IT Security: New copyright act has a silver lining?
by Andy Prow, MD, Aura Security
Some businesses are concerned that the new Copyright (Infringing File Sharing) Amendment Act 2011 now means they are liable for the errant Internet usage of their employees.
This can indeed be the case, and with the Act now enforceable, companies can't afford to ignore it.
However, there may be some positive, albeit unintended, outcomes to the legislation. With some preparation and a little vigilance, companies can use the Act to firm up their own Internet security policies and operations, which can only be a good thing.
Lack of vigilance now costly
The reasons are obvious: businesses now need to be more vigilant about their employees' Internet usage, as they face fines of up to $15,000. Account owners are liable for all copyright-infringing files being downloaded or uploaded on peer-to-peer file-sharing networks by anyone using their network even if such activity was unauthorised by the business itself.
Ironically, it seems that companies that provide Internet access as an "incidental feature of [their] main business activities" such as cafes, hotels and councils, are oddly defined as ISPs as opposed to specific "Internet Protocol Address Providers" or IPAPs like Telecom.
Because of that, they are potentially exempt from liability for what their users are downloading. This was presumably how the recently rolled-out Wellington City Council free Wi-Fi network was legally justified.
However, businesses that provide Internet access on their wired or wireless networks to their employees are considered to be IPAP "account holders" by the Act. As such, they are liable for everything that's shared on the Internet, especially on P2P networks.
How it used to be
Before the Act, employee file-sharing might have been overlooked by a company, especially on networks where users can plug in their own devices or install their own software. Now, however, if your employees repeatedly download copyright material that rights holders take exception to, your company could be liable for damages.
This could be a problem particularly for smaller businesses that don't have the resources to lock down or continually monitor their Internet traffic.
What can you do for your company?
First and foremost, have an acceptable Internet use policy that covers file sharing. Second, make sure that all staff on your network are familiar with this policy.
I know most corporates don't see updating their policies as a top priority and most staff don't have "reading the company's HR policies" on their "top 10 things I must do today" list. With the potential impact of this new law, it's time to change that.
At a technical level, every company these days should have a web-proxy that requires authentication. This forces all outbound web-traffic through a monitored choke-point.
However, peer-to-peer file-sharing applications use a whole range of ports. You need to ensure that your corporate border-firewalls have clear rules to block all outbound traffic unless specifically required.
Even with these measures, dedicated and tech-savvy copyright infringers can tunnel out over encrypted channels using, for instance, Secure Shell (SSH) port-forwarding over port 443. For that reason, look out for excessive or consistent HTTPS traffic; if you detect anomalous traffic, investigate it immediately.
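An added example, not part of the original article: one way to look for the "excessive or consistent" HTTPS traffic described above, run over constructed flow records. The log layout, the two thresholds and all addresses are assumptions for illustration and would need tuning against your own baseline.

```python
from collections import defaultdict
from datetime import datetime

BYTES_LIMIT = 500 * 1024 * 1024  # assumed "excessive" volume per src/dst pair per day
HOURS_LIMIT = 20                 # assumed "consistent": active in >= 20 distinct hours

def parse_flow(line):
    """Parse 'ISO-time src dst dport bytes' (a hypothetical flow-log layout)."""
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)

def flag_https_anomalies(lines, port=443):
    """Return {(src, dst, date): [reasons]} for port-443 flows worth investigating."""
    volume = defaultdict(int)   # total bytes per (src, dst, day)
    hours = defaultdict(set)    # distinct hours of the day with activity
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = parse_flow(line)
        if dport != port:
            continue
        key = (src, dst, ts.date().isoformat())
        volume[key] += nbytes
        hours[key].add(ts.hour)
    findings = {}
    for key in volume:
        reasons = []
        if volume[key] >= BYTES_LIMIT:
            reasons.append("excessive")
        if len(hours[key]) >= HOURS_LIMIT:
            reasons.append("consistent")
        if reasons:
            findings[key] = reasons
    return findings

def constructed_sample():
    """Constructed flow lines: normal browsing, one bulk transfer, one all-day session."""
    day = "2011-09-05"
    lines = [f"{day}T09:15:00 10.0.0.21 198.51.100.7 443 2500000",
             f"{day}T13:40:00 10.0.0.21 198.51.100.7 443 1800000",
             f"{day}T14:05:00 10.0.0.34 203.0.113.50 443 700000000",
             f"{day}T10:00:00 10.0.0.34 203.0.113.50 80 900000000"]
    # One modest flow every hour to the same host, as a session held open all day would show.
    lines += [f"{day}T{h:02d}:30:00 10.0.0.58 192.0.2.99 443 4000000" for h in range(24)]
    return lines

if __name__ == "__main__":
    for (src, dst, day), why in sorted(flag_https_anomalies(constructed_sample()).items()):
        print(day, src, "->", dst, ", ".join(why))
```

Where the authenticated proxy logs a username, keying on the user instead of the source address ties a finding back to the acceptable use policy.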
How about Wi-Fi?
Of course Wi-Fi security is more important than ever, especially with corporates that allow personal and unmanaged laptops and mobile devices onto shared corporate Wi-Fi networks.
I predict that in the wake of the Copyright Amendment Act, more unsecured or poorly-secured business networks - especially Wi-Fi networks - will be compromised for the purposes of downloading copyright material. If this happens to your company you won't just be facing excess bandwidth costs which might otherwise go unnoticed.
Instead, you could be facing a much nastier surprise in the form of a hefty fine from the Copyright Tribunal. Forewarned is forearmed, so plan to tighten up your Internet policies and security now before it's too late.
All of the above steps aren't just to stop unwanted downloads of copyright material. They're also good practice from a security perspective.
Make the most of the new legislation; if you've ever needed a reason to better secure your corporate network, or needed the business case to justify it, then the new Copyright Infringement Act is the perfect excuse.
Andy Prow is the managing director of Aura Information Security
Contributed content is the opinion of the author only, and not necessarily the view of IITP.