Should IS Serve or Police?

Not long ago a staff member of a prominent Australian company sent an e-mail filthy enough to make a sailor blush to 12 separate organisations, including two federal government departments, under the company name.

Another employee, this one working at a leading Australian travel company, unintentionally forwarded the company customer list to a competitor after choosing the wrong alias.

Then there was the ministerial press secretary who took enormous exception to some critical comments on an Internet mailing list, but accidentally e-mailed his controversial and "confidential" refutation to the whole list, not the individual author, thus exposing his minister to even further criticism.

These and numerous other damaging incidents are proving impossible for CIOs to ignore.

It's not just that e-mail misuse, high levels of pornographic content, and sexual and racial harassment via e-mail are exposing employers to legal liability -- although when it comes to e-mail there's plenty of evidence of shady dealings being committed by cyberspace perpetrators who wouldn't dream of otherwise breaching the law. "If you sent around pornography in the office, or asked someone to come over to your desk and look at something graphically pornographic, you would be in breach of every company policy in the country," says Alan Schaverien, managing director of e-mail protection company Content Technologies. "Yet there is some sort of psychological distancing people have when they send the material to someone else on the computer, and people's behaviour does change."

It's also that e-mail is clearly costing companies huge amounts in lost productivity, forcing massive upgrades in storage and adversely affecting services. One company's e-mail traffic load dropped by 80 per cent after it took the decision to block all images. When the City of Melbourne's e-mail traffic started creating a bottleneck in its external pipeline, the city found employees had received 800 incoming e-mails with attachments in a single month. Less than 10 per cent of those attachments were work-related; half of the remaining 90 per cent could be categorised as unsavoury material, the rest being private material including family snapshots.

"It's obviously a problem with the bandwidth," says information manager Mike Healey, "but it is also creating a problem of potential harassment issues, and there are potential litigation issues. If City of Melbourne was seen as the addressee on something that went out and it was illegal material, then City of Melbourne could be found legally liable."

In a climate where e-mail is becoming the single most vital desktop application and where businesses stand or fall on the openness of their lines of communication, organisations are realising they have to make serious inroads into cleaning up enterprise e-mail or face the -- potentially dire -- consequences. Not only must every organisation lay down the law on e-mail use, they must also step up efforts to detect and punish breaches.

But is it up to CIOs to don the blue uniform and turn law enforcer? That's a definite "yes" as far as Keith Revell, general manager IT shared services with Orica, is concerned. "I think we have to be policemen," Revell says. "It has caused us some problems, because some of our businesses think we are being too much of a policeman. But I guess we have a duty of care to our employees to try and protect them from disinformation and pornographic information, the greatest risk being that it gets circulated internally when we have the tools and capability to stop it."

Peter Dunn, CIO of AMPlus (the business unit providing IT services within AMP), agrees that when it comes to e-mail, CIOs have to take on the twin roles of service provider and policeman. "On the service provision front we do very carefully look after our e-mail system. It's the absolute lifeblood of the organisation, so I definitely see that as part of my responsibility." But Dunn also enforces AMP "law" by using firewalls to detect and block inappropriate messages from outside the organisation. He is also considering taking that policing role further by committing to internal monitoring of e-mail. "We are looking at, and may well commit to, an internal monitoring device on our internal systems, so once you get inside the firewall we will be monitoring e-mail traffic within AMP to pick up the offensive traffic."

No Consensus

But not every CIO is entirely comfortable with the notion of taking up the baton and joining the boys in blue in the interests of protecting the organisation from e-mail abuse.

When IDC user programs manager Peter Hind discussed the issue with InTEP members recently the group achieved no consensus on whether it was better for CIOs to "serve" or to "police". As Hind put it in his September column in this publication: "After all, IS has spent years trying to foster business ownership of the IT systems. If end users now utilise these systems inappropriately is it the CIO's job to stop them? If so, then it changes the dynamics of the relationship between IS and the business from one of servant to one of policeman."

Southcorp IT manager Peter Rogers is one IT executive who isn't entirely comfortable with the notion of shifting the dynamics of the relationship. Rogers says that within Southcorp IT has acted as a policeman from time to time (more through monitoring Web use than e-mail), but says he's never been entirely happy with the role. "We've been pretty uncomfortable about doing that because we don't see it as being an IT function; but it's a case of no one else seems to see it as theirs either," he says. "It's sort of an extension of the security requirement that we've got."

