Employee Downloads: The Other Insider Threat

Carl Weinschenk

Most security folks spend their time worrying about viruses and other malware that may be finding its way into business networks. This CSOonline.com blog suggests that closer attention should be paid to what employees are putting in their machines on purpose.

 

More specifically, the writer says, enterprises should redouble efforts to ferret out child pornography, increasingly prevalent hacking tools and illicitly downloaded copyrighted files. These materials and others can cause big legal, public relations and regulatory problems.

 

The post provides two examples of what could happen if such materials are found. Employee possession of pirated music could lead to an audit by the Recording Industry Association of America and the presence of child pornography could end in the seizure of the entire corporate network. Those two examples alone should be enough to make IT departments take notice.

 

The unfortunate reality is that there simply isn't a one-step way to end the danger. It's unfair, in a sense, since the company is held responsible for things it doesn't know about and of which it doesn't approve. In any case, the blogger suggests establishing and constantly updating computer-use policies -- an example of how to structure such a policy is available at Scribd -- and configuring firewalls to control what comes into the organization. It's important to note that downloads are doubly dangerous: Malware often piggybacks on the illicit files.

 

Vigilance on the part of the organization can help in a few ways: It will make a crisis less likely and, if one does occur, could reduce its severity. It also can help the organization's standing when dealing with the legal, regulatory and public opinion fallout from such an incident.


 

It's been clear for years that the music industry is not taking illegal downloads lightly. Companies should note that earlier this month, the record labels won their first court case. A Minnesota woman was found guilty of illegally downloading and subsequently uploading 24 songs over the Kazaa file-sharing service. The jury awarded $220,000 to EMI Group, Sony SNE, Bertelsmann AG and Warner Music Group. A commentator said the decision may make people think twice about illegally downloading and, if they get caught, more likely to settle out of court.

 

The news is full of disturbing stories of child pornography being downloaded in the workplace. Earlier this month, InformationWeek reports, two former NASA employees were indicted for doing so at the Ames Research Center. If convicted, each man could face 10 years in prison, a $250,000 fine, and be required to register as a sex offender.

 

The New York Public Personnel Law blog discusses the legal attitudes toward people caught downloading pornography at work. The case involved the head custodian at Copiague High School on Long Island, N.Y. The individual and subordinates viewed pornography during two night shifts.

 

The individual had an otherwise exemplary record, and the hearing officer suggested that the punishment should be demotion. Instead, the custodian was terminated. He claimed that the punishment was too harsh, and the appellate court remanded the case to the school district with instructions to determine an alternate punishment. The point the blogger makes is that the court had no objection to the establishment of a computer-use policy and didn't question the right to discipline an employee found in violation of it. In this case, the only problem was in the severity of that punishment.

 

Organizations are right to worry about viruses, worms and other dangerous pieces of code. They should devote a significant amount of time and attention to ensuring that employees don't abuse their online rights in a way that could cause embarrassment or legal harm to the company.



Oct 31, 2007 12:16 PM Mike Smith says:
The suggestion of an audit by the Recording Industry Association of America isn't that big a threat, at least not in the UK. Anyone from the RIAA (or the BPI - the RIAA's UK equivalent) trying to gain access to our corporate facilities without a court order would be promptly marched off the premises. Not only that, they would face legal action under the Computer Misuse Act if they touched any of our machines. Groups like that have NO right of access without a court order - and getting these isn't easy without good prima facie evidence. There may not be a UK-wide policy, but my company would certainly prosecute.
