Soft serve defense

How do you keep fast-food employees from using line-of-business computers to play online games, visit MySpace sites and download malware that crashes critical systems?

If you're Mike Stump, director of information technology for Roundtable Corp., which operates 51 Dairy Queen franchises in New Mexico, Oklahoma and Texas, you do it with a managed security service from ScanSafe. Stump says the strategy has not only eliminated untold hours of malware-related downtime, but saved thousands of dollars in associated travel-related expenses to get those crashed systems back online.

With the Lubbock, Texas-based company's Dairy Queen outlets scattered throughout mostly small towns in the rural Southwest, Stump has had to overcome an unusual security management dilemma. On the one hand, he must grant employees access to the store's back-end server so they can clock in and out of Roundtable's web-based attendance-tracking application.

Unfortunately, that system not only gave them unsupervised access to the internet, it houses each store's business-critical applications, including the software that workers use to clock in and out every day. That back-end computer also runs the point-of-sale (POS) system that manages each restaurant's cash registers, as well as an inventory reporting application that allows managers at corporate headquarters to find out how many chocolate shakes they sold that day and to check, in real time, how well a promotion is working, says Stump.

Before deploying the managed security service from ScanSafe about two years ago, that shared access strategy had become problematic. In a nutshell, it gave the company's employees access to the internet via the store's server. As these employees were, according to Stump, mostly teenagers and those in their early 20s who live in the middle of nowhere with no computers at home, this meant nothing but trouble.

Not surprisingly, they weren't content to merely clock in and out of their shift after logging into the back-end server, Stump says. With little supervision from often absent managers, they naturally took the opportunity to visit a variety of internet sites, including MySpace, and to play online games, he says.

“Inevitably, they'd get a virus on the back-office system, which would take the computer down,” Stump explains. And that was bad news all the way around. For one thing, with the server controlling the front-end POS systems out of operation, the cash registers in the front were shut down, effectively halting business operations, says Stump. Moreover, the server lost communication with corporate headquarters. That meant it couldn't deliver regularly scheduled reports – sales dollars and unit totals, employee attendance records, and other key information critical to operating each franchise outlet.

The crash would also force Stump to send someone out to clean up the virus and get the server up and running again. With the company's 51 franchise outlets distributed over a wide geographic area, that meant Roundtable's IT staff spent plenty of time on the road fixing crashed systems, sometimes up to two days for the more far-flung locations.

Solution for bad infections
Stump says the malware infections “got really bad” when the company  –  which is not affiliated with the California-based pizza company that shares the Roundtable name – migrated from a traditional time clock for attendance tracking to the web-based system two years ago. With employees having unsupervised access to the internet, malware issues inevitably began popping up, forcing the company's support staff to make weekly trips to various franchise locations to clean up an infected server.

A web search pointed Stump to ScanSafe. He says the company's web-filtering and malware-scanning system met his requirements on several fronts.

First of all, it didn't edit any Windows Sockets API (Winsock) properties, says Stump, eliminating one potential source of problems [see sidebar, right]. In addition, deployment was simple and the rollout did not require Stump to change the configuration of any of the company's computers.

“It took 10 minutes,” Stump says, merely requiring the running of a batch file on each Roundtable computer connecting to the internet. The batch file provides instructions that pointed the computers to ScanSafe's proxy server, rather than the internet, for web access.

“In operation, the ScanSafe product takes traffic from the static IP [internet protocol] address at our locations and runs it through the ScanSafe proxy server,” says Stump. The proxy scans internet traffic looking for and quarantining malware, such as viruses and trojans.

“Parental” supervision
The ScanSafe product gives Stump the tools to limit employee internet access to specific sites, including the HR system for attendance tracking.

“We've pretty much blocked access to everything but our site, so managers can see sales data and the like,” he says. Among those sites he's blocked are social networking, pornographic and music download sites, he says.

The bottom line, Stump explains, is that malware infections have become non-existent. “Now, that's the biggest benefit Roundtable has seen,” he says.

That, in turn, translates to major return-on-investment advantages. “First, I would say it has probably saved us around $100,000 a year in travel and equipment required to fix crashed servers,” Stump says.

It has also stopped the occasional malware infections passed from one of the store's back-end servers to a server in the Lubbock headquarters. “We don't have that anymore,” he notes.

Finally, web traffic filtering helps with productivity in all the stores, Stump explains. “When the manager isn't there, no one is surfing on the internet or playing games – they just can't.”


Try, try again: Custom defense

Mike Stump, director of information technology for Lubbock, Texas-based Roundtable Corporation, was searching for a way to keep his young employees from surfing the net during office hours and inviting malware onto the corporate network. He initially tried a solution from a company offering a proxy-based system for controlling internet access. “But that didn't work out well – we had all sorts of problems,” he recalls.

Chief among them: The proxy system edited the Windows Sockets API (Winsock) file that Windows uses to manage communication with TCP/IP-based networks. Windows, however, “would automatically fix the edit, and eventually something would become corrupted and we'd lose internet access,” Stump explains. “We used that system for about a week,” he says wryly. – Jim Carr

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.