Controlling the abuse of illegal and inappropriate images in the workplace is an increasingly important part of managing risk for an organisation. Private use of company computer resources for pornography can lead to a whole host of problems, from lost productivity, wasted computer resources and e-viral infections through to serious business interruption and even civil and criminal lawsuits. But with the a proliferation of plug-and-play storage devices such as portable hard drives and USB keys, high speed modern connectivity protocols and more out of office unmonitored activity is it possible to eliminate the risk

What are the risks? Legislation in the UK is clear, company directors and the managers they appoint can be held personally liable if negligence is found in the management of data and images on company computers. Neglect is defined simply as a failure to take steps that should have been taken to prevent an incident happening. Prosecution can be carried out under various pieces of legislation including Child Trafficking and Pornography Acts, Sexual Offences Acts, Obscene Publications Acts and Civil and Human Rights Acts.

Legislative exposure Clearly the problem of managing inappropriate or illegal images in the workplace is growing. And while many companies use technology to prevent employees visiting pornographic sites this is only part of the problem. Images can now get onto desktops and the corporate network through an increasing number of new entry points. These include laptops, CDs/DVDs, USB keys and digital cameras.

But it is not just illegal images that are a risk. In the US the American Management Association reported that that more than 27% of Fortune 500 companies have battled sexual harassment claims stemming from employee use of corporate email and Internet systems. So if an employee is exposed unwittingly to inappropriate images, it could prove very costly indeed.

Cyber-skiving in itself is a huge problem in terms of lost productivity with 90% of US workers admitting to surfing on the job in a recent BusinessWeek survey. If this surfing inadvertently or deliberately includes sexually explicit material other staff may see it and unwanted exposure to pornography at work not only risks costly civil action but fosters an unproductive, hostile working environment.

The issue of reputational risk is hard to quantify but if a company is found to have allowed illegal pornography on to its computers, or is sued for sexual harassment it can have serious and long-lasting financial repercussions. Corporate and social responsibility is an important part of business life and this means protecting employees, creating an environment that everyone feels comfortable working in and being seen to be a responsible part of the business community.

A growing problem Results of a recent survey of 400 public sector organisations by the public spending watchdog the Audit Commission, found a 16% increase in cases of staff accessing pornography and that inappropriate material now accounts for almost half of all incidents of computer misuse.

The scale of the problem was also reflected by the incident in the UK Department of Works and Pensions last year. It was disclosed that, after an investigation, 2 million inappropriate images and more alarmingly 18,000 illegal images were discovered on its computer systems, leading to a series of dismissals, disciplinary action and prosecutions.

With the risk of a prison sentence, in many jurisdictions, for bosses who do not do enough to stop illegal images getting onto the corporate network, and with the threat of expensive sexual harassment claims, it is surprising that so many organisations remain complacent about the problem. Many organisations do little more than install gateway-based web filtering systems and think they are covered. However, these only go part way to addressing the problem. They are easy to bypass and do nothing to stop pornography coming in from other sources such as CD/DVD, USB key, digital camera or unsecured wireless networks.

Reducing the risk an irish company has developed a five step Risk Assessment Methodology to help organisations identity and mitigate the threats posed by illicit images stored on corporate PCs.

Step 1: Review – of corporate legal and HR policies to gauge vulnerabilities for employee abuse.

Acceptable Use Policies need to be reviewed to ensure they are clear and explicit in terms of what is acceptable or explicitly where possible what is not acceptable. Pornography doesn’t get onto the corporate network from only email and Internet, so it is important that the policy embraces all data entry points for illicit image material. The review must also ensure the company has disciplinary procedures in place to deal effectively with the discovery of illegal or inappropriate images.

Step 2: Assess – the quantity and severity of illicit images on a company’s network to determine the level of corporate exposure to threats of illegal and inappropriate images.

At this stage in the risk assessment process, software tools are used to assess the current state of company resources. Email accounts, Exchange Server, user home accounts, Desktop PCs and Citrix servers should all be scanned and any illicit images in emails, zip files or image files, along with Word, PowerPoint and Excel documents will be detected. Following the scan a report should be generated so that the situation can be assessed and the reported images reviewed for severity.

Step 3: Align – policies and procedures to meet company strategic goals while minimising risk to the corporation.

Once policy has been reviewed it is essential it is updated in light of what has been found in the audit of the network. This ensures the risk of exposure to illicit material is handled properly and that the company can not be accused of being negligent. The resulting computer usage policy must clearly state what content is not acceptable and that its presence on corporate IT assets breaks the policy no matter how it came to be there.

Step 4: Communicate – to all staff ensuring employees understand new policies and procedures and the repercussions if disregarded.

A means of comprehensively communicating the company’s new acceptable usage policy must be put in place. This can take the form of a series of presentations, making sure that users sign the policy or even making the policy something that has to be accepted each time users log on. But most important of all, it needs to be made as easy to understand as possible so there can be no confusion.

Step 5: Enforce – an enterprise wide process using monitoring and auditing software to provide ongoing detection reporting and case management.

By doing this the company clearly demonstrates that it is endeavouring to employ best practice by preventing illicit image abuse reoccurring and enforcing compliance to the new policy. It is not enough to simply issue a new policy and tell people about it, it has to be enforced.

Typically organisations use a mixture of auditing and monitoring in order to ensure compliance.

Regular audits are essential in order to keep track or the overall situation and reviewing compliance with policy. However, most corporate networks comprise a mixture of servers, desktops and laptop computers. While servers and desktops are relatively easy to audit since they are always physically connected to the network, laptop computers are regularly removed from site, operate in stand alone mode or connect to other networks such as home or unsecured WiFi networks which increases the risk of illicit images making their way onto the computer. On high risk corporate computers such as laptop computers or open access internet PCs, monitoring is a more effective strategy. Deploying screen based, image scanning software, which remains resident in memory, such technology assesses screen content no matter where the computer is, what type of network to which it is connected or whether the file has been encrypted or uses steganography to disguise the image it contains; once an image is displayed on the screen such technology will capture it.

As a part of the enforcement plan, employers may decide to grant an amnesty period so employees can dispose of inappropriate content. After that period any illicit images found on their machines or that they have viewed will lead to potential disciplinary measures. The results of monitoring must be regularly reviewed and if any cases arise suitable, pre-defined procedures for dealing with image abuse should be followed. Regular audits are also essential. These will measure how effective the new policy is and identify if anything needs to be done to further promote a better working environment. Reducing the risk of illegal and inappropriate images should not be a one off activity; it has to be part of a continual improvement program.

Alarmingly despite technology being commercially available that can proactively monitor image content, regardless of source, a recent survey undertaken by the Chartered Institute of Personnel and Development and an irish company showed that nearly 70% of organisations have not installed desktop solutions to identify improper images.

It is only through a combination of good policy, procedures and enforcement technologies that a company can demonstrate best practice and show that it is doing its utmost to minimise the risk of exposure for both the company and its employees.

Certainly, with the ready availability of software tools that can stop illegal and inappropriate images entering the corporate network, it is harder for companies to argue that they have not been neglectful. With the consequences of that neglect ranging from fines, costly harassment cases to custodial sentences companies must move now to address the risk.

About Author

Colm Doherty

This article was written by Colm Doherty of Pixalert – http://www.pixalert.com Data Loss Prevention | Email Monitoring Solution. PixAlert is the market leader in products and services that provide detection of critical data for corporations.