Surfing a bigger risk than spam to company networks
Nearly 40 percent of the 200 Danish companies surveyed said their systems had been infected by a virus or worm, despite the fact that 75 percent had implemented a security policy, IDC Denmark said in its report, released Wednesday. But the malicious software in question is no longer primarily making its way through e-mail, as in the past.
"There is a common misconception that e-mails constitute the biggest security threat from the Internet," Per Andersen, IDC Denmark's managing director, said in a statement. "But the survey shows that up to 30 percent of companies with 500 or more staff have been infected as a result of Internet surfing, while only 20 to 25 percent of the same companies experienced viruses and worms from e-mails."
The risk of infection is about five times greater for companies that allow Internet usage by staff to go on unhindered and unmonitored, Andersen said.
The problem doesn't go away for companies that ban private Internet use, because often such policies aren't enforced, IDC found: About 30 percent of managers at such companies said staff accessed the Internet for personal use during working hours.
IDC believes that banning personal Internet use isn't realistic, particularly as a long-term solution. Instead, the research firm recommends closer monitoring of employees' Internet use and using tools that give management an overview of time spent and behavior patterns online.
"It can certainly be done in such a way that it does not constitute outright monitoring of the actions of every member of staff," Andersen said.
Attacks can come from relatively innocuous online sources, Andersen said. He cited the case of a poker Web site that placed a Trojan horse on users' PCs when they downloaded the site's help program.
Matthew Broersma reported for ZDNet UK in London.