
How employing image interdiction measures can insulate companies from risk.
FST. What kinds of threats does the enterprise’s network face from its own staff?
Although the enterprise faces risks from a myriad of external threats like viruses and hacking, it’s the internal threats to an enterprise network that can often be the biggest concern. You might be surprised at how many organisations fail to give proper consideration to how their staff are conducting themselves whilst at work.
The misuse and abuse of corporate IT systems across a large enterprise has increased significantly over the past few years. Bodies such as the DTI have conducted studies showing growth in problems like cyber slacking, IP theft, data leakage, copyright infringement, cyber bullying and the accessing of inappropriate material.
An added dimension is the apparent increase in the use of proxy avoidance techniques to bypass perimeter defences and monitoring systems. These techniques effectively allow someone with a little knowledge and a lot of motivation to gain unrestricted access to blocked or inappropriate internet material, without leaving any significant trace. Within the Group we have a digital forensics business, and it identifies this practice on a daily basis.
FST. What are the consequences of misuse within the company? Can you quantify how much a company might lose from cyber slacking for example?
To answer that question fully would fill this whole magazine. However, I will try to address it in simple terms. The consequences of IT misuse by employees for any corporate entity come down to three things: loss of productivity, legal liability and loss of reputation. All of these ultimately impact on profits.
Let us look at each of these very briefly. Loss of productivity can occur on a significant basis across any enterprise. We can accept the conservative estimate that 10 percent of staff are spending one hour per day accessing websites or holding on-line chat sessions which keep them “off-task”. If the average hourly cost to employ that member of staff is £20 then the cost of cyber slacking to an enterprise employing 10,000 staff would be £4.6M every year.
Putting an exact cash figure on reputational loss is less easy. In most respects it depends on what has happened to generate that loss of reputation, how it has come to light and how the matter has been subsequently dealt with.
Legal liability is a yet more complex area. There are basically two types of liability, criminal and civil. In the criminal liability space a company can be held liable by what is known as the doctrine of identification. This means that in each company a court of law will recognise certain senior individuals as being the company itself. The acts of these individuals when acting in the company’s business are treated as the acts of the company.
Although criminal liability is obviously the most serious matter, civil liability is a more widespread issue in most companies. The most common specific occurrence would be that of sexual harassment through inappropriate image material (IIM). In the main this activity is centred round the introduction of images through email or Internet access, though removable USB devices are also sometimes involved.
Many large institutions are now beginning to understand the nature of this type of threat and how it has evolved. Some of the larger companies that we have spoken to now see IIM as a major vehicle for harassment in the workplace.
Given our involvement in the supply of e-safety solutions we have sought advice from a number of highly regarded sources. Most recently we dealt with Dr Brian Bandey, one of the United Kingdom’s leading experts on computer and internet law. Dr Bandey has recently published a very useful white paper titled Corporate Legal Liability arising by the Misuse of Employer IT Systems by Employees.
Dr Bandey’s conclusions state that as a matter of law, if an employer takes all reasonably practical measures to prevent discrimination (including harassment) from occurring in the workplace, this will provide a statutory defence in the event that they are litigated against. A vital component of those “reasonably practical measures” is the use of image interdiction technology across the enterprise. He states that the “only avenue forward for employers is to technologically interdict the harassment and the IIM employed therein, so as to stop it reaching the intended target”. He also adds that in the event of a failed interdiction, appropriate and focused insurance must be the last stage in mitigating this considerable exposure.
FST. What approaches can companies take to manage staff’s network use better in order to protect themselves?
Most obviously, all companies must implement a robust acceptable use policy for all of their staff. However, this AUP must be actively policed, with any sanctions applied consistently across all levels of staff. The AUP should take account of emerging technologies and should be revisited on a regular basis.
Other than image interdiction technology, we advocate a comprehensive user monitoring solution to enforce AUP compliance. A powerful user monitoring module, deployed in the correct manner, will provide an employer with the tools to control the level of inappropriate activity across their entire corporate IT system. This includes the monitoring of instant messenger and chat mechanisms.
USB endpoints must also be tightly controlled in order to mitigate risks associated with data leakage, IP theft and copyright infringement. I believe that many companies in the financial sector have already addressed this issue, although often in isolation.
With the increase in mobile computing leading to a degree of deperimeterisation across enterprise networks, these technologies must also be capable of being functional whilst devices are away from the corporate network.
Organisations would be well advised to consider which methods, strategies, products and training should be included and to integrate them into the AUP at the outset. Explain to the staff what the company is doing and why. Implement a whole e-safety strategy, which might include a period of amnesty, say one month, for employees caught out by a new e-safety deployment. Otherwise you might end up having to discipline any number of staff, possibly leading to dismissal and potentially significant costs.
Ultimately, implementing an appropriate, strategic and correctly managed e-safety solution can deliver positive behavioural change in employees. It can also lead on to a change in the culture within the business to one where staff no longer see cyber slacking as acceptable.
Another company within the Group provides e-safety solutions and forensic services to the UK and Middle East education sectors. It is clear to us that, amongst other issues, cyber slacking is now endemic across the majority of schools and colleges. As many as 30 percent of students spend a significant proportion of their day “off-task”. Sadly, this culture is well established and will continue as these students progress into employment. Clearly the problem of IT abuse in the workplace is set to continue increasing and employers must get to grips with the problem before it has an impact on their bottom line.
FST. Can you tell us a little about how your own company’s solutions fit in this space?
We have taken our expertise from the digital forensics and IT security sectors and we have developed an e-safety strategy solution set, which we believe can address all of the issues I have outlined.
Our e-safe business suite consists of three major software components. They are image interdiction, user monitoring (utilising contextual text-string analysis) and USB management. Each component can be purchased and deployed independently of the others, in order to fit the requirements of a client.
Should an organisation wish to consider outsourcing their whole e-safety strategic review and deployment, we are able to provide consultancy and training services around that requirement. These include a professional review and reworking of their AUP to align it directly with their e-safety strategy, thus ensuring robustness.
Our e-safe business solution also includes a comprehensive insurance policy. This policy comes into effect whenever the image interdiction software is purchased. If deployed correctly, it provides an assurance that, should any employer be litigated against in relation to inappropriate image material, the costs of that litigation will be entirely covered. There is no cost to this assurance; we provide it in every instance to all clients deploying the image software.