Security Training Videos:
“Get Net.Smart -- Internet and E-mail at Work”
by M. E. Kabay, PhD, CISSP-ISSMP
Associate Professor, Information Assurance
Dept. of Computer Information Systems
Norwich University, Northfield, VT 05663-1035 USA
This series of short reviews is intended to help security-awareness officers evaluate training videos for their training programs. The author and his employer have no financial interest in or involvement with the companies whose products are reviewed.
* * *
The training video “Get.Net.Smart” from Commonwealth Films < http://www.commonwealthfilms.com > is subtitled, “Using the Internet and E-mail at Work.” The film starts with an introduction to a number of people at "work" who are, respectively,
* looking for a date;
* checking the stock market;
* bidding for a Wonder-Woman lunchbox;
* downloading statistics for a fantasy sports team;
* looking for a new job;
* surfing sites the employee does not want to discuss.
The problem of Internet abuse surfaced through the combination of low productivity with online resource saturation. The analysts explain that as long as all employees are properly warned about possible investigation, any organization can investigate the use of corporate resources. Each of the following incidents includes analysis and recommendations.
In the first vignette, Stephanie complains about not being able to complete her workload; however, analysis of log files shows that half of her time at work is spent on purely personal activities -- shopping, auctions, three-page personal letters about her latest romantic holiday. The analysts comment that in addition to risking termination of employment, such abusive employees may damage their company's credibility in billing for their time. Claiming such personal activities as part of billable work to clients constitutes fraud and may lead to legal action against the employer.
The second story concerns Dave, a low-producing employee who stays at work late every night -- playing a collaborative computer game. His e-mail in-box is full of messages from his friends. Result: world-standing as a master and a pink slip.
A third incident starts with Susan's friend Carol, who sends out a request for electronic birthday cards to a group of people in and out of the company. By noon, the message has been forwarded and reforwarded to so many people that hundreds of messages -- many from complete strangers -- have poured in to the corporate e-mail system. Unfortunately, Carol sets up an automatic response that attaches a huge video file to the outbound messages. The video is so popular that thousands of strangers write in and automatically get sent the video. By 4 pm, the company e-mail system has to be shut down for eight hours.
Linda works hard all day, and whenever her boss stops by, she has a spreadsheet on her screen. Unfortunately, almost all of her work is for her own profit: she runs a commercial service that provides background checks on possible dates; the "spreadsheet" is a screensaver. Worse still, investigation reveals that Linda is using the confidential credit report services paid for by her employer and selling these to her personal clients. Thus in addition to stealing her employer's money by being paid for hours she did not work, she is also putting the employer at risk for violating their clients' privacy.
Many employees in the company receive pornographic messages from unknown senders; most simply delete the messages, not realizing that such incidents should be reported at once to system supervisors and that the messages and files can be used as evidence in investigation and prosecution. Over the next few weeks, the incidents increase in frequency and offensiveness, and many employees complain of sexual and racial harassment. Investigation reveals that Frank spends more than half his time visiting forbidden Web sites, downloading pornography and racist jokes. When he is caught, he protests that monitoring his Web surfing is an invasion of privacy and threatens to sue. Wrong: there is no such right to privacy when using corporate resources for Internet access as long as policies are clear.
Annette participates in a chat room and happens to mention that there is a job opening at her company. When asked for details, she unthinkingly reveals that the former job holder, Waldo -- whom she names -- was fired. "Why?" asks someone -- and the situation declines from there. Annette answers that he was fired for incompetence and quotes a line from his performance review; others in the chat room join in with insulting remarks; someone collects them into a humiliating "Job Performance Review" about "Waldo." Within days, the document is circulating through the Internet and reaches millions of people. Waldo sues the company for defamation, slander and revealing personal personnel information. The attorneys track the insulting remarks back to Annette and the employer loses the lawsuit.
In another incident, the technical support crew gets an anonymous tip about Harry's use of the company systems. Monitoring shows that almost all of Harry's e-mail messages are encrypted using an unauthorized computer program. Because he works with classified data on a government contract, this behavior is alarming to the investigators; they therefore install keystroke-capture software on Harry's computer. The investigation reveals that Harry may be breaking the law; the company calls in the police and he is arrested.
The film ends with a summary of the importance of respecting corporate guidelines on personal use of the Internet at work -- and a reminder that breaking some laws may result in massive fines and years in jail.
This film was written and directed by Webster Lithgow; the producer was Jennifer Wry. Technical advisors included Theodore L. Banks of Kraft Foods; Gary Cohen of The Prudential; Douglas David, CRM, CDP of Boise Cascade Corporation; Michael Gerdes, CISSP of AtomicTangerine; Alan Hodel of Compaq Computer Corporation; Thomas Peltier of Netigy Corporation; and Alan Roper of Hughes Space and Communications Company.
Good job, everyone!
* * *
Information about M. E. Kabay, PhD, CISSP-ISSMP < mailto:mekabay@gmail.com > is available at < http://www.mekabay.com/ >.
Copyright © 2003 M. E. Kabay. All rights reserved.