Julie Connor assesses the risks caused by employees accessing illicit images in the workplace

Controlling the spread of illegal or inappropriate images in the workplace is an increasingly important part of managing risk for any organisation.

Private use of company computer resources for pornography can lead to a whole host of problems, from lost productivity, wasted computer resources and viral infections, to serious business interruption and even civil or criminal lawsuits. But with the a proliferation of plug-and-play storage devices, such as portable hard drives and USB keys, high speed modern connectivity protocols and more out-of-office unmonitored activity, is it possible to eliminate the risk?

What are the risks?

Legislation in the UK is clear - company directors and the managers they appoint can be held personally liable if negligence is found in the management of data and images on company computers. Neglect is defined simply as a failure to take steps that should have been taken to prevent an incident happening. Prosecution can be carried out under various pieces of legislation, including the Child Trafficking and Pornography Acts, Sexual Offences Acts, Obscene Publications Acts and Civil and Human Rights Acts.

It is not just illegal images that are a risk. In the US, the American Management Association reported that that more than 27% of Fortune 500 companies had suffered sexual harassment claims stemming from use of corporate e-mail and internet systems by employees. If an employee is exposed unwittingly to inappropriate images, it could prove very costly indeed.

Cyber-skiving in itself is a huge problem in terms of lost productivity, with 90% of US workers in a recent BusinessWeek survey admitting to surfing on the job. If this surfing inadvertently or deliberately includes sexually explicit material, other staff may see it. Unwanted exposure to pornography at work not only risks costly civil action, but fosters an unproductive, hostile working environment.

The risk to reputation is hard to quantify, but if a company is found to have allowed illegal pornography on to its computers, or is sued for sexual harassment it can have serious and long-lasting financial repercussions.

A growing problem

Results of a recent survey of 400 public sector organisations by the Audit Commission found a 16% increase in cases of staff accessing pornography, and reported that inappropriate material now accounts for almost half of all incidents of computer misuse.

The scale of the problem was also reflected by an incident in the UK Department of Works and Pensions last year. It was disclosed that, after an investigation, 2 million inappropriate images and, more alarmingly, 18,000 illegal images were discovered on its computer systems. The result was a series of dismissals, disciplinary actions and prosecutions.

Given the risks, it is surprising that so many organisations remain complacent about the problem. Many do little more than install gateway-based web filtering systems and think that is sufficient to cover them. However, these only go part of the way to addressing the problem. They are easy to bypass and do nothing to stop pornography coming in from other sources, such as CDs, USB keys, digital cameras or unsecured wireless networks.

Reducing the risk

My organisation has developed a five step risk assessment methodology to help organisations identity and mitigate the threats posed by illicit images stored on corporate PCs.

STEP 1. Review corporate legal and HR policies to gauge vulnerability to employee abuse.

Acceptable use policies need to be reviewed to ensure they are clear and explicit in terms of what is acceptable and what is not. Pornography does not only reach the corporate network through e-mail or the internet, so it is important that the policy covers all possible data entry points.

The review must also ensure that the company has disciplinary procedures in place to deal effectively with the discovery of illegal or inappropriate images.

STEP 2. Assess the quantity and severity of illicit images on a company's network to determine the level of corporate exposure to risk.

At this stage, software tools (such as PixAlert Auditor) are used to assess the current state of company resources. E-mail accounts, Exchange Server, user home accounts, desktop PCs and Citrix servers should all be scanned, and any illicit images in e-mails, zip files or image files, along with Word, PowerPoint and Excel documents, will be detected. Following the scan a report should be generated so that the situation can be assessed and the reported images reviewed for severity.

STEP 3. Align policies and procedures to meet company strategic goals while minimising risk to the corporation.

Once policy has been reviewed, it is essential it is updated in light of what has been found in the audit of the network. This ensures the risk of exposure to illicit material is handled properly and that the company cannot be accused of being negligent. The resulting computer usage policy must clearly state what content is not acceptable and that its presence on corporate IT assets contravenes the policy, no matter how it came to be there.

STEP 4. Ensure that employees understand the new policies and procedures and the repercussions if they are disregarded.

A means of communicating the company's new acceptable usage policy must be put in place. This can take the form of a series of presentations, involve making sure that users sign the policy, or even making the policy something that has to be accepted each time users log on. But most importantly, it needs to be made as clear as possible, so that there can be no confusion.

STEP 5. Enforce an enterprise-wide process, using monitoring and auditing software to provide detection, reporting and case management.

By doing this the company clearly demonstrates that it is endeavouring to employ best practice by preventing illicit image abuse recurring and enforcing compliance to the new policy. It is not enough to simply issue a new policy and tell people about it; it has to be enforced.

Audit and monitor

Typically, organisations use a mixture of auditing and monitoring to ensure compliance. Regular audits are essential in order to keep track of the overall situation and to review compliance with policy. However, most corporate networks comprise a mix of servers, desktops and laptop computers. While servers and desktops are relatively easy to audit, laptop computers are regularly removed from site, operate in stand-alone mode, or connect to other networks, such as home or unsecured WiFi networks which increases the risk of illicit images making their way on to the computer.

On high risk corporate computers such as laptop computers or open access internet PCs, monitoring is a more effective strategy. Deploying screen-based, image scanning software, which remains resident in memory, the technology assesses screen content, no matter where the computer is, what type of network it is connected to or whether the file has been encrypted.

Once an image is displayed on the screen, such technology will capture it.

As a part of the enforcement plan, employers may decide to grant an amnesty period, so that employees can dispose of inappropriate content. After that period any illicit images found on their machines or that they have viewed will lead to potential disciplinary measures. The results of monitoring must be regularly reviewed, and pre-defined procedures for dealing with image abuse followed.

Regular audits will measure how effective the new policy is and identify if anything further needs to be done. Reducing the risk of illegal and inappropriate images should not be a one-off activity; it has to be part of a continual improvement programme.

Alarmingly, despite technology being commercially available that can monitor image content regardless of source, a recent survey undertaken by the Chartered Institute of Personnel and Development and PixAlert showed that nearly 70% of organisations have not installed desktop solutions to identify improper images.

It is only through a combination of good policy, procedures and enforcement technologies that a company can demonstrate best practice and show that it is doing its utmost to minimise the risk of exposure for both the company and its employees.

Given the ready availability of software tools that can stop illegal and inappropriate images entering the corporate network, it is harder for companies to argue that they have not been neglectful. With the consequences of that neglect ranging from fines, and costly harassment cases to custodial sentences, companies must move now to address the risk.

- Julie Connor is customer services manager, PixAlert International, Tel: +353 1 707 8860, E-mail:info@pixalert.com