Source: theHRDIRECTOR Date: October 2006
In the race by business and industry to embrace the benefits of technology, many attendant risks, severe in their potential impact, are often overlooked, ignored or insufficiently accounted for. Edward Wilding, Co-founder and Director of Data Genetics International (DGI), and author of ‘Information Risk and Security – preventing and investigating workplace computer crime’, highlights the danger areas for computer misuse.
Traditional security doctrine has emphasised risks external to the organisation, i.e. those that originate beyond the corporate firewall. In practice, however, the most threatening frauds, computer crimes and misdemeanours – those that may even threaten the organisation’s viability – overwhelmingly reside within the firewall. Trusted managers, employees, contractors and associates have the requisite access to sensitive systems and processes and the knowledge to inflict the worst damage, as well as to conceal their crimes and evade detection should they so choose.
There are some key technical factors that serve to undermine the protection of Intellectual Property and corporate data, principally:
- The ICT profession’s continuing obsession with external threats outside the firewall
- The ease with which information can be copied seamlessly and undetected using a range of high capacity data storage devices and transmission methods, all of which are effortless to use
- Unsupervised employee access to electronic mail, the Internet and high-speed communications
- Poor ICT security with inadequate audit trails and network and firewall monitoring
- An erosion of employee loyalty which, when combined with managerial complacency or inattention, greatly exacerbates the risks of fraud, IP theft and the deliberate leaking of information.
Reacting effectively and appropriately to the fraudulent, hostile or disaffected employee is a complex task that is fraught with difficulties, as many employers have found to their cost.
PRE-EMPTIVE STEPS
A comprehensive and transparent policy on the acceptable use of information and communication technology (ICT) in the workplace is therefore mandatory, for the simple reason that employees cannot obey rules that do not exist or that have never been expressly and unambiguously stated. Disciplining and potentially dismissing staff for contravening non-existent rules is clearly untenable. Management often wrongly presumes that the summary dismissal of an employee for a perceived misdemeanour at work – particularly one that transgresses the commonly accepted boundaries of decency and standards – is fair, proportionate and appropriate. However, in the UK, precedent indicates that this is not the case. In July 1998, an employment tribunal heard the case of Dunn v IBM United Kingdom Ltd:
Mr Dunn had used his employer’s computers to access pornographic websites. IBM concluded that this constituted gross misconduct and dismissed him. However, the employment tribunal upheld Mr Dunn’s complaint of unfair dismissal. The tribunal concluded that Mr Dunn’s actions were not indisputably a breach of IBM’s policy and did not, therefore, warrant summary dismissal. The Tribunal added that Mr Dunn had also been dismissed unfairly because IBM’s policy did not indicate that dismissal would result from his actions.
The ICT acceptable usage policy needs to be comprehensive, explicit and unequivocal in its stipulations and, in addition, contractually binding. In the absence of such a policy, the employer may have no grounds for dismissal or scope to reprimand an employee who misuses systems in the workplace. The policy outlines relevant laws and those actions that may render the employee liable to criminal prosecution. So that there should be no misunderstanding, the terms of the Computer Misuse Act 1990 should be written into each employee’s contract of employment, and all employees should be expected to understand the principal tenets of this legislation. It is essential that the employment contract is unequivocal in defining and asserting the organisation’s Intellectual Property and its copyright.
The policy should be maintained and should reflect current law and technological developments. An outdated policy that does not account for changes in legislation or technology may prove a severe hindrance to the conduct of disciplinary or legal proceedings. The ICT acceptable usage policy should be binding with the employee signing a contract stating that he or she has read and understood the policy, and accepts its provisions. A copy of the completed contract should be given to the employee and a copy retained by the organisation.
There is a further very practical reason why this policy is essential – in crude terms it delineates the ‘rules of engagement’ by serving notice on the employee, that the organisation reserves the right actively to monitor and record information that is transmitted and stored using its ICT resources. From an investigative perspective, this contractual notification is the bedrock upon which any enquiry commences.
EXIT PROCEDURES
Set out below is a checklist of steps that should be taken as soon as the employee is notified of their dismissal or, depending on the circumstances, at the earlier point of suspension:
- Don’t dismiss; suspend. It is wiser for an employer to suspend an employee rather than dismiss them, as this way they are able to recall the employee for interview as part of any internal investigation.
- Accompany any employee who is being removed from the workplace until they have left the premises.
- Ensure the employee surrenders all company-owned laptop computers, notebooks, PDAs (personal digital assistants), mobile telephones or other electronic devices or access control devices as soon as the dismissal or suspension is imparted. It is important to ensure that the employee is not given an opportunity to wipe such devices clean of data before returning them.
- Inform the IT department that the employee’s computer accounts should be deactivated immediately, including any remote access and database accounts. Failure to do so allows a disaffected employee to access computer systems and cause havoc by amending or deleting data and systems, or to misuse company confidential information to compete. Employees who have committed misconduct could also destroy or amend potentially incriminating documents and e-mails, or misuse other employees’ accounts – the ever-present danger of people and departments sharing passwords only adds to this risk. Administrative passwords should be changed on all systems and an audit conducted for each system to identify any obvious vulnerabilities.
- Particular care is needed where the disaffected employee is a network administrator. Such employees may implement unauthorised ‘backdoors’ into the systems that they administer or maintain, which they may use to obtain remote access regardless of whether their official dial-in account is revoked.
- Ensure data from all computer systems (including laptops, etc.) is secured in a forensically sound manner. The data need not necessarily be reviewed but it should at least be archived in the event that the employee brings a tribunal claim.
- Ensure remote access server and network audit monitoring are effective to record any attack on the systems – without audit trails and event logging, it will be difficult to investigate or prosecute computer misuse.
- Prevent potential intrusions – change passwords, change locks and update security passes!
- Telephone answering systems and voicemail should also be secured against tampering or the unauthorised re-recording of answer messages.
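The account-related steps of the checklist above (deactivate every account at once, remote access and database accounts included; reset administrative passwords; review anything a departing administrator provisioned for others; treat shared passwords as compromised; then rely on the audit trail to catch any attempt to use the revoked access) can be turned into a repeatable routine. The following is an added example, not code from the article or from DGI. It works over a constructed in-memory account inventory and a handful of constructed remote-access log lines; the `Account` fields, the log line format and the `created_by` attribute are assumptions standing in for whatever the real directory, VPN and database administration interfaces expose.

```python
"""Offboarding helper: disable a leaver's accounts, list the follow-up actions
the checklist calls for, then watch authentication logs for use of the
revoked or shared credentials.

Added example. The inventory, log format and field names are constructed;
a real deployment would replace the in-memory list with calls to the
directory, remote-access and database administration interfaces.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Account:
    system: str                  # e.g. "domain", "vpn", "crm-db" (constructed)
    username: str
    owner: str                   # employee the account is issued to
    created_by: str              # who provisioned it (assumed attribute)
    is_admin: bool = False
    active: bool = True
    shared_with: list = field(default_factory=list)  # others known to use the password

    @property
    def key(self):
        return f"{self.system}:{self.username}"


def offboard(inventory, leaver, actor, audit_log):
    """Deactivate every account owned by `leaver` and return follow-up findings.

    - deactivated: the leaver's own accounts, disabled in one pass
    - admin_password_resets: live admin accounts on every system the leaver could reach
    - admin_created: accounts the leaver provisioned for others (possible backdoor; review)
    - shared_credentials: other people's accounts whose password the leaver knows (reset)
    """
    leaver_systems = {a.system for a in inventory if a.owner == leaver}
    findings = {"deactivated": [], "admin_password_resets": [],
                "admin_created": [], "shared_credentials": []}
    for acct in inventory:
        if acct.owner == leaver:
            if acct.active:
                acct.active = False
                findings["deactivated"].append(acct.key)
                audit_log.append(f"OFFBOARD actor={actor} disabled {acct.key}")
            continue
        if acct.is_admin and acct.active and acct.system in leaver_systems:
            findings["admin_password_resets"].append(acct.key)
        if acct.created_by == leaver:
            findings["admin_created"].append(acct.key)
        if leaver in acct.shared_with:
            findings["shared_credentials"].append(acct.key)
    return findings


# Constructed log format: "<timestamp> <system> auth-ok|auth-fail user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) auth-(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def post_offboarding_alerts(log_lines, disabled, watched):
    """Flag every authentication attempt against a disabled account, and any
    successful use of a shared credential the leaver knows before it is reset."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an authentication record; ignore
        key = f"{m['system']}:{m['user']}"
        if key in disabled:
            alerts.append((m["ts"], key, m["src"], "attempt on disabled account"))
        elif key in watched and m["result"] == "ok":
            alerts.append((m["ts"], key, m["src"], "shared credential used before reset"))
    return alerts


def build_sample_inventory():
    """Constructed inventory: jsmith is the leaver and also provisioned svc-backup."""
    return [
        Account("domain", "jsmith", owner="jsmith", created_by="helpdesk"),
        Account("vpn", "jsmith", owner="jsmith", created_by="jsmith"),
        Account("crm-db", "jsmith_rw", owner="jsmith", created_by="dba"),
        Account("vpn", "svc-backup", owner="ops", created_by="jsmith", is_admin=True),
        Account("crm-db", "sales_shared", owner="sales-team", created_by="dba",
                shared_with=["jsmith", "ajones"]),
        Account("domain", "Administrator", owner="it", created_by="it", is_admin=True),
        Account("email", "ajones", owner="ajones", created_by="helpdesk"),
    ]


SAMPLE_LOG = [  # constructed remote-access and database authentication records
    "2006-10-02T09:14:03 vpn auth-fail user=jsmith src=203.0.113.7",
    "2006-10-02T09:14:41 vpn auth-fail user=jsmith src=203.0.113.7",
    "2006-10-02T09:20:12 vpn auth-ok user=ajones src=198.51.100.22",
    "2006-10-02T10:03:55 crm-db auth-ok user=sales_shared src=10.0.4.15",
    "2006-10-02T10:05:00 crm-db auth-fail user=sales_shared src=10.0.4.15",
    "malformed line that is not an auth record",
]


def run_example(leaver="jsmith"):
    """Run the offboarding pass and the log check; returns (findings, alerts, audit_log)."""
    inventory = build_sample_inventory()
    audit_log = []
    findings = offboard(inventory, leaver, actor="hr-offboarding", audit_log=audit_log)
    alerts = post_offboarding_alerts(SAMPLE_LOG, set(findings["deactivated"]),
                                     set(findings["shared_credentials"]))
    return findings, alerts, audit_log


if __name__ == "__main__":
    findings, alerts, audit_log = run_example()
    for name, items in findings.items():
        print(f"{name}: {items}")
    for alert in alerts:
        print("ALERT", alert)
```

Two design points follow the checklist rather than convenience: the leaver's accounts are disabled before anything else is examined, so a lapse in the follow-up review cannot leave an active login behind, and the audit log entry records who disabled what, which is the trail a later tribunal or prosecution will ask for. The `admin_created` list is deliberately a review queue, not an automatic deletion: an account a departing administrator created may be a legitimate service account, and the checklist asks for an audit of each system, not blind removal.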
MOBILE WORKING AND THE ASSOCIATED RISKS
The current trend for ‘home working’ and ‘remote working’ poses additional risks and difficulties from a control and audit perspective, all the more so if employees use their own laptop computers, PDAs, mobile telephones or other devices to connect to company networks. The immediate framework of control, in the form of strictures on the use of corporate IT systems, monitoring and day-to-day management, is less apparent to the home worker, who may opt to bypass the corporate intranet, mail systems and firewall entirely and engage directly in unauthorised negotiations or transactions using his or her own unregulated systems. There is a real danger that the home worker may enter into commitments, contractually binding on his employer, that are unregulated or ill-considered, and that are not recorded anywhere within the corporate network.
There is also the risk that the employee, uninhibited by the presence of colleagues, managers and the internal audit department, may be tempted to stray from the narrow path of righteousness and enter into collusive arrangements with others, using systems that are not, and cannot be, policed or monitored by his or her employer. Fraud flourishes in a control vacuum – psychologically, the bedroom study or the garden shed are far less exposed environments than the office desk for committing fraud or wrongdoing.
In the UK, the unauthorised inspection of a computer system (for example, one purchased by an employee for home use) constitutes a criminal offence under s.1 of the Computer Misuse Act 1990. Therefore, in order to ensure that the employer has rights of access to the hardware necessary for home working, it is important the employer pays for the equipment and retains all receipts. Similarly, it may be preferable for an employer to provide mobile telephones and pay for all cellular billing itself so it can legally undertake call log analysis.
Although advisable, it is rare for employers to stipulate a ‘right of access’ to computer systems used by any employee for business purposes at home as part of the standard employment contract, and it is normally impossible to access someone’s home computer without a court order. This is the case even when the employee is in possession of company data. Obviously, if the employer has supplied the computer for home use it has the right to demand the machine’s return – but not necessarily a right to enter the user’s residence, or to inspect the computer’s contents or any other materials in his possession.