Subject: What are the most dangerous Internet applications used in the office? | Risks in the News | posted by ScottWright (Group Administrator) on Wednesday, December 10th 2008 @ 7:04 PM
http://www.paloaltonetworks.com/literature/ponemon_report.html
The above link leads to a report done by the Ponemon Institute, which analyzes the results of a survey they did on the risks of Internet application use in the workplace.
While the study lists their Top Ten risky Internet applications used in the workplace, I'm intentionally NOT listing them here in any particular order; primarily because I don't want anybody to hastily scan the list and draw any particular conclusions about whether or not they are at risk from them.
However, the survey report may or may not include the following applications:
- Skype
- Gmail
- Webex
- Limewire
- Facebook
- AOL Instant Messenger
- Hotmail
- BitTorrent
- eMule
- MySpace
- iTunes
It's an interesting study, but having had the chance to read it and discuss it with some of my peers in the security community, there are some unfortunate conclusions drawn by Ponemon.
It's not that the applications they've identified are not significant risks in the enterprise environment; it's that the list of applications seems rather limited and arbitrary, and the definition of "risk" did not really seem to be nailed down before asking the IT security experts about them in the survey.
Ponemon does some detailed analysis from their plentiful raw data, but might have been better off focusing on gathering info on fewer issues, and allowing for assessment of a wider range of applications.
The result is that many security experts will question the validity of the survey, and therefore, its conclusions. However, there is no doubt that there is growing concern over the proliferation of web-enabled applications that have overlapping utility for personal and business use; many of them with serious risk attached to them.
It's certainly worth looking at your own organization's situation. My recommendation (off the top of my head) is to try to take the following steps, sooner rather than later:
- Do a firewall log dump of all the domains accessed, and rank them from heaviest use to least
- Identify which are just "surfing" and which are being repeatedly used by individuals
- Determine the average usage per day, averaged out per person in the organization (no need yet to panic unless it's clearly abnormal and suspicious use from particular individuals)
- Determine whether or not the sites are being accessed "for legitimate business use"; now panic if the "average individual non-business usage" is over an acceptable threshold (i.e. 5% of the day, 5% of the web requests, or more than 10 requests/transactions per day - just wild guesses on my part)
- Gather information about risks associated with the top 10 domains from security experts familiar with each one
- Look at the feasibility of using technical safeguards that can limit the risks from ANY type of Internet application (i.e. preventing users from installing software programs, filtering access to specific domains or IP addresses, or using Data Loss Prevention tools to catch specific types of information going out over the Internet, etc.)
- If you decide not to completely block these sites, then at least educate people on the risks of using them and how to use them responsibly.
- If you do decide to block the sites or applications, consider providing a number of systems as public kiosks that can be used for personal surfing and web-errands. These can be set up to not store personal data, or wipe it clean on a regular basis, for privacy reasons. This not only removes a lot of risk from your operational network, but makes it more obvious when people are doing personal business in the office.
- Remember, just because a site or application isn't on a particular survey's Top Ten List doesn't mean it doesn't have risks to your organization. It's important to know what sites and applications are being used, and to know the risks they might pose to your enterprise environment.
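As an added illustration of the log-review steps above (example code written for this page, not from the post or the Ponemon report): it assumes a hypothetical three-field log dump of "date user domain", a constructed sample, and an assumed list of business domains, then ranks domains by use and flags anyone whose non-business requests exceed the post's 5% or 10-per-day thresholds.

```python
from collections import Counter, defaultdict

# Assumed log format (hypothetical, for this example): "YYYY-MM-DD user domain",
# one line per outbound web request. The "legitimate business" domain list is
# also an assumption; in practice it comes from the review step in the post.
BUSINESS_DOMAINS = {"crm.example.com", "mail.example.com"}
SHARE_THRESHOLD = 0.05      # flag if > 5% of a person's requests are non-business
DAILY_THRESHOLD = 10        # ... or more than 10 non-business requests in a day

def parse_log(text):
    """Return (day, user, domain) tuples, skipping blank or malformed lines."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(r) for r in rows if len(r) == 3]

def rank_domains(records):
    """Rank accessed domains from heaviest use to least."""
    return Counter(domain for _, _, domain in records).most_common()

def per_user_day(records):
    """Count total and non-business requests per (user, day)."""
    stats = defaultdict(lambda: [0, 0])          # (user, day) -> [total, non-business]
    for day, user, domain in records:
        stats[(user, day)][0] += 1
        if domain not in BUSINESS_DOMAINS:
            stats[(user, day)][1] += 1
    return stats

def flag_users(records):
    """Users whose non-business use exceeds either threshold on some day."""
    flagged = {}
    for (user, day), (total, non_biz) in per_user_day(records).items():
        share = non_biz / total
        if share > SHARE_THRESHOLD or non_biz > DAILY_THRESHOLD:
            flagged[user] = {"day": day, "share": round(share, 3), "non_business": non_biz}
    return flagged

# Constructed sample: alice makes 39 business requests and 1 personal one (2.5%);
# bob makes 8 business requests and 12 to a social networking site.
SAMPLE_LOG = "\n".join(
    ["2008-12-10 alice crm.example.com"] * 39
    + ["2008-12-10 alice facebook.com"]
    + ["2008-12-10 bob mail.example.com"] * 8
    + ["2008-12-10 bob facebook.com"] * 12
)
RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for domain, count in rank_domains(RECORDS):
        print(f"{count:5d} {domain}")
    print(flag_users(RECORDS))
```

On the constructed sample, alice stays under both thresholds while bob is flagged for 12 non-business requests (60% of his day), which is the "clearly abnormal" case the post says to look at first.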
Please comment if you have any additional recommendations or questions.