Controlling the abuse of illegal and inappropriate images in the workplace is an increasingly important part of managing risk for an organisation. Inappropriate use of company computer resources for pornography can lead to a host of problems, including lost productivity, viruses, serious business interruption and civil or criminal lawsuits. But with the a proliferation of plug-and-play storage devices such as MP3 players, USB keys, high speed connectivity and unmonitored out-of-office network activity is it possible to eliminate the risk?

What are the risks?
UK legislation is clear; company directors and the managers they appoint can be held personally liable if negligence is found in the management of data and images on company computers. Prosecution can be carried out under legislation including Child Trafficking and Pornography Acts, Sexual Offences Acts, Obscene Publications Acts and Civil and Human Rights Acts.

Reputational risk is hard to quantify, but if a company is found to have allowed illegal pornography on to its computers, or is sued for sexual harassment it can have serious and long-lasting financial repercussions. Corporate social responsibility requires protecting employees, creating an environment in which employees feel comfortable working and being a responsible part of the business community.

“It doesn’t happen here!”
Don’t fool yourself! According to a recent survey conducted by independent research firm Delta Consulting, 40% of US firms have disciplined staff over image abuse in the previous 12 months. In a UK survey carried out by the CIPD the figure was over 70%.

Results of a recent survey of 400 public sector organisations by the public spending watchdog the Audit Commission, found a 16% increase in cases of staff accessing pornography and that inappropriate material now accounts for almost half of all incidents of computer misuse.

Protection
With the risk of a prison sentence, civil suit or adverse publicity it is surprising that many organisations do little more than install URL blocking systems and think they are covered. According to the Internet Watch Foundation over 20,000 new porn pages are published each day making the prospect of blocking all pornographic websites at the internet gateway next to impossible.

Images infiltrate desktops and corporate networks through many other entry points including CDs/DVDs, USB keys, MP3 players, mobile phones and digital cameras.

Reducing the risk
Organisations can adopt a four step risk assessment methodology to identity and mitigate threats posed by illicit images on corporate PCs.

Step 1: Review - corporate legal and HR policies to gauge loopholes for employee abuse. Ensure:
Clarity in terms of what is acceptable and specifically what is not acceptable;
Policies embrace all possible data entry points for illicit images;
Procedures deal effectively with the discovery of illegal or inappropriate images.

Step 2: Assess - the quantity and severity of illicit images on a company’s network. Software tools are available to assess and report on the state of company resources.

Step 4: Communicate - to all staff, ensuring employees understand new policies and procedures and the repercussions if disregarded.

Step 5: Enforce - an enterprise wide process using monitoring and auditing tools to provide ongoing detection reporting and case management.

Regular audits are essential to track the overall situation and to review compliance with policy. On high risk computers, such as laptops or open access internet PCs, ‘always-on’ monitoring is a more effective strategy.

Conclusion
Clearly it is time for organisations to take action. Policy definition and enforcement, auditing and monitoring at the desktop is the only sure way of dealing with and ultimately putting a stop to an activity which carries a considerable business risk.

PixAlert is exhibiting at Infosecurity Europe 2006.