Web-Surfing Employees, Part 1: Are their Habits Your Legal Liability?

February 26, 2008 - By Justin E. Gehrke

By Justin E. Gehrke, CISSP, MCSA, Security+, A+

Whether your business is located in Puerto Rico or somewhere else in the world, it is very likely that you use internet connectivity to manage some facet of your operations. Even a business with only one Point of Sale (POS) computer needs internet connectivity to process or report transactions. Too many times, I've walked up to one of these single, kiosk-type register/computers to find the 16-year-old employee casually surfing the web. This obviously raises issues of productivity, salesmanship, and more. Most importantly, though, this seemingly mundane activity can cause major problems for your business. To what am I referring?

Let's assume that John or Susan has a few friends who have the same type of job or are bored at their home computers. Web-based versions of Instant Messaging and chat applications, such as Google Talk, no longer require the user to download and install anything. As long as the web browser was not securely configured when the computer was set up and features such as JavaScript and Java are enabled, your employee can chat the day away. A worse scenario is a POS computer that, as a whole, was never securely configured during installation. Perhaps the employee even logs on with an account that has Administrator privileges. If so, you can be certain that at least one third-party, productivity-killing program has been installed by high-school-age employees who know far more about your system (and, more importantly, about circumventing its safeguards) than you could ever imagine.

So what is the legal liability in these scenarios? It depends on your POS software, its version, and the attached peripherals. Older versions of these systems often stored the customer's credit card information when the card was swiped through the reader. Where is it stored? On the computer, of course! The major card brands, through the Payment Card Industry Data Security Standard (PCI DSS), prohibit storing full magnetic-stripe (track) data after authorization and have required merchants to move to POS versions that do not retain it. According to various sources, merchants who have not complied by the established deadlines will be penalized, per transaction, until compliance is achieved and verified. Okay, good news, but how would a hacker get the information out of the computer? Well, since your industrious employee made sure he or she could install Instant Messaging software (or simply used what amounts to a built-in vulnerability: the bundled MSN Messenger client), they may now have the ability to transfer files to and from your cash register. Isn't that great!
Wait, though: you feel comfortable because you know they're a good person (or at least not a convicted criminal). They are not the only threat. Combine internet connectivity with IM capability, a slew of unpatched vulnerabilities (since you decided that regular maintenance by a certified computer technician was an unnecessary operating expense), and the Trojan Horse that took root during a file transfer. Now, if and when your POS computer is compromised, you could be sued by your (now former) customers for failure to exercise due diligence. In this context, due diligence means that you, as the business owner, developed, implemented, and monitored a Computer or Network Security Plan; failing to do any of those three is what exposes you. Such a plan would surely include briefing users on their responsibilities, executing Acceptable Use Policies (AUP), running the register under a non-administrative account, keeping the operating system and applications patched, and locking them down tighter than a nuclear silo. This process would not shield you from legal liability in the event of an incident, but it would at least put you in a position to take legal action against the employee responsible. Part 2 of this article will address the second major legal liability and everyone's favorite: Copyright Infringement, Electronic Piracy, and what you can do to stop it.
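Before worrying about who can pull files off the register, a business owner should confirm whether the POS actually retains track data or bare card numbers on disk. The scanner below is an added example (not the author's code, and not from any POS vendor) that performs that check. It assumes the POS writes plain ASCII logs or exports, looks for ISO 7813 track 1 and track 2 layouts as well as bare 13-19 digit runs, and confirms each candidate with the Luhn check so timestamps and reference numbers do not produce false positives. The sample log embedded in the script is constructed for the demonstration.

```python
"""Scan POS logs or exports for stored magnetic-stripe (track) data and bare PANs.

Added example for this article; not the author's code. It assumes the POS writes
ASCII text files and that retained card data appears either as ISO 7813 track 1 /
track 2 strings or as a bare 13-19 digit account number. SAMPLE_LOG below is a
constructed input for the demonstration.
"""
import re
import sys
from pathlib import Path

# ISO 7813 track 2: ;PAN=YYMM<service code><discretionary data>?  (PAN 13-19 digits)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")
# ISO 7813 track 1: %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\?")
# Bare digit runs that could be a PAN; reported only if the Luhn check passes.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual display rule); mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_bytes(data: bytes, source: str = "<bytes>") -> list:
    """Return a list of findings (track data or Luhn-valid PANs) located in *data*."""
    findings = []
    covered = []   # (start, end) spans already reported as track data

    for kind, pattern in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in pattern.finditer(data):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue   # lookalike string, not a card number
            expiry = m.group(2 if kind == "track2" else 3).decode("ascii")
            findings.append({"source": source, "offset": m.start(), "kind": kind,
                             "pan": mask_pan(pan), "expiry": expiry})
            covered.append((m.start(), m.end()))

    for m in PAN_RE.finditer(data):
        start = m.start(1)
        if any(s <= start < e for s, e in covered):
            continue   # digits inside a track string that was already reported
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            findings.append({"source": source, "offset": start, "kind": "pan",
                             "pan": mask_pan(pan), "expiry": None})

    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_path(root) -> list:
    """Scan a single file, or every regular file below a directory."""
    root = Path(root)
    files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
    findings = []
    for path in files:
        findings.extend(scan_bytes(path.read_bytes(), str(path)))
    return findings


# Constructed sample log: two swipes whose track data was retained, plus a refund
# line carrying reference numbers that look like PANs but fail the Luhn check.
SAMPLE_LOG = (
    b"2008-02-26 12:01:07 SALE term=01 amt=42.17 "
    b"track2=;4111111111111111=09121011234567890?\r\n"
    b"2008-02-26 12:03:44 SALE term=01 amt=9.99 "
    b"track1=%B5500000000000004^DOE/JOHN^0912101?\r\n"
    b"2008-02-26 12:05:10 REFUND term=01 auth=1234567890123456 ref=4111111111111112\r\n"
)

if __name__ == "__main__":
    hits = scan_path(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(SAMPLE_LOG, "sample")
    for h in hits:
        print(f"{h['source']}@{h['offset']}: {h['kind']} {h['pan']} exp={h['expiry']}")
    sys.exit(1 if hits else 0)
```

Save it as, say, scan_track_data.py and point it at the POS application's data and log directories; the exit status is nonzero whenever something is found, so it can be dropped into a scheduled check. Any hit means full track data is being retained after authorization, which PCI DSS prohibits, and upgrading the POS software belongs at the top of the list before any of the lockdown work.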

Justin E. Gehrke is the founder of Geek Shui Living and an admitted obsessive-techno-compulsive who loves all things Geek. As a right and left-brained, packet-based being, he is available for independent consulting in the areas of IT and Network Security planning and testing, as well as web development and creative design. Send packets to him at GeekusGrandeus@geekshuiliving.com
