File-sharing risk a company's responsibility to restrict

FTC report says sensitive files exposed through P2P intrusions

The Washington Post published an alarming story today about the risk to company computer networks from employees who visit file-sharing sites to acquire music, software or videos for personal use.

Network World also reported on the story. The Post story was based on a report from the Federal Trade Commission, which said Monday it sent notices to 100 organizations, including businesses, universities and local governments, that sensitive information about their company and customers was exposed by unregulated use of peer-to-peer network (P2P) services by workers. The FTC is conducting deeper investigations into other companies whose customer or employee information has been exposed on P2P networks and may violate FTC regulations on protecting certain data.

"For example, we found health-related information, financial records, and drivers' license and Social Security numbers--the kind of information that could lead to identity theft," said FTC Chairman Jon Leibowitz in a news release. "Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure."

The FTC did not identify any of the entities to which the letters were sent or that are being investigated further.

The Post story added that consumer and privacy advocates have long lobbied for tighter restrictions on P2P networks, particularly for such frivolous uses as downloading music from a Web service such as BitTorrent, BearShare or LimeWire. "Those and other peer-to-peer protocols allow users to grab unsecured files from other users' computers. Unless a company protects its data, many sensitive files could get in the wrong hands," the Post explained.

Since a large percentage of business and enterprise computer networks run on Microsoft Windows, network administrators should look to Microsoft for guidance, as Windows includes features designed to protect data from P2P breaches.

The new Windows 7 operating system for PCs, for instance, offers a feature called BitLocker that "encrypts your Windows hard disk to help keep documents, passwords, and other important data safe. Once you turn on BitLocker, any file that you save on that drive is encrypted automatically," according to a Microsoft product description. That will prevent an interloper from seeing what's in a file they're not supposed to be looking at in the first place.

And Windows Server 2008, the OS for businesses and other enterprises, warns on its support page against unrestricted use of file sharing and advises the use of Internet firewalls to secure the corporate network. "If you use the same network connection to connect to both the Internet and a home or office network, use a router or firewall that prevents Internet computers from connecting to the shared resources on the home or office computers," Microsoft advises.

I was surprised to see that 100 companies have to be told by the FTC that their networks were at risk because employees were using P2P services to access such trivial content as music and videos.

Don't IT administrators have policies or restrictions in place prohibiting use of the company network for personal reasons?

And don't the employees have work to do?

Copyright © 2010 IDG Communications, Inc.