Located in Washington, DC, Albert Gore has been the director of IT operations at the Kennedy Center for three years. Within his organization, the use of social media sites by employees is a near-requirement. So when business demands dictate an open door to social media sites, how can an organization defend itself from this increasingly popular threat vector? Gore was kind enough to share his approach to this dilemma.
Center employees have always had access to social media sites – like Facebook, YouTube, and Twitter – said Gore. “Our business model made this a requirement”, he added, “but we started to get viruses and infections on our computers, because most of the Java scripting and Active-X scripting was not being caught by anti-virus products. Malware was usually embedded in the web pages or in other media files.”
Social media use was a business requirement for the Kennedy Center, he reiterates, “but we needed to implement something that would protect our data, especially with respect to PCI compliance”. The Center, on average, processes 5000 credit card transactions every day for items such as ticket sales.
Gore noticed that, every day, it appeared that at least two to three machines at the Center became infected, requiring clean-up and re-imaging. It was something that was taking up the vast majority of the IT department’s time. Of the 600 PCs in his IT environment, Gore says about 80% required re-imaging due to infections during a given year.
In a previous role at another company, Gore had implemented a web security gateway solution from Websense, and he decided to go the same route again after examining a few other options.
At the same time, the Center’s business need for social media use became increasingly important. Using social media also helps the center cut costs, as Gore revealed: “You don’t have to travel to China to look at a performance; you can now do this online.”
“It helps us to make money and increase our profit. As an IT department, in this case, we can’t go back and say ‘Facebook is not allowed’ or ‘YouTube is not allowed’.” Instead they had to allow access to these sites, “but put a robust security solution in place so the Center would not be exposed to infections”.
Gore explains that the technology put in place allows access to necessary social media sites “without headaches” by monitoring, in real-time, for policy violations and potentially malicious scripts. Therefore, it provides access to the sites, but still monitors activities once the user has logged in.
Putting this type of solution in place, he continued, means that his IT department does not have to manage policy from day to day. “I have an enterprise background with different companies, Gore shares, “but [the Center] is the first organization I have been with that allows access to nearly every site while web browsing”. It may seem like a lawless environment, he adds, but that is far from the case. Working quietly in the background is the web gateway security solution.
The results of the new approach have been clear: a decrease in helpdesk call volume, fewer alerts, and less time spent with virus/infection issues. And a year and a half after implementing a technology solution, Gore cannot recall any new infections within the Center’s IT environment.
“The most valuable thing in our environment is my time, and my team’s time”, Gore asserted. “Now they can actually focus on improving things, rather than running around and cleaning up machines.”
And when it comes to usage policy, Center employees are free to browse web pages for personal purposes, so long as it does not interfere with their primary job function or performance, Gore noted. Yet the Center still monitors every browsing session for violations of acceptable use and potentially malicious sites.
“It’s a very relaxed environment” Gore observed – perhaps the most relaxed he has ever encountered. “But it still needs to be secure”, he assured.