This snapshot, taken on 04/03/2010, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.


Inappropriate use of Internet access - case study

The Organisation

The company concerned had a number of subcontracts with various IT firms to support different systems. In this case, a subcontractor was responsible for providing support to desktop PC users.

What Happened

The company had provided staff with Internet browsing access for some time, and it was widely used for research, booking travel, general information etc. Employees were largely trusted to use it responsibly. The company did not have any form of monitoring facility in place, but it did have a mechanism whereby a user had to enter a separate username and password to access the Internet.

In reality the username/password mechanism typically had a username for each department to which several users had access, so there was no real way to trace activity back to individuals - even if some form of logging system had been in place. The mechanism was also hated by users, who found it awkward and pointless.

To improve logging capabilities, and remove the need for a username/password, the company decided to install a proxy server on their network. The aim of this was to allow transparent authentication of the users who accessed the Internet by tying it to their normal network logon. This also meant that any sites visited could be listed and linked back to each user.

By law, the company had to ensure it informed all staff that the system was in place and usage would be monitored.

The day the system was ready, it was turned on. The users loved it; it made access much easier without having to log on each time. The firewall administrators loved it as it made managing Internet access easier. For the first time the systems administrators could see where people were going on the Internet.

Impact

Over a number of days the administrators spotted repeated accesses to a site that offered Eastern European brides to Western men. The hits all came from the same subcontractor, who appeared to be continually and repeatedly accessing specific parts of the site.

After a period of inspection the individual was asked about the activity - everyone suspected this to be the work of a lonely individual. The reality was even more intriguing. It transpired that far from looking for a wife online (which in itself would have been unacceptable), the man in question was running the business as a sideline and had been accessing the site to maintain it!

The individual was removed from the contract and his company did not have its arrangement renewed when it came up for renegotiation later that year. As a contractor, the individual was costing the company concerned an hourly or daily rate - so there was a direct cost in this misuse of the system during working hours.

Aside from the dubious legality of the site, there was also a suggestion that by visiting his own page, revenue that the subcontractor received from advertisers may have been artificially high. However there was never any direct proof that this had occurred - no one ever found out how long the accesses had been going on, or what amount of work time had been wasted in the process.

Lessons?

  • You may not know what is happening on your network, or where people are going on the Internet, until you start looking. You might be surprised who is going where. Your bandwidth costs money; make sure it is spent wisely.
  • Ensure any use of IT facilities can be traced back to the user. Record the time events occur so you can track what was done if necessary.
  • Although you have to trust employees, there are those who will bend or break the rules. Some people may feel that what they are doing is 'harmless fun'.
  • Ensure any access to, or storage of, illegal or offensive material is dealt with promptly. There have been cases where female workers have sued for sexual harassment over their male colleagues' continuous access to pornography in the office. Any access to child pornography (apart from being highly distasteful) is illegal and, more importantly, if you become aware that someone is doing this and do not report it, you are committing a criminal offence.
  • Publish a policy on what is acceptable and what is not. Define as clearly as possible what material is prohibited and also whether there are any general rules or time constraints (for example, personal use permitted between 12:30pm and 1:30pm). Make sure your users have read and understood the policy and are aware that activity may be logged and monitored. Include any disciplinary consequences for individuals found to be in breach of the policy.
  • Avoid using the same username and password for different users. In this example, the company would not have been able to prove (or even identify) the individual concerned if it had not been able to link the activity back to a single login name. Avoid usernames like temp1, contractor4, etc.
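As an added example (not part of the case study or of any product it mentions), the script below does the attribution the proxy made possible: it parses constructed Squid-style access-log lines, counts repeated visits by one login to one site, and flags logins such as contractor4, or an empty user, that cannot be traced to an individual. The log lines, host names, account-name pattern and the hit threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (not real data):
# time elapsed client-ip code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1267660800.123 120 10.0.0.21 TCP_MISS/200 5120 GET http://intranet.example/news alice DIRECT/- text/html
1267660860.456 300 10.0.0.34 TCP_MISS/200 9876 GET http://brides.example/edit/profile contractor4 DIRECT/- text/html
1267660920.789 210 10.0.0.34 TCP_MISS/200 4321 GET http://brides.example/admin/stats contractor4 DIRECT/- text/html
1267661000.000 180 10.0.0.34 TCP_MISS/200 2222 GET http://brides.example/admin/ads contractor4 DIRECT/- text/html
1267661100.000 90 10.0.0.21 TCP_MISS/200 1024 GET http://travel.example/book alice DIRECT/- text/html
1267661200.000 150 10.0.0.50 TCP_MISS/200 3000 GET http://brides.example/ - DIRECT/- text/html
"""

# Assumed pattern for logins that cannot be tied to one person: numbered generic
# or departmental accounts, or "-" where the proxy saw no authenticated user.
GENERIC_USER = re.compile(r"^(-|(temp|contractor|guest|user|dept)\d*)$", re.IGNORECASE)

def parse_line(line):
    """Split one Squid-style log line into the fields needed for attribution."""
    fields = line.split()
    if len(fields) < 8:
        return None
    ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    return {"ts": ts, "ip": fields[2], "host": urlsplit(fields[6]).hostname or "", "user": fields[7]}

def summarise(log_text, threshold=3):
    """Return (repeat_hits, unattributable).

    repeat_hits: (user, host, count, first_ts, last_ts) for each user/site pair
    seen at least `threshold` times, so one login repeatedly visiting one site
    stands out.  unattributable: sorted logins matching GENERIC_USER, i.e. hits
    that could not be traced back to an individual.
    """
    per_pair = defaultdict(list)
    unattributable = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if GENERIC_USER.match(rec["user"]):
            unattributable.add(rec["user"])
        per_pair[(rec["user"], rec["host"])].append(rec["ts"])
    repeat_hits = [(u, h, len(s), min(s), max(s))
                   for (u, h), s in sorted(per_pair.items()) if len(s) >= threshold]
    return repeat_hits, sorted(unattributable)

if __name__ == "__main__":
    hits, shared = summarise(SAMPLE_LOG)
    for user, host, n, first, last in hits:
        print(f"{user:12} {host:22} {n:3} hits between {first:%H:%M} and {last:%H:%M} UTC")
    print("logins that cannot be traced to a person:", shared)
```

With the constructed lines the only repeated user/site pair is contractor4 at brides.example, and both that generic login and the unauthenticated "-" are reported as untraceable.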