It’s a sunny Friday and the company IT manager is kicking back. The office is quiet and life is easy. That’s until the managing director storms in, brandishing a copy of the paper and wanting to know if the business is protected in the event of staff sending or receiving pornographic email.
Bosses all over Ireland may well be getting hot under the collar since it emerged last week that Merrill Lynch, the investment bank and financial advisory firm, sent home more than 20 employees from its Dublin office for having sent pornographic emails and warned a further 10 staff over inappropriate email use.
It’s far from an isolated incident. The very same week, the Driver and Vehicle Licensing Agency in Swansea sacked 14 staff and disciplined 101 for offences such as sending obscene emails. John Nolan, CEO of the security software company PixAlert, believes this online pornography problem is widespread. “In our experience, most companies have it in email and aren’t aware of the extent of the problem,” he says.
The potential pitfalls for a company range from reputational damage to outright business disruption, especially if several members of staff are involved in downloading or distributing porn via email and the internet. There’s the direct cost to business of workers who may be doing this on company time. There could also be legal problems if an employee decides to take a sexual harassment case against the company for being exposed to such content in the workplace.
In addition, security experts say that pornographic websites carry a higher security risk as they have been found more likely to contain viruses or harmful code, bringing further potential for damage to a company’s IT systems.
Not for the first time, it’s a case of technology as the cause of — and solution to — a business problem. Although easy access to the internet at work is likely to mean that some proportion of staff may misuse it, there are various products available to prevent them from doing so.
Installing technology can help an employer to show it is doing something about the problem. “The bottom line is that if this came to an employee taking a case against the company for finding offensive material, the employer has to demonstrate they are taking due care to protect the employees,” points out Sean O’Connell, security consultant with CA.
The most common protection tools are content filters, which check websites visited against a blacklist of known pornography sites. These applications can then block access to those pages if a member of staff types in the web address.
Mathieu Gorge, managing director of the IT security consultancy Vigitrust, says that such systems are available as software to be loaded onto a server or as a bespoke hardware appliance.
The systems govern where users can and can’t visit on the internet during working hours and they can be set up in many different ways. “You can have a particular group of users allowed to visit certain types of sites and within each group you can have different rights. You can also have quotas such as up to two hours per week for non work-related web browsing,” Gorge suggests.
Email filtering is another issue and O’Connell recommends this is a trickier task which should be handled separately from web traffic. According to O’Connell, companies where instant messaging use is widespread should also be watchful as this has the facility for sending and receiving image files undetected by other IT security systems.
One shortcoming to filtering products is that they usually only operate at the gateway to the network so that they scan and check what passes into and out of the company’s systems by email or via the internet. Useful as they are, these tools could leave potentially large gaps whereby staff could bring inappropriate content on portable storage devices such as USB keys, CD-Roms or even digital cameras.
By their nature, these would bypass the gateway filter and go undetected once loaded on to a computer. Moreover, conventional blocking technology can’t guard against unsuitable images being sent to PCs from a range of other sources such as encrypted emails or images embedded in other files.
PixAlert developed software to specifically tackle this issue. The difference is that its software is loaded onto each user’s PC so that, regardless of the source, images they will be blurred so that the user isn’t exposed to naked flesh.
Installing technology is important but it’s only part of the issue: staff must also be made aware what they may and may not do when online. To remove any ambiguity, a clearly written policy should be circulated to employees informing them that, for instance, they can only use the internet for company business. Any technology product should support this policy and not be a substitute for it.
A good usage policy should set out what is and is not permitted and should detail the consequences of any breach. This could run the gamut from mandatory email training to financial penalties right up to dismissal. Some employees have tried to fight dismissal in the Employment Appeals Tribunal by claiming that they were unaware that downloading or sending porn wasn’t permitted by the company and there are cases where this defence succeeded.
Legal sources say it’s now extremely unlikely that such a defence would be upheld in a court or tribunal, however. A better rule for businesses might be that when it comes to courts, the best bet is to stay out of them altogether.
Where to find technology to stop your staff looking at the wrong kinds of websites:
www.bloxx.com: Supplier of hardware-based internet filters for networks of 50-50,000 PCs
www.ca.com: International company with filtering software to handle email, web and instant messaging
www.pixalert.com: Irish company based in the Digital Hub with products that blur suggestive or pornographic images
www.surfcontrol.com: Internet security company with products to shield users against a range of internet threats
www.websense.com: Web security and filtering provider with products for the network gateway down to the desktop PC
By Gordon Smith