Should HR decide which websites employees visit?

How much should HR be involved in IT [security] decisions?

And how do you decide what shouldn’t be allowed at work?

Since I started in IT, I have been either managing or working with content-based security solutions that can limit & restrict which sites employees (and guests?) are allowed to browse to while on the corporate owned networks.
On-prem proxies, cloud proxies with all the SASE buzzwords, next-gen & UTM firewalls and DNS security solutions all have one thing in common:
You can decide to allow or block domains & websites based on which content category they belong to.
In the majority of cases, these solutions are purchased to complement and maintain the security posture of the company, so the starting point is fairly straightforward and one everyone agrees on.

We should block:

🚫 Malicious sites
🚫 phishing
🚫 C&C

And we should allow:

✅ News
✅ Government/politics

As we go down the list, we may find categories that aren’t strictly security-related but that the company policy already lists as prohibited, so we continue:

🚫 Pornography
🚫 Peer-to-Peer / torrents / …

But then you reach categories such as “Adult” and “Nudity”; sometimes these include lingerie, and sometimes the solution has a separate category for lingerie.
Should the company block those pages? Should employees be allowed to shop for lingerie on-line during work hours?
This isn’t a security question, so the full category list is sent off to HR for review.
And sometimes the result is that the following categories are blocked, or flagged for potential blocking:

⁉️ Adult, nudity & lingerie
⁉️ Gaming
⁉️ Illegal sites
⁉️ drugs
⁉️ dining & drinking
⁉️ gambling
⁉️ social media
⁉️ cheating
⁉️ dating
⁉️ humor
⁉️ weapons
⁉️ violence

The justification is along the lines of: “They don’t need this for work.” or “They shouldn’t be viewing these sites while working.” or “These sites can be distracting.”

We’ve reached far beyond the security discussion at this point; we’re blocking because we can, not because we need to.
And in a few months’ time we’re going to have a lot of exceptions of all kinds.
We’ve banned pharmaceuticals, the local lottery, the company Facebook page, sports outlets, the CEO’s favorite restaurant page.

Did we improve security? No.
Did we annoy employees who might start looking for ways to bypass these measures, thus weakening security? Likely.

My opinion is to focus on the security aspect; the rest really doesn’t matter in most cases.
Exceptions can be POS terminals, [industrial] management systems and such, but not employee workstations.
And when someone argues “but our employees might be playing online solitaire or chess all day, so we need to block gaming,”
I usually respond with: “Technology doesn’t solve employee issues.”
And in my experience, high-performing employees, and the CEO, also use these sites when catching a break in-between projects & meetings.
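To make the argument concrete, here is an added example (my own illustration, not a vendor's product or the code of any filter mentioned above) of a category-based web filter that evaluates the security tier before the HR/productivity tier. The domain catalog and category names are constructed; the point is that the security verdict is never overridable, however long the list of productivity exceptions grows.

```python
# Added example: ordered evaluation for a category-based web filter.
# Security and company-policy categories are decided first and cannot be
# exempted; only HR "productivity" categories accept per-domain exceptions.
from dataclasses import dataclass, field

# Categories blocked for security reasons; exceptions never apply to them.
SECURITY_BLOCK = {"malicious", "phishing", "c&c"}
# Categories the company policy prohibits outright.
POLICY_BLOCK = {"pornography", "p2p"}


@dataclass
class Policy:
    hr_block: set = field(default_factory=set)    # categories HR asked to block
    exceptions: set = field(default_factory=set)  # domains exempted from hr_block

    def verdict(self, domain: str, categories: set) -> str:
        """Return 'block:security', 'block:policy', 'block:hr' or 'allow'."""
        if categories & SECURITY_BLOCK:
            return "block:security"   # evaluated first; exceptions ignored
        if categories & POLICY_BLOCK:
            return "block:policy"
        if categories & self.hr_block and domain not in self.exceptions:
            return "block:hr"
        return "allow"


# Constructed sample lookup (domain -> categories), standing in for a vendor feed.
CATALOG = {
    "lottery.example": {"gambling"},
    "casino.example": {"gambling"},
    "facebook.example": {"social media"},
    "bistro.example": {"dining & drinking"},
    "login-update.example": {"phishing", "social media"},
    "news.example": {"news"},
}


def evaluate(policy: Policy) -> dict:
    """Apply a policy to every catalog entry and return domain -> verdict."""
    return {d: policy.verdict(d, c) for d, c in CATALOG.items()}


# Security-only policy: nothing to exempt, phishing still blocked.
security_only = Policy()
# HR-expanded policy: three exceptions already needed to get the "normal" sites back.
hr_expanded = Policy(hr_block={"gambling", "social media", "dining & drinking", "gaming"},
                     exceptions={"lottery.example", "facebook.example", "bistro.example"})

if __name__ == "__main__":
    for name, p in (("security-only", security_only), ("hr-expanded", hr_expanded)):
        print(name, evaluate(p), "exceptions:", len(p.exceptions))
```

Both policies end up allowing the same business sites and blocking the same phishing domain; the HR-expanded one just carries an exception list that will keep growing.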

What’s your view on this, should companies prevent access to non-work-related websites?

Leave a comment on my LinkedIn post on this subject: https://www.linkedin.com/feed/update/urn:li:activity:7283820170551148544/