Andy Churley, Security Advisor to PixAlert, looks at the management challenges and legal responsibilities facing HR departments.
Controlling the misuse and abuse of information technology in the workplace is becoming an increasingly important aspect of HR. Employees’ misuse of company computer resources can open up a whole host of problems for organisations, from lost productivity, wasted computer resources and e-viral infections to serious business interruption and security breaches leading to civil and criminal lawsuits. Cyber-skiving is estimated to account for as much as 30%-40% of lost worker productivity according to a BusinessWeek survey and over 90% of US workers admit to recreational surfing on the job (source: Vault.com).
Sometimes this surfing can lead employees to stray deliberately or inadvertently to sexually explicit web sites or those promoting violence and hate. According to a recent survey conducted by the CIPD and PixAlert, over 70% of UK companies have already taken disciplinary action as a result of employees viewing pornographic images at work. This kind of activity can lead to lawsuits, harassment charges and even criminal prosecution. Of the Fortune 500 companies, 27% have battled sexual harassment claims that stem from employee misuse of inappropriate images on corporate computers. And the stakes are high for both employers and employees.
Pornographic e-mails sent around the company cost Microsoft $2.2 million to settle a sexual harassment suit and at Xerox, 40 employees were sacked for downloading pornographic images. The scale of the problem is also reflected by the incident at the UK Department of Works and Pensions that hit the headlines in 2004. It was disclosed that, after an investigation, 2 million inappropriate images and, more alarmingly, 18,000 illegal images were discovered on its computer systems, leading to a series of dismissals, disciplinary action and prosecutions. And this is not an isolated case; a recent Audit Commission report highlighted a huge increase in the viewing of computer pornography by public sector workers.
Legislative exposure
Clearly the problem of managing inappropriate or illegal images in the workplace is growing. And while many companies use technology to prevent employees visiting pornographic sites, this is only part of the problem. Images can now get onto desktops and the corporate network through an increasing number of new entry points. These include laptops, CDs/DVDs, USB keys and digital cameras. But it is still the legal duty of companies to take reasonable steps to eliminate harassing material from the workplace and provide an environment free of discrimination. Failure to do so may result in prosecution under various legislation (depending upon jurisdiction) including Child Trafficking and Pornography Acts, Sexual Offences Acts, Obscene Publications Acts and the Civil and Human Rights Act. Company directors and managers can be held personally liable for the content of corporate computers, whether they are aware of the activity or not. Under compliance legislation they can be subject to criminal prosecution if negligence is found in the management of data and images on company computers. And, in the UK, Ireland and USA the penalty can be up to five years in prison.
The role of HR
The starting point for HR is to ensure that computer usage policies are clearly defined, communicated and understood by all managers and staff. These policies also need to be integrated and aligned with other company policies and practices concerned with protecting the organisation and the value and dignity of employees at work. Many of the specific IT usage pitfalls facing businesses can be avoided by developing and implementing a comprehensive Acceptable Use Policy (AUP). The process and type of policy will vary because of differences in corporate cultures, business requirements and employee capabilities. But the common goals of any AUP are to clarify the organisation’s policy regarding the use of IT, protect the company against potential liability and avoid security threats by promoting awareness and good practice.
The AUP must cover the presence of pornographic or illegal images in the workplace. Employees must know what to do if they unwittingly receive such unsolicited material and the consequences if they are discovered deliberately viewing or storing illicit images on their desktops. An AUP should be part of the overall policy manual and ideally employees should read, understand and sign the document as part of the terms and conditions when they are hired. Training on the ethical, legal and security aspects of IT resources should be ongoing and integrated into other training and development programmes. Regular company-wide emails can also be sent to remind employees of aspects of the AUP and ‘e-conscious-raising’ sessions held to update employees about new risks, regulations and related issues. Above all though, the efficiency of the HR policy will depend on leadership, communication, policy enforcement and a commitment to a consistent and cohesive policy.
Although many companies have AUP guidelines, the recent CIPD/PixAlert study suggests that 65% of the policies are “out of date” with regard to the management of inappropriate and illegal images – leaving these companies open to civil and criminal lawsuits. Technology moves fast and a company’s AUP should be regularly reviewed by the HR department together with its IT department to address new threats. It is also important to assess training requirements and examine feedback from employees and managers about aspects of the policy that are not working or preventing the efficient running of the business.
Help at hand
Software has been available for some time that is able to filter some employee email and control the use of the internet. The conventional method of preventing pornographic or illegal images entering the corporate network is by implementing an Internet gateway filtering solution. But these gateway technologies are limited in scope and can easily be bypassed using techniques such as transmission of encrypted files, unrecognisable file formats, images embedded in other documents, compressed files and secure connections through HTTPS. Add to this the ease with which images can enter the network via other devices directly attached to the desktop and it is clear that gateway solutions, while being an essential component, are not capable of preventing illicit image abuse in the workplace by themselves. However, using new high-speed image analysis techniques it is now possible to audit a complete network in a matter of days. All files on a PC or group of PCs as well as all fixed and removable storage devices can be examined for image content ranked as being above or below a fixed sensitivity level.
Audited images are then presented to an appointed officer and the results analysed. Depending on the types of images discovered and the policy in place, a decision can then be taken on the most appropriate action. The same technology can be used to monitor PC screens directly in real time to identify any images being viewed that breach pre-set corporate guidelines. There is simply no way to bypass this approach; anything rendered on the user’s screen is checked using advanced algorithms designed specifically to identify pornographic or illegal images. Image details, the machine and user name, date and time and application being used are all recorded. Details are automatically sent to a remote administrator's computer where they can be logged and reviewed and, depending on HR policy, a decision can be taken as to the most appropriate course of action. These screen-based monitoring agents can work alongside gateway-based filtering software so that companies can assess image material in any format, including embedded and encrypted images that are introduced via sources such as CDs, DVDs, MP3 players etc. Monitoring responsibilities should be shared between IT, Risk and Compliance and the HR departments, with the HR department setting out the disciplinary and case investigation procedures within the company.
Case management
Once inappropriate or illegal images have been detected, the HR department needs to investigate thoroughly and decide what action should be taken. And in the case of illegal images, the company should take independent legal advice to determine the legal responsibilities of the organisation in the jurisdiction in which it is operating.
The action taken must be consistent with a company’s disciplinary procedure and the local legislative requirements, and must observe due process. Any procedure dealing with disciplinary issues must also be rational and fair, with the range of penalties that can be imposed clearly defined and an internal appeal mechanism available. Having a comprehensive, up-to-date AUP that is properly implemented and ensures ongoing education, communication and monitoring will itself act as a serious deterrent and reduce the number of cases that arise.
Conclusion
Clearly it is time for companies and organisations to take action. The definition and enforcement of policy, regular audits and a visible line of defence at the desktop are the only sure way of dealing with and ultimately putting a stop to this undesirable activity in the workplace. This is one area where the complete solution involves IT working with the HR and Legal departments. To download a free whitepaper “Understanding and Managing Illicit Image Abuse In the workplace”, please visit www.pixalert.com