We are all aware of the growing numbers of unsolicited e-mails containing pornography that are getting through to our inboxes every day. We are also aware of the explosive growth of pornographic material available across the web and that this material is getting harder to block with conventional gateway filtering systems, which often have limited capabilities and can be easily bypassed through a number of well-documented techniques. Add to this the growth of multiple data entry points (USB, DVD, Wireless, Firewire etc.) and we begin to understand the current scope of problems that are associated with control of illicit image material.
From a cultural perspective it appears that a custom has now evolved where the style of communication used in e-mails can be informal, and that there is no perceived actual or moral difference between an employee using their own computer at home and using their employer’s computer system for identical purposes at work. This attitude in itself increases the risks to any organisation from its employees’ interaction with pornography.
Inappropriate image material (IIM) introduced into the workplace can place an organisation at serious risk in a number of ways. Largely these consist of sexual harassment, unlawful discrimination, distribution of pornography or obscene material and the holding or publishing of paedophilic images.
However one looks at the risks that are associated with IIM in the workplace, it will always come down to legal liability, financial loss and damage to corporate brand and reputation.
Depending upon the event in question, each of these risks might occur in isolation or as a combination. Where they combine, any organisation would certainly risk serious repercussions at the most senior management level, given that company directors or senior managers can now be held personally and criminally liable for the actions of their employees.
Any form of sexual harassment is capable of amounting to unlawful discrimination for which the employer will be liable. Harassment by e-mail containing inappropriate images, or the showing of these images, falls squarely into this arena. It is irrelevant if another employee considers the same e-mail image to be amusing or otherwise inoffensive; the point is that if an employee finds the image offensive, and if the material in it is sexual, then it becomes unlawful harassment, thus allowing an employee to bring a claim for unlawful discrimination to an employment tribunal.
The e-mailing of inappropriate images therefore brings considerable risks, once you consider that a single e-mail might be sent to dozens of colleagues or, even worse, to employees of your clients or suppliers. Each instance is easily capable of generating multiple claims that would almost certainly have the effect of damaging the corporate brand and creating financial loss, and may include legal liability.
Alongside the risks from e-mail use, there is also the risk of sexual harassment and criminal liability from inappropriate images residing anywhere on the corporate network, which, of course, includes mobile computing devices and mobile phones. Employees often seem to forget that their mobile phones are company property and are subject to the same acceptable use as their PC; or at least they should be.
My own group recently disciplined one of its employees as a result of a random forensic examination of one company mobile phone that identified a ‘home made’ pornographic video, containing sexually explicit images of him and his wife. It was interesting to note that as a part of our investigation into this matter, the employee accepted that what he had done was against our acceptable use, but because the content was home made, he had not realised the seriousness of what he had done and its potential consequences.
Zentek carries out occasional and entirely random forensic examinations of its mobile phone resources in order to deter and to reinforce its acceptable use policies. Finding something, as we did, provided a useful reminder to all of the staff that this behaviour is unacceptable on our phones as well as our computers, and that it will not be tolerated. Needless to say, we don’t expect to find too many instances in the future.
There have been numerous examples over the past few years where various organisations have had to deal publicly with the fallout from identifying pornographic images across their enterprise network. In the UK, the Department for Work and Pensions found over two million images; Orange sacked 40 staff for downloading Internet porn, as did Rolls Royce; and even one of the largest UK police forces sacked a member of staff responsible for bringing over 7000 images into their organisation. There are equally high-profile examples of staff being sacked in relation to the transmission of pornographic and offensive e-mails, such as at the DVLA, Royal and Sun Alliance and even Merrill Lynch.
This activity can potentially be undertaken at all levels within any company, as was clearly demonstrated when the Chief Executive of the Bank of Ireland was forced to resign during 2004, for reportedly accessing not only pornography but also a Las Vegas escort agency.
This is not just a problem in the UK. The American Management Association reported that 27 percent of Fortune 500 companies have suffered sexual harassment claims resulting from employee use of corporate email and Internet systems.
Although this is clearly a global problem, many jurisdictions deal with the issue of inappropriate image material in differing ways. Those companies that have offices in the UAE, for example, are now subject to the ‘cyberlaw’ that was implemented in 2006. Here the criminal penalties are much stiffer than in the UK and the potential for financial loss is even greater, as the authorities have been given the powers to imprison people responsible for “breaking family principles and values”, and that is likely to include sexual harassment through pornography.
The direct financial loss to a company could be through the time and investment required to deal with employment tribunals and the cost of recruitment, should employees be dismissed as a result of this type of issue. There is also the initial cost of the employee’s time having been spent carrying out the IT misuse in the first place, when they should have been working. Then there are any tribunal awards that are made against the company for claims that are upheld.
Indirectly, there will inevitably be a cost associated with damage to corporate reputation and brand. This is impossible to quantify, although it is safe to say that this can have serious and long-lasting financial repercussions.
Where inappropriate activities were found to be centred around paedophilic images, and we know that this does happen, the costs to an organisation would certainly be significant. Not only would there be a loss of reputation, but in such a case there could also be a strong likelihood of criminal proceedings, possibly against senior individuals within the organisation.
The risk of this type of liability can be mitigated if the correct approach is taken. The most important aspect is to instil the correct corporate cultural attitude towards IT misuse in general, including IIM. There are a number of specific steps one must take to enforce a cultural change on one’s employees, and let us be very clear here: enforcement is what it will take, and it won’t happen overnight.
This is not just an IT issue or one that relates to HR. It must involve further co-ordination between departments that have a stake in addressing the issues, which includes IT, HR, Risk and Governance and Legal. Overall responsibility should sit with a committee of the senior management, with no one person in overall control.
It will take a co-ordinated approach to using the latest technological solutions, such as image interdiction and user monitoring software. Obvious steps would be the implementation of a robust acceptable use policy (AUP), which takes account of emerging threats and technologies and sets out clearly the requirements of the business and the responsibilities it places upon itself and its staff. Include mobile computing devices fully in the AUP and include your mobile phones, which is something people often neglect to do.
Once this is all in place, scan the corporate network for any existing IIM, and then I would use the technology solutions to enforce compliance across the enterprise, thus reducing the opportunities for this material to be reintroduced. To use the statutory defence against harassment and discrimination, the employer must show they have taken all reasonably practical measures to prevent it. We believe that image interdiction technology is the newest reasonably practical measure which must be taken and that without it, a defence is more likely to fail.
Ravi Sisodia is the Sales Manager for Zentek