Strict enforcement of acceptable use policies (AUPs) can dramatically reduce risk to corporate data, a new report by Israeli security firm Allot Communications shows.

The report is based on an analysis of data collected by Allot over a five-month period between November 2014 and April 2015. The information came from large enterprises and from service providers who provide Internet connectivity to small and medium businesses.

Doing an End Run Around AUPs

The data showed that much of the traffic blocked on corporate networks came from users attempting to access Web applications and services that were prohibited by their employers. Allot discovered that almost 92 percent of blocked Web traffic stemmed from employees trying to use social networks, online file-sharing services, consumer instant messaging tools and anonymizing services at work in violation of corporate AUPs. Just 8 percent of traffic was blocked because it contained malware.

Allot discovered that just having an AUP in place does not discourage employees from trying to work around it anyway. On average, employees in the study tried to access social networks more than six times per day, with Facebook being the most common attempted destination. Additionally, Allot counted an average of 1.5 attempts per day by employees to access sites containing content inappropriate for the workplace, such as gaming and dating sites.

Threats to Corporate Data

Traffic from employees using or trying to use prohibited instant messaging services was blocked 10 times more frequently than other Web content because of a relatively high prevalence of malware. Interestingly, Allot’s data analysis showed that employees use anonymizing services on enterprise networks to access websites and conduct transactions without revealing too much information. When compared to regular Web traffic, this anonymized traffic is blocked far more frequently because of potentially malicious content.

The results highlighted the risks to corporate data posed by employees attempting to access applications outside of the business’s policy, said Yaniv Sulkes, assistant vice president of marketing at Allot, in comments to Security Intelligence. Many of the commonly accessed Web applications — such as instant messaging, file storage, social networking applications and anonymizers — pose risks that may not be readily apparent, he said.

High-Risk Web Application Categories

Both social networking sites and instant messaging applications can be used for file sharing. Many of the file types prevalent on social media networks are also highly susceptible to malware, Sulkes said. In fact, 30 percent of the blocked malware in the Allot study came via JavaScript files, while 20 percent was courtesy of image files like .jpg, .png, .gif and .ico, he said. Employees can even use online storage services like iCloud and Dropbox to store sensitive corporate data right alongside personal information.

Similarly, the use of anonymizing services by employees can pose substantial risks to enterprise data, the report noted. Employees need to install software on their client devices in order to use an anonymizer. The software creates a virtual proxy that connects to a proxy network or public proxy server. The tools can be used by employees to evade enterprise firewalls and access Web accounts or services that are not permitted. From its study, Allot discovered that an average of 58 attempts are made per day to access anonymizer applications and related tools from within small and medium businesses.

Such trends highlight the need for companies to not just have AUPs, but also a way to enforce them, Sulkes said. Rather than focusing on perimeter-centric tools, enterprises need to be thinking about application-specific controls for mitigating risks posed by inappropriate use of risky Web applications in the workplace.