Millions of people use BitTorrent networks every day to obtain and share all kinds of media, from the latest movies and TV shows to music and even research papers. The majority do so from the comfort of their own home but that’s not always the case.
People who spend a lot of time at work, whether that’s in a regular office, factory, warehouse or even shopping environment, often get access to the Internet. And, if rules don’t explicitly or technically prohibit it, some will use that access to share files online.
This kind of activity isn’t always welcomed by employers, with concerns ranging from the productivity of staff to the security of networks, both from technical and legal standpoints.
This morning IT security rating company BitSight Technologies brought these issues into focus with a new report titled “Peer to Peer Peril: How BitTorrent File Sharing Impacts Benchmarking and Vendor Risk.”
According to the report, out of more than 30,700 companies and organizations rated by BitSight for security performance, 23% demonstrated some online activity using the BitTorrent protocol.
“Many organizations explicitly ban this activity, yet there is evidence that in some industries over a quarter of companies are currently sharing files over the BitTorrent protocol. While some of these files are likely legitimate, many of them are labeled as movies, games and other copyrighted material,” the company explains.
To identify trends in each sector, BitSight has broken down industries into various categories including Media/Entertainment, Education, Government, Retail, Energy/Utilities etc. The rates of sharing are shown in the image below.
Unsurprisingly, educational establishments come out on top (or bottom, depending on perspective) when it comes to BitTorrent usage, with around 58% of organizations demonstrating some level of participation. It’s worth noting that only one instance of sharing in the past six months is enough to appear in BitSight’s report.
That being said, BitSight reports that around 32% of government entities demonstrate some level of file-sharing with close to 28% on BitTorrent. The media and entertainment sector is also an eye-opener, with around 23% of companies showing BitTorrent activity. Whether that’s due to employees sharing content or spying on others while doing so is impossible to say.
The BitSight report goes into some detail when it speaks of the risks of file-sharing in the corporate space, not least the dangers of employees downloading copyrighted and potentially malware-infested content. The company carried out its own tests and concluded that “43% of applications and 39% of games were carrying malicious code.”
The big question, however, is BitSight’s motivation to produce this kind of report. Obviously threat analysis is its business but information accompanying the report provides a more immediate answer – BitSight has a new module available within its Security Ratings platform.
According to the company the module allows customers to “monitor and assess” BitTorrent activity on their own and third party vendor networks. In fact, the module goes a whole lot further than providing a basic outline of employee activity.
“An overview of observed file sharing activity including applications, books, games, movies, music, TV and other files is now available to all customers using the BitSight platform,” the company explains.
“Users can also subscribe to additional forensic information, allowing them to identify torrent names, event dates, peer IP information and other details.”
It seems likely that when employees know that they are being subjected to this level of scrutiny, many will seriously consider changing their behavior.
The report (pdf), which also attempts to associate BitTorrent usage with botnet prevalence, might yet achieve that.
Update: Statement from BitSight
“BitSight does not divulge specific IP addresses or details about any of the files other than a broad category to any third party. Companies can only see the IP address for their own network and nobody else will get that level of information,” the company informs TF.
“BitSight’s interest is in the correlation of BitTorrent activity with other indications of network hygiene and security policies. [BitSight] has no interest in shaming individuals or tracking any specific transfers or copyright infringements or any privacy concerns like that.”