Securing information: beware the enemy within

The wrong document emailed to the press can ruin a company’s reputation and its share price. Protecting data from the enemy within is far more difficult than detecting 12-year-old hackers

Almost every aspect of a company's business is now held electronically. From invoices to payroll, even the most innocuous data files will be kept, almost indefinitely, somewhere on the typical company network. Some of this information could damage share prices or the company's reputation if disclosed. Information such as staff wages, if revealed, could cause problems with future pay negotiations if everyone knows what everyone else is earning. The list of possible problems if the wrong document gets into the wrong hands is endless. Before the widespread adoption of electronic mail, the photocopier was the tool of the data thief. Today, moving large amounts of information out of the company is easy, and difficult to trace.

Many users also use the Internet for recreational activities while at work. The email filled with rude jokes is an annoyance to some; but a user who unwittingly downloads a network-aware virus and then spreads it throughout the company is a more serious problem. Staff spending a disproportionate amount of their work time surfing the Web from the safety of their own desk has now replaced the more banal time-wasting activities traditional in the office. The content downloaded by users can slow down network performance and fill up network drives with junk. A network drive filled with explicit material is the legal responsibility of the company and can cause a great deal of embarrassment if audited.

Content inspection tools

The dual problem of unauthorised document disclosure and inappropriate web content is being addressed by several new products. Two of the most notable ranges of software applications in this field are Symantec's Gear and Content Technology's Sweeper products. Both companies offer software that can monitor Internet web pages, email and FTP traffic moving through an Internet gateway. The web inspection software uses two methods. The first looks for inappropriate words on a web page and then either blocks the page or notifies a network administrator that a user has accessed a page containing inappropriate words. The second is a list of unauthorised web sites (an extensive list is supplied with both of these programs). These sites are blocked for users, and the list can be added to as new illegal sites appear. These programs are policy-based, so groups of users can have different policies depending on their role (and seniority) within the company.
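The two gateway inspection methods described above (word scan and site blocklist) applied under per-group policies, as an added illustration that is not code from either product named in the article; the group names, blocklist entries and word list are constructed placeholders.

```python
"""Toy policy-based gateway content filter (illustration only)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample lists; a vendor-supplied list would be far larger.
BLOCKED_SITES = {"badsite.example", "warez.example"}
INAPPROPRIATE_WORDS = {"jackpot", "casino"}


@dataclass
class Policy:
    block_listed_sites: bool  # drop requests to listed sites
    keyword_action: str       # "block", "notify" or "allow" on a word hit


# One policy per user group, as the article describes (constructed).
POLICIES = {
    "staff": Policy(block_listed_sites=True, keyword_action="block"),
    "managers": Policy(block_listed_sites=True, keyword_action="notify"),
    "research": Policy(block_listed_sites=False, keyword_action="allow"),
}

WORD_RE = re.compile(r"[a-z']+")


def find_words(page_text):
    """Return the inappropriate words found in the page body, sorted."""
    words = WORD_RE.findall(page_text.lower())
    return sorted({w for w in words if w in INAPPROPRIATE_WORDS})


def inspect(group, url, page_text):
    """Decide what the gateway does with one fetched page for one group.

    Returns (decision, reason); "notify" means the page is delivered and
    the administrator is alerted, which is where the false positives the
    article worries about end up, so the reason names the matched words.
    """
    policy = POLICIES[group]
    host = urlparse(url).hostname or ""
    # Method two: site blocklist, matched on the host and its subdomains.
    if policy.block_listed_sites and any(
        host == s or host.endswith("." + s) for s in BLOCKED_SITES
    ):
        return "block", f"listed site {host}"
    # Method one: scan the page body for listed words.
    hits = find_words(page_text)
    if hits and policy.keyword_action != "allow":
        return policy.keyword_action, "words: " + ", ".join(hits)
    return "allow", "clean"
```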

Policy-based software can also solve some of the problems of document security. Products such as Data Fellows' F-Secure allow documents to be automatically encrypted across the entire network and only decrypted by authorised users. Even if a file is sent out of the company via email, it can be automatically encrypted so that if the recipient is not authorised, they cannot open it. If a user tries to duplicate a file, the duplicate is also encrypted.

New picture inspection software from a British company based in Cambridge now claims to be able to spot pornographic images. Using pattern recognition technology, the software sits on desktop PCs, servers or Internet gateways and looks for pornographic content. If the software sees a large expanse of skin tones, or certain types of shapes and colours that it associates with explicit images, it notifies the system administrator to check the image.

All of these software products are aimed at automating the process of content inspection, but their very use can cause both legal and moral dilemmas.

Legality and morality

The running of these inspection packages is transparent to users and is normally the domain of the IT department. One serious problem is who becomes the office "policeman": should the power be in the hands of properly trained HR staff, or Bob - the head of the IT help desk? The reins of power for monitoring employees are primarily held by the IT staff who implement and manage these systems. Most of these systems are set to an active mode that prevents suspect web pages from being loaded or blocks email attachments containing video clips or large image files. More covert options allow you to create electronic dossiers on the data traffic of each user. These dossiers are useful weapons for staff disciplinary procedures or for waging internal politicking. A personal medical problem conveyed in an email to a friend could be intercepted by Bob on the IT desk because certain word patterns alerted the explicit-content sensor of the inspection software. The ethical question of who becomes the moral guardian of your corporate environment is a thorny one, but is comparable to the legal vagueness of the situation.

As more and more information goes electronic, the laws which surround surface mail are likely to be reviewed to account for the intricacies of the Internet age. Even in the US, considered the blueprint for technological change and Internet growth, the laws surrounding data privacy are still very vague. The tough Privacy for Consumers and Workers Act was rejected by the Senate in 1993; the employer-friendly Electronic Communications Privacy Act, which gives employers the right to examine any stored staff email, was accepted. Legal test cases in the US on email monitoring have also favoured employers over workers. The case of Alana Shoars vs. Epson America, Inc. is one such example. Ms Shoars was fired for insubordination after catching a manager printing out and reading every email she had sent both in and out of the company, and sued. The case for wrongful dismissal and infringement of civil liberties was dismissed, as she had no case under the provisions of the Electronic Communications Privacy Act.

The UK's own Data Protection Act fails to cover privacy at work. This is likely to change if the widely rumoured post of minister for the Internet is created. So far, with few test cases to provide precedents and with the changing nature of the Internet, monitoring email content without due warning may, at some point, cause a major lawsuit.

Setting up a fully automated inspection suite is technically possible now. In fact, the software is very easy to deploy and use. Legally, the employer has little to worry about regarding infringing any legislation. But the question of content inspection is more one of corporate culture. The slowness of the Internet at 5:30pm on a Friday is a given phenomenon now. Groups of staff tittering at a satirical website are the equivalent of the photocopied joke memos of the past. Creating an environment of oppressive security may well foster resentment, and could encourage attempts to "beat the system", ultimately leading to a more counterproductive environment.

At the moment, the IT department can look at almost any file on the system. Even secret passwords held by users are "backed up" by the IT department in case of user forgetfulness or unexpected staff departure. If you are worried about staff abusing your IT resources, the IT department can become the network police. But who watches the watchers?

One solution may be to set up company-wide policies regarding content monitoring. Drawn up in consultation with staff, line managers and HR departments, comprehensive guidelines will stop both employees abusing electronic communications and managers using monitoring as a way of persecuting staff. These policies would form part of an employee's contract and apply equally to every member of the company. The monitoring software is not particularly complex, and properly trained HR staff can use it to enforce these policies without prejudice. This solution moves the power away from IT departments, who are not necessarily trained to deal with these responsibilities.

Will Garside