The importance of effective peer-to-peer policies

Peer-to-peer programs like Kazaa and eDonkey are popular ways to share files over the Internet, but they present huge security and legal threats to your organization. Here's why having an effective peer-to-peer file-sharing policy in place is important.

Napster. It all really started with Napster. Free music, seemingly. Download a small program, grab a broadband connection and begin sharing all the music you could want. All for free.

Then reality--and the lawsuits--hit. Everyone, from students to parents, was sued. Napster, forced to close, would later re-emerge as a legitimate company with an actual and viable business plan.

Unfortunately, not all peer-to-peer networks followed the same road. Many file-sharing applications, particularly those leveraging entirely distributed networks, lived on to thrive on the Internet. In addition to frequently trading pirated material in violation of numerous international copyright laws, they also serve as a potent distribution channel for dangerous viruses and troublesome spyware.

Consumers still flock to these peer-to-peer networks. Worse, end users may even be using them on your network.

Just say no

It's difficult to see how any peer-to-peer program--including the popular BearShare, Kazaa, LimeWire or Morpheus applications--could have a beneficial impact within a proper organization. Everyone from the Recording Industry Association of America to the Federal Trade Commission has come out urging consumers to be wary when using file-sharing programs. According to one estimate published by Wired News, some 45 percent of the executable programs accessed on Kazaa contained malicious code.

While there may be a handful of legitimate uses for peer-to-peer file-sharing networks, the disadvantages (often including automatic spyware infestation) typically outweigh the benefits. The vast majority of material traded on these peer-to-peer networks frequently contributes little to the job responsibilities of most of your organization's employees.

File-sharing programs, by their very nature, also place your organization's data at risk. End users who aren't technologically literate can easily share their system's entire root drive. The result wouldn't be pretty: all of the system's data--including any employee information, medical records, customer data, sales and financial records and other sensitive material--being freely distributed on the Internet.

To avoid the risk that your organization could be found liable for fueling the trade of pirated content, to reduce the likelihood of introducing new viruses and spyware, and to protect your organization's data, consider banning peer-to-peer application use outright in your firm.

Start with technology

Your organization likely already leverages firewalls, group policies and account restrictions to prevent users from downloading, installing and operating peer-to-peer applications. But technological solutions aren't foolproof.

Countless file-sharing networks work with numerous peer-to-peer applications, so closing the door on every combination proves difficult. Implementing a policy that restricts the use of file-sharing programs will provide blanket coverage in the event an employee discovers a method of circumventing your organization's technological controls.

Implement a policy

Doubtless, many human resources departments will insist on implementing policies. Combined with technology solutions, the one-two punch can prove successful in eliminating peer-to-peer file-sharing applications from your organization's network, systems and equipment.

If you're uncertain whether your organization needs a file-sharing policy, check out TechRepublic's Peer-To-Peer Vulnerability Assessment. The interactive Microsoft Excel spreadsheet will help gauge your organization's exposure. By reviewing specific criteria regarding your organization's industry, technology solutions and culture, and by ranking specific aspects of those criteria, the tool makes it easier to obtain a more objective determination.

Should you need to implement a policy, review TechRepublic's Peer-to-Peer Policy. The ready-made template can be used as-is, or you can customize it to meet specific organization requirements.

However you develop it, your organization's policy should be sure to address several issues, including:

  • Statements that end users are prohibited from downloading, installing or operating peer-to-peer file-sharing programs on any organization-provided computers, systems, networks and equipment
  • Examples of prohibited file-sharing programs
  • Acknowledgement that the employee has read and understands the terms of the policy
  • Potential penalties resulting from violations of the policy or any of its tenets

Once the policy is complete, simply distributing the document to employees doesn't finish the effort. Information Technology departments must continue to monitor networks; update firewalls, servers and other security appliances as required; and enforce the policy.

For more information on implementing effective policies, review the following TechRepublic articles: "Use a policy audit to ensure that your policies are followed," "Learn how to win support for your new IT policy" and "Creating an IT policy that works."