Inappropriate Computer Use: Is your workplace protected?
Author: Brian O'Donnell
While there are huge efficiencies to be gained from the use of information technology, there are also risks from uncontrolled access to the Internet. One of the largest information security issues facing Irish businesses today is inappropriate computer usage in the workplace. Brian O'Donnell offers advice on how to tackle the issue.
Inappropriate use comes in many guises, and ranges in severity and risk for the organisation. At its most benign, inappropriate use impacts on employee productivity, where many hours are wasted through Internet browsing and use of instant messaging services. A survey published in June of this year by the employment law firm, Peninsula Ireland, suggested that Irish employees are spending an average of 90 minutes per day on social networking sites such as Bebo and Facebook. That works out at 43 working days per year! While there is clearly a serious cost arising from this time-wasting, inappropriate use has other more serious forms.
Personal email accounts
Access to personal email services such as Gmail and Hotmail can facilitate transmission of sensitive information out of the organisation, allowing disaffected employees to perpetrate intellectual property theft of, for example, customer databases, new product blueprints or other commercially sensitive and valuable information.
In addition to these personal email services, the ability to use USB memory sticks and to burn data to CD or DVD is a serious point of exposure for organisations subject to this kind of risk.
Inappropriate images
Perhaps the hardest form of inappropriate use to control is the use of corporate IT resources to view pornographic material. Employers have a duty of care to their employees to protect them from inappropriate material, and any inappropriate use of computer systems can lead to damage to corporate reputation. The risk and embarrassment associated with the presence of offensive, pornographic, and sometimes illegal images in the workplace has become very high-profile over the past few years. There are specific legal requirements related to inappropriate images which businesses need to comply with, such as the Child Trafficking and Pornography Act 1998, and various employment laws.
But how can organisations address this broad range of risks in a balanced way, without impacting on the efficiencies that IT can provide?
Policy
An effective policy for acceptable usage of computers should be the cornerstone of any approach to these issues. Without effective policies, clearly communicated to employees and consistently implemented, problems will arise.
Acceptable Usage Policies
Typically, an Acceptable Usage Policy (AUP) will have the following key objectives:
- Clearly state the organisation's policy regarding the use of information technology, the Internet, email and other telecommunications resources (e.g. mobile phones).
- Clearly state the organisation's responsibilities with regard to protecting the individual.
- Clearly state the responsibilities of individual employees with regard to using corporate IT resources.
- Protect the organisation against potential liability.
- Promote security awareness among management and staff.
- Encourage effective and productive use of IT resources.
In addition to acceptable usage policies, management should also consider developing incident response plans. These plans provide detailed steps to be followed by responsible individuals in the organisation should a security incident arise. The types of security incident which would typically be addressed will be wider than just inappropriate use and will include hacking attempts, etc. However, the plan should identify the steps to be followed should a theft of intellectual property be suspected (such as to call in legal advisers and IT forensic specialists).
Tone of Policy
In the changing environment described above, many organisations struggle to find the right balance in their policies between risk mitigation and empowering users. Ultimately, however, one has to err on the side of protection for the user and for the organisation.
AUPs need to be unambiguously worded and lawful, as any subsequent sanctions will rely on the existence of enforceable policies. It is important to involve other departments, e.g. HR, legal, risk management and the business, to ensure that the corporate culture, business requirements and employee capabilities are appropriately considered. All employees must receive a clear and consistent message from management describing what is considered appropriate activity in the workplace, together with what action will be taken for any abuse. It must be clear who in the organisation is responsible for enforcing the policies. This will ensure that disciplinary measures are applied consistently and fairly.
Employee education and training
Critical to the success of the policy-setting initiative is ensuring that the policy is communicated to employees (through staff awareness training and education) and enforced (through the implementation of control processes to monitor user activity and taking action on foot of findings). An appropriate corporate culture and good user practices need to be established.
Policies need to be clearly communicated and supported by a structured communications and awareness programme. This should provide evidence of every employee's understanding and acceptance. Management should be seen to lead by example and should make clear that any disregard of policies will not be tolerated.
Enforcement controls and processes
It is good practice to implement technical controls to reduce the risk of a breach of your AUP, and to increase the likelihood of uncovering a breach, so that appropriate action can be taken.
Some of the forms of inappropriate use are easier to control than others. For example, web content filtering tools exist, and are probably already installed on your network, which can prevent users from accessing websites that are in breach of policy. These tools allow you to specify the website addresses you want to prevent, such as those of social networking sites, and the domains of the popular free personal email services.
A decision to enforce policies to prevent access to social networking sites and personal email services can often cause disquiet among employees, particularly Generation Y staff who are used to unfettered access. Some organisations decide to make the policy enforcement easier by providing Internet kiosks in high visibility areas of their office to allow staff brief access during break times.
More difficult to solve is the exposure to USB memory sticks and other removable media. Laptop and desktop PCs are routinely issued with CD or DVD burners as standard. Organisations should question whether these are really needed for all users, and should consider downgrading to CD/DVD players, upgrading to burners only where there is a proven need.
Memory sticks are ubiquitous at this time. But they carry significant risk as discussed above, and are often the means by which viruses are brought into an organisation's systems. Given that these devices are very useful and often desirable in a corporate environment, controls need to be put in place to manage their use. Your AUP should stipulate that only USB memory sticks supplied by the organisation can be used. This is important because if a suspected issue of intellectual property theft arises, you retain the right to recover the device and to examine it using IT forensic techniques. Then, you can enforce the policy by using tools available in the market to only allow particular types of devices to be used, and to encrypt all data. If your organisation operates a Microsoft Windows Active Directory network, it is also possible to enforce settings to prevent users or groups of users from using any USB data storage devices.
From the perspective of inappropriate images (pornography) a range of technical controls may need to be implemented to address the different working practices and the various routes inappropriate material may take to enter the IT environment.
Traditional gateway-based web filtering and email systems only form part of an overall integrated solution. They can be bypassed by using proxy servers or encryption and do not address the numerous other ways material can get onto systems. An approach may include combinations of the types of tools already discussed, as well as email/spam content filtering, host- and network-based intrusion protection, and client-based filtering.
The effectiveness and practicality of these controls will be dependent on how a business uses its IT resources and should be designed accordingly.
Compliance monitoring
Regular compliance monitoring is an effective way to enforce the acceptable use policies and mitigate the impact of inappropriate computer use.
Depending on the technical IT controls put in place, different monitoring processes will need to be implemented. To address the risk of unproductive use of the Internet, email and instant messaging, management should use the reports available from the web content filtering tools to ensure that the filters are kept up to date for all significant non-productive sites being used, and repeat offenders should be dealt with in line with your HR disciplinary procedures.
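As an added illustration (not part of the original article, and not any particular filtering product's code), the following Python sketches the two monitoring tasks described in the web filtering and compliance monitoring sections over constructed proxy log lines: matching each request against an AUP blocklist of the kind named above (social networking and personal web-mail domains), then reporting blocked requests per user alongside the high-volume unlisted sites that should be reviewed when keeping the filter list up to date. The blocklist domains, log line format and user names are assumptions made for the example.

```python
"""Added example: an AUP domain blocklist applied to constructed proxy log
lines, producing the two outputs a compliance review needs: repeat offenders
per user and high-volume sites not yet on the list. Domain names here are
illustrative, not a recommended list."""
from collections import Counter, defaultdict

# Categories of sites the AUP restricts. The domains are assumptions for the
# example; an organisation would maintain its own categorised list.
BLOCKLIST = {
    "social": {"bebo.com", "facebook.com"},
    "webmail": {"gmail.com", "hotmail.com", "mail.google.com"},
}


def normalize_host(host: str) -> str:
    """Lower-case the host and drop a port and trailing dot, so that variant
    spellings of one host ('WWW.Facebook.COM.:443', 'facebook.com') compare
    equal. IPv6 literals are not handled in this sketch."""
    host = host.strip().lower().split(":", 1)[0]
    return host.rstrip(".")


def match_category(host: str, blocklist=BLOCKLIST):
    """Return the category of the listed domain matching the host or one of its
    parent domains, or None. Matching is label-wise, so 'notfacebook.com' does
    not match 'facebook.com', while 'www.facebook.com' does."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in blocklist.items():
            if candidate in domains:
                return category
    return None


def parse_line(line: str):
    """Parse a constructed proxy log line: 'ISO-time user host bytes'.
    Returns None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, host, nbytes = parts
    return {"ts": ts, "user": user, "host": normalize_host(host), "bytes": int(nbytes)}


def compliance_report(lines, blocklist=BLOCKLIST, top_n=3):
    """Aggregate log lines into (a) blocked requests per user and category and
    (b) the most-requested unlisted hosts, the candidates for filter review."""
    per_user = defaultdict(Counter)
    unlisted = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category = match_category(rec["host"], blocklist)
        if category:
            per_user[rec["user"]][category] += 1
        else:
            unlisted[rec["host"]] += 1
    return {
        "blocked_per_user": {u: dict(c) for u, c in per_user.items()},
        "top_unlisted": unlisted.most_common(top_n),
    }


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2008-09-01T09:02:11 jdoe www.facebook.com 1200",
    "2008-09-01T09:05:40 jdoe WWW.Facebook.COM.:443 800",
    "2008-09-01T09:07:02 jdoe mail.google.com 300",
    "2008-09-01T09:08:13 asmith notfacebook.com 512",  # must not match
    "2008-09-01T09:09:55 asmith news.example.org 2048",
    "2008-09-01T09:10:01 asmith news.example.org 2048",
    "2008-09-01T09:11:30 jdoe bebo.com 700",
    "malformed line",
]

if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(SAMPLE_LOG), indent=2))
```

The label-wise suffix match is the point worth copying: a plain substring test would either miss `www.facebook.com` or wrongly block `notfacebook.com`, and normalising case, ports and trailing dots keeps one site from appearing under several names in the per-user counts.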
Compliance monitoring for inappropriate images typically consists of the following phases:
With the appropriate policies established, the first stage is to agree which areas of the business will be scanned.
Those doing the review must have a clear understanding of what material is considered appropriate. There will always be material that will be clearly inappropriate, but depending on the business, certain images may be allowed. The categories and what action should be taken if images have been discovered should be defined early on to facilitate the image analysis phase.
The asset discovery phase and actual image scanning can be automated using multi-source image detection technology. These tools automate an extensive part of the data gathering and image analysis work. They are installed on a PC and they remotely scan personal computers (laptops, desktops), email boxes and networked user shares on file servers for inappropriate content. They scan all files to identify if they are capable of supporting an image, i.e. not only typical image files such as jpegs or bitmaps, but also files such as Microsoft Office documents. The images flagged as possibly illicit are then viewed by an appropriately trained auditor and placed into one of the previously agreed categories.
By following this approach, a detailed view can be generated that shows the different categories of material found, together with its location and possible owners. Based on the findings, appropriate remedial action can then be taken, such as the secure removal of the material through to the assessment of affected systems for any further compromises by malicious software or individuals.
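To make the asset discovery and scanning phase concrete, here is an added Python example (written for this edit, not any vendor's multi-source image detection tool) that identifies images by their content rather than their file extension and opens zip-based Office documents (.docx, .xlsx, .pptx) to sniff the media they embed, recording location and a content hash so an auditor's later categorisation can be tied to each item. The directory layout, file names and byte strings are constructed test data; legacy OLE formats such as .doc are assumed out of scope.

```python
"""Added example: content-based discovery of image files and of images
embedded in zip-based Office documents, the data-gathering step that precedes
auditor review. Illustrative code, not a scanning product. Legacy OLE formats
(.doc/.xls) are not handled."""
import hashlib
import io
import os
import tempfile
import zipfile

# Magic numbers for common raster formats. The file extension is deliberately
# ignored: a renamed .jpg is still an image.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}


def sniff_image(data: bytes):
    """Return the image format name if the data starts with a known magic
    number, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def finding(container, member, fmt, data):
    """Record where the item was, what it is, and a SHA-256 of its content so
    the auditor's decision can be attached to this exact image."""
    return {
        "container": container,
        "member": member,
        "format": fmt,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_bytes(path, data):
    """Inspect one file: either a bare image, or a zip container (which is what
    modern Office files are) whose members are each sniffed in turn."""
    fmt = sniff_image(data)
    if fmt:
        return [finding(path, None, fmt, data)]
    results = []
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = zf.read(info)
                    mfmt = sniff_image(member)
                    if mfmt:
                        results.append(finding(path, info.filename, mfmt, member))
        except zipfile.BadZipFile:
            pass  # not a readable zip; nothing to extract
    return results


def scan_tree(root):
    """Walk a directory (a user share, a local profile) and return one finding
    per image found, sorted for stable reporting. Paths are relative to root,
    so the first path component names the share or user folder."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                results.extend(scan_bytes(os.path.relpath(full, root), fh.read()))
    return sorted(results, key=lambda r: (r["container"], r["member"] or ""))


def build_sample_tree():
    """Constructed test data: a PNG header with a misleading .txt extension, a
    minimal .docx with an embedded JPEG, and a plain text file."""
    root = tempfile.mkdtemp(prefix="aup_scan_")
    user_dir = os.path.join(root, "shares", "jdoe")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, "notes.txt"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # image disguised as text
    with open(os.path.join(user_dir, "readme.txt"), "wb") as fh:
        fh.write(b"plain text, no image\n")
    with zipfile.ZipFile(os.path.join(user_dir, "report.docx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for item in scan_tree(build_sample_tree()):
        print(item)
```

Run stand-alone it prints two findings: the disguised PNG and the JPEG inside the .docx, while the genuine text file produces nothing. Hashing each image rather than each container is what lets the same picture be recognised when it turns up again in another document or mailbox.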
Appropriately trained individuals should always perform this work with agreement from management to establish requirements, to preserve forensic information and ensure that appropriate remedial action is taken. By taking proactive steps to enforce acceptable use policies, the need to deal with the aftermath of unsuspecting employees being repeatedly exposed to illicit images may be avoided.
Brian O'Donnell, ACA, CISA is a Senior Manager in the Enterprise Risk Services group at Deloitte. He is also a member of the ICAI IT Services Committee, and the President of the Irish Chapter of ISACA.