June 8, 2015 By Jaikumar Vijayan 2 min read

Strict enforcement of acceptable use policies (AUPs) can dramatically reduce risk to corporate data, a new report by Israeli security firm Allot Communications shows.

The report is based on an analysis of data collected by Allot over a five-month period between November 2014 and April 2015. The information came from large enterprises and from service providers who provide Internet connectivity to small and medium businesses.

Doing an End Run Around AUPs

The data showed that much of the traffic blocked on corporate networks came from users attempting to access Web applications and services that were prohibited by their employers. Allot discovered that almost 92 percent of blocked Web traffic stemmed from employees trying to use social networks, online file-sharing services, consumer instant messaging tools and anonymizing services at work in violation of corporate AUPs. Just 8 percent of traffic was blocked because it contained malware.

Allot discovered that just having an AUP in place does not discourage employees from trying to work around it anyway. On average, employees in the study tried to access social networks more than six times per day, with Facebook being the most common attempted destination. Additionally, Allot counted an average of 1.5 attempts per day by employees to access sites containing content inappropriate for the workplace, such as gaming and dating sites.

Threats to Corporate Data

Traffic from employees using or trying to use prohibited instant messaging services was blocked 10 times more frequently than other Web content because of a relatively high prevalence of malware. Interestingly, Allot’s data analysis showed that employees use anonymizing services on enterprise networks to access websites and conduct transactions without revealing too much information. When compared to regular Web traffic, this anonymized traffic is blocked far more frequently because of potentially malicious content.

The results highlighted the risks to corporate data posed by employees attempting to access applications outside of the business’s policy, said Yaniv Sulkes, assistant vice president of marketing at Allot, in comments to Security Intelligence. Many of the commonly accessed Web applications — such as instant messaging, file storage, social networking applications and anonymizers — pose risks that may not be readily apparent, he said.

High-Risk Web Application Categories

Both social networking sites and instant messaging applications can be used for file sharing. Many of the file types prevalent on social media networks are also highly susceptible to malware, Sulkes said. In fact, 30 percent of the blocked malware in the Allot study came via JavaScript files, while 20 percent was courtesy of image files like .jpg, .png, .gif and .ico, he said. Employees can even use online storage services like iCloud and Dropbox to store sensitive corporate data right alongside personal information.

Similarly, the use of anonymizing services by employees can pose substantial risks to enterprise data, the report noted. Employees need to install software on their client devices in order to use an anonymizer. The software creates a virtual proxy that connects to a proxy network or public proxy server. The tools can be used by employees to evade enterprise firewalls and access Web accounts or services that are not permitted. From its study, Allot discovered that an average of 58 attempts are made per day to access anonymizer applications and related tools from within small and medium businesses.

Such trends highlight the need for companies to not just have AUPs, but also a way to enforce them, Sulkes said. Rather than focusing on perimeter-centric tools, enterprises need to be thinking about application-specific controls for mitigating risks posed by inappropriate use of risky Web applications in the workplace.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today