eWeek Microsoft Watch
November 14, 2006 7:35 PM

Combating the Enemy Within



Microsoft's lawsuit against an alleged malware distributor is another warning that downloads hide in the most innocuous of places. If your employees do the downloading, the enemy isn't outside the organization. It's within.

The vendor sued by Microsoft distributes celebrity screen savers, which apparently are quite popular. According to the folks over at McAfee, something like 15 million screen saver searches are conducted each month. This afternoon, I used my daughter's MacBook and Firefox to search for "screensavers." McAfee's SiteAdvisor flagged about half the entries on each search page as either suspicious or malicious.

The holidays bring out the spirit of the season, and people dress up their PCs with cheery screen savers or desktop wallpapers. Many of those downloads will bear unexpected gifts, such as spyware or Trojans. IT managers may assume that if employees are prohibited from downloads, the corporate network may be fairly safe from malicious software. What if that employee downloads a free screen saver at home that backloads malware and connects the PC to a botnet? If, as part of a botnet, your employees' PCs are spewing out spam or denial-of-service attacks at your servers, the enemy works for you.

The IT organization can take some action when the spammer, even if an inadvertent one, is an employee. One response is to provide free or low-cost security software to workers for home PCs. A few months ago, I asked a security software vendor about such an option. A marketing manager told me that in fact some of the security vendor's enterprise consumers had site licenses that allowed home distribution of the software. But he knew of no customers that had used the option. Enterprises didn't want to support the software on home PCs, he said.

Microsoft and Mozilla rapidly improve browser security features, such as anti-phishing tools or pop-up blockers, and make drive-by downloads more difficult. Those tools don't necessarily prevent malware installed with freebies that users choose to download.

Some actions that IT organizations can take:

  • Liven up the holidays by guiding employees to Websites known for safe software, even if for use on only a home PC. Microsoft's Windows Marketplace is one starting place. The company claims that all software available there is malware free.
  • Periodically send out employee e-mails with the links for free spyware and virus scans. Most major security vendors offer online scanning tools. The e-mails can raise security consciousness outside the firewall and maybe generate some good feeling for the IT organization.
  • As mentioned earlier, enact some program that puts security software on workers' home computers. With more people occasionally working from home, employees' personal PCs potentially pose increasing risk.

These suggestions aren't rocket science. But is good IT policy ever that hard?

Ziff Davis Enterprise