by insiders. A recent study by Carnegie Mellon University’s Software Engineering Institute found that 75% of IPTs were carried out by current members of staff.
Companies often do not admit to being victims of IPT, and so it is impossible to quantify the costs. The sums involved can, however, be considerable. In a recent case, a research chemist admitted to stealing $400 million worth of proprietary data from his former employer, DuPont.²
Employees often have access to sensitive personal information which can either be misused by the employee or sold on to a third party. HSBC customers had almost $500,000 stolen from their accounts after an HSBC employee passed on data to criminal associates.³ A Social Security employee in the US sold personal information that was used in a $2.5 million identity theft scheme.⁴
The cost of fraudulent activity extends beyond the losses incurred as a direct result of the fraud – the financial effects of the damage to an organization’s reputation and the loss of customer confidence can far outweigh the cost of the fraud itself.
In most jurisdictions, employers hold some form of liability and accountability for the actions of their employees. According to the ePolicy Institute, 13% of employers have been faced with a lawsuit resulting from the improper use of e-mail by employees,⁵ and such lawsuits can be extraordinarily expensive. Petrochemical company Chevron was ordered to pay $2.2 million to settle a sexual harassment claim that stemmed from inappropriate e-mails circulated by male employees.⁶
From multi-million dollar lawsuits and settlements to public embarrassment and public relations disasters to deliberate sabotage and industrial espionage, the list of risks to which organizations are exposed is practically endless. Monitoring your employees’ computer activities is not a Big Brother tactic; it is responsible business and helps protect both an organization and its stakeholders – including its employees.
MONITORING: HOW TO DO IT RIGHT
Monitoring employees should not in itself be regarded as a panacea for the problems previously discussed. To be effective, monitoring must be introduced as part of a risk management strategy that includes:
Organizations should create an AUP that covers e-mail, internet and applications, and that AUP should be clearly communicated to employees. Should an organization fail to create or communicate an AUP, it will be exposing itself to a myriad of legal problems. In a case in the UK, IBM lost an unfair dismissal case brought by a former employee who had been sacked for using company computers to access pornography. The Tribunal decided that there had been no clear breach of company policy and the former employee was awarded compensation. In order to avoid such complications and potentially costly legal battles, an AUP should:
Be communicated to staff in writing
Clearly set out permitted and prohibited uses for e-mail, internet and applications
Specify the disciplinary consequences of breaching the AUP
Explain the employer’s right to monitor and what will be monitored
Explaining that a monitoring mechanism is in place is important for a number of reasons. Firstly, failing to advise employees that their computer activities will be monitored may be an infringement of their privacy rights in certain jurisdictions. Secondly, if employees are aware that they are being monitored, they are less likely to breach the AUP – and prevention is better than cure. Thirdly, undisclosed monitoring would invariably have a negative impact on staff morale. There may be occasions when unannounced monitoring is deemed necessary, but such action should not be taken without careful consideration and, if there is any doubt as to the legal implications, advice from a qualified professional.
Employee Monitoring: An essential component of your risk management strategy