
RE: How much does P2P cost businesses?

Subject: RE: How much does P2P cost businesses?
Date: Wed, 1 Dec 2004 14:40:20 -0500

From a security management aspect (how's that, Brad?), you should have a 
strict policy against the use of any such products on your corporate 
network, and executive management has to enforce that policy. P2P 
applications have little or no business value and should therefore be 
banned from your network entirely. There are technological ways to do 
this, but the first step should be a formal decree.

The legal risks and productivity impact will have a measurable effect on 
the business, not to mention potential loss of proprietary data or 
confidential records. If you have to "sell" this concept to management, 
ask if they think it's a good idea to allow assault weapons in the office.

You should also draft a detailed explanation to all employees as to why 
this stuff is bad, and be sure to explain that it drastically increases 
the risk of identity theft. In other words, make it personal.

In my experience, your biggest challenge will probably be in stopping the 
IT department from using and abusing the network for their own personal 
use. 90% of the time, these are your biggest culprits. Unfortunately, IT 
security people often have to play the part of the "Internal Affairs 
Bureau", which can be awkward.

Good luck.

 



"Beauford, Jason" <jbeauford@EightInOnePet.com>
12/01/2004 11:35 AM

To: "OBrien, Brennan" <BOBrien@columbia.com>, "Joel Merrick" <joel@servicestyle.com>, <security-management@securityfocus.com>
cc:
Subject: RE: How much does P2P cost businesses?






Cost per hour can be determined by looking at your bandwidth costs per
month.

How long does it take for REAL work related network tasks to complete
because of bandwidth issues; how much time wasted in waiting?

Fines from BSA upwards around $250,000 per incident if pirated software
is found on your network.  What about STORAGE and Backup times?  Where
are your users storing this crap?  How much money are you throwing at
your servers/desktops to increase their storage so the OS will run?  Are
you backing this crap up?  How MUCH longer is it taking to back up?  With
regards to business continuity, it will take THAT much longer to recover
lost WORK Data as the tape needs to filter through the recorded files.
Also, tapes themselves cost money.  If you are backing up 150GB and half
is .mp3's, movie files and other pirated/cracked software, you are
wasting money on tape and storage costs.

Additionally, how much TIME are you the admin spending repairing
problems caused by these programs?  Are things like SPYWARE and ADWARE
plaguing your network?  If so, P2P like Kazaa, Limewire, Morpheus etc
include SPYWARE with their programs.  So not only is your network
bandwidth reduced due to file transfers, but also due to constant
connection of spyware and adware.  This slows down the desktop too and
causes ridiculous amounts of pop ups.  If you are spending time battling
that, it must be factored in.

But that is the minor stuff.  Brennan hit it on the head with
confidential corporate exposure.  However 1% probability might be too
lenient on the end user.  By default these programs can create a
sub-folder under MY DOCUMENTS (in Windows obviously).  How many people
save important corporate data in their My DOCS?  It takes one extra
click to navigate to that P2P's default SHARE folder of that P2P.

And geez.. What if some idiot end user looking for that cool Holiday
Screensaver downloads a Virus, Worm or what have you.  Now not only is
their PC affected, but the entire Network is at risk.

P2P = VERY BAD for Corporate Networks.  Block that crap at the Firewall
via Egress filtering and keep it moving.  It's tough enough having to
deal with daily IT functions and keeping systems up and running without
having to worry about all of this P2P.

However I understand the need to prove to management via RISK ANALYSIS.

If you come up with something that can be generalized, maybe you can
share with the forum?

Kind Regards,

JMB

-----Original Message-----
From: OBrien, Brennan [mailto:BOBrien@columbia.com] 
Sent: Wednesday, December 01, 2004 11:15 AM
To: Joel Merrick; security-management@securityfocus.com
Subject: RE: How much does P2P cost businesses?


I'd doubt there are any definitive studies on this, but you can
reasonably ascertain the impact... 

X number of staff, of which Y% use P2P services, $Z burdened cost per
hour. 

Risk:  Illegal file sharing leads to lawsuit.  1% probability, huge
cost. 

Risk:  Users accidentally expose internal confidential information.  1%
probability, moderate cost (potentially high depending on your
environment). 

Risk:  Lost time spent dinking around with this stuff. 100% probability,
small incremental cost. 

Now you've got everything you need to make a valid assessment of impact
(except, perhaps, the back half of the equation -- what you would do to
stop it, and how that would impact the bottom line in comparison to the
original calculation... that delta value is your budget). 

Brennan




-----Original Message-----
From: Joel Merrick [mailto:joel@servicestyle.com] 
Sent: Wednesday, December 01, 2004 6:39 AM
To: security-management@securityfocus.com
Subject: How much does P2P cost businesses?

Hi all

I'd be interested if anybody has any links to reports or other
quantitative info about how much P2P or other file sharing costs
businesses.

I've seen a couple of links in the past, however I can't find them.

Any help would be gladly appreciated.

Many thanks,
Joel

-- 
Joel Merrick

email:  <joel@servicestyle.com>
mobile: 07929 208 567
ServiceStyle Ltd. - Manchester's Technology Experts
https://www.servicestyle.com

GPG Public Key - https://www.servicestyle.com/joel_servicestyle.asc



