible to malware, Sulkes said. In fact, 30 percent of the blocked malware in the Allot study came via JavaScript files, while 20 percent was courtesy of image files like .jpg, .png, .gif and .ico, he said. Employees can even use online storage services like iCloud and Dropbox to store sensitive corporate data right alongside personal information.

Similarly, the use of anonymizing services by employees can pose substantial risks to enterprise data, the report noted. Employees need to install software on their client devices in order to use an anonymizer. The software creates a virtual proxy that connects to a proxy network or public proxy server. The tools can be used by employees to evade enterprise firewalls and access Web accounts or services that are not permitted. From its study, Allot discovered that an average of 58 attempts are made per day to access anonymizer applications and related tools from within small and medium businesses.

Such trends highlight the need for companies to not just have AUPs, but also a way to enforce them, Sulkes said. Rather than focusing on perimeter-centric tools, enterprises need to be thinking about application-specific controls for mitigating risks posed by inappropriate use of risky Web applications in the workplace.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today