
January 22, 2007

All Tangled Up in the Greynet?

This past November, FaceTime Communications released Employee Use of Greynets: 2nd Annual Survey of Trends, Attitudes & Impact (free download but registration required). Greynet is the term given to applications that users download to their PCs without the permission of IT network administrators and without an awareness of the possible security implications. I discovered this report through 2 very recent online articles. Joe Wilcox reported on this in Don't Get Caught in the Greynet at microsoft-watch.com and made some suggestions on how to deal with it. Brian Prince at eWeek.com wrote Risky Employee Behavior on Web Threatens Corporate Networks, summarizing the report. Both articles generated a couple of interesting comments.

The FaceTime report indicates key greynet application categories are:

  • Instant messaging (e.g. AOL Instant Messenger, MSN Messenger, Yahoo! Messenger)
  • Web browsing/surfing (including streaming media and RSS)
  • Peer-to-peer file sharing (e.g. BitTorrent, Kazaa, etc.)
  • Peer-to-peer collaboration (e.g. WebEx, PlaceWare)
  • Anonymizers and proxies (e.g. Tor, Ghostsurf)

The problem with greynets is real.  FaceTime reports that 75% of the surveyed IT managers reported spyware and adware attacks resulting from greynets.  In addition 57% reported viruses, trojans and worms.  Other problems included malware and rootkits.

So what do we do about this?

Although there were not a lot of comments on the articles, they did tend to fall into 2 stereotypical categories.

  • Typical IT response - Those clueless users don't really know what it takes to run the network and how much harm these applications can cause and besides they don't really need the software.  They just need to follow the rules and don't download anything and if we determine they need an application we will get it to them when we have time.
  • Typical User response - These applications are useful.  We download them for convenience, speed and productivity improvements.  We don't review them with IT since they simply either say "No" or don't respond in any reasonable timeframe.

As Joe Wilcox recognized, users will download greynet applications and it is unrealistic to think we can stop it.  All the ranting, policy writing, withering looks and severe frownings won't stop it.  We need to figure out a way to deal with it.  I propose the following:

  1. Recognize that much of this software is really useful and it is the user not IT that determines the usefulness.  So if the usefulness isn't apparent to you - get over it.
  2. Make employee awareness of security issues a key part of your security program.  As I indicated in an earlier post this is key to making your security program work.  As John Colley stated:

    "We need to remind ourselves again and again that information security is not a technology issue – it’s a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees that deliver our services and the customers that take advantage of them, as well as the senior executives and board room directors that grant us our budgets."

  3. Provide a way for users to run an application by IT and get a quick response in terms of any security issues.  The review is security-oriented only; it is not for IT to judge the usefulness.  Leave the usefulness issue to the user and his or her supervisor.

If you make employees aware of the security issues and provide them a way to quickly get the applications they determine they need while complying with security requirements, you'll have a lot more success.

So what about the guy that wants to download video poker?  Admittedly, they may not want to run that by IT even if we are non-judgemental.  I am pragmatic: we won't get the opportunity to review all greynet apps, but we can catch most.  Additionally, by providing a simple way for users to get the applications they need and meet security concerns, managers are more likely to support our efforts to stop truly unnecessary greynet applications from being installed.

Creative Commons License 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.