But City of Melbourne's Healey has no problem accepting such an evolution in the relationship between IS and the business. He argues that in organisations where IT is already in charge of voice it makes perfect sense for IT to apply similar management techniques to e-mail. "Why should IT be the policeman?" Healey asks. "Historically IT in our organisation is responsible for voice, and in terms of the responsibilities we have with telephones, we have the same sorts of problems. We have STD bars on phones or we monitor people who spend too long on the phone."

But while IT accepts that part of its role is to detect and expose excess telephone use, via a range of minimisation strategies, it relies on line managers in the business to take responsibility for law enforcement and punishment. "Now exactly the same thing applies in the Internet environment, so we're monitoring the environment and we're looking for excesses. And we once again highlight where there are excesses and send them to the line manager," Healey says.

But there's an even more compelling reason than past practice for CIOs to consider becoming e-mail police. In a previous incarnation David Thompson, national director of the e-security business group in Deloitte Touche Tohmatsu, headed up the computer crime group in Victoria police. Thompson points out that unless e-mail servers and the applications on them are set up properly, the well-known weaknesses in e-mail programs could expose the organisation to potentially serious breaches. In this area the CIO or IT manager is probably best equipped to oversee management of that risk.

"If an e-mail server is not properly configured, [then] an e-mail that is structured to take over control of the system by exploiting a weakness, a security hole or a bug can give a user on the outside of the system the ability to pick the lock, so to speak," Thompson says. "There are certain known weaknesses that allow people to elevate their access rights on a system, or to get access to the system administrator's power of running a command, so they can run scripts to take over control of the system and execute processes that are not allowed to be run by an outsider."

Thompson argues this puts the issue of corporate messaging policy and control firmly in the CIO's lap. "It's very much part of the CIO's role," he says. "It's a new technology that organisations are still grappling with. They're very familiar with the benefits of using desktop technology applications, but below that someone has to take responsibility for the network and its services."

Damaging Exposure

CIOs and security managers who have, like the City of Melbourne, taken the trouble to analyse their e-mail traffic know just how seriously e-mail can be abused in organisations without a clear corporate message policy. Pornographic images and offensive jokes are spreading like viruses. When Schaverien spoke to a security manager for an organisation of several thousand people the security manager said he was shocked and felt undermined by the volume and graphical nature of the material coming in.

"He defined it in several ways," Schaverien says. "First, there was the pin-up style; then there were people involved in sexual acts; then there were several people involved in sexual acts, either with other people or with animals; and then there's the truly illegal stuff, which may involve children. And there's the extraordinary situation where people take pictures of themselves and send them around the office, and hold quite open discussions on e-mail about their sexual encounters.

"The issue isn't so much that people want to do this: I think [that's] their business. But the issue is that when it's done at work and sent from work and you send it with a .com domain, it's come from [the company]. This is the real problem."

There are also other and equally serious business risks, including loss of information, reduced operational effectiveness, breaches of confidentiality, exposure to legal liability, lost productivity, and damage to the corporate reputation. Network integrity can be hit by infection from e-mail-borne viruses, by serious network congestion through system misuse, and by loss of network service from spam and spoof attacks. A survey by Content Technologies in 1999 showed just how vulnerable organisations were to spoofing, with 95 per cent of respondents saying they wouldn't think to question the origin of an e-mail purporting to come from their manager or supervisor.

But despite the dangers of unrestricted use, e-mail presents enormous benefits to organisations. It is, after all, an extremely useful means of communication, and clamping down on it too hard could seriously impede employees' ability to do their jobs. A balance has to be found, and it is here that a corporate messaging policy, whether developed by the business or IT, has such a vital role to play.

Before any police force can go to work its members must have clearly defined laws to work with. The corporate messaging policy lays down the law, spelling out in no uncertain terms acceptable e-mail use and the way the enterprise will deal with breaches. The areas it should address include overuse, discrimination and harassment, copyright, defamation, spamming, employee privacy rights, and revelation of trade secrets. Employees also have legitimate expectations of privacy in relation to their e-mail communications, which have to be balanced against the corporate interest. The messaging policy should make clear the rights of employees in relation to their electronic messages.

The policy should cover storage requirements, whether back-up copies are stored on the server and who has access to them, and the level of privacy employees can generally expect. It should clearly spell out exactly what categories of e-mails should be retained and which destroyed, recognising the potential for old e-mail records to provide a smoking gun in litigation. It should also spell out the circumstances in which management has the right to read and take action on employee e-mail, the legal risks associated with e-mail, and the unacceptability of using e-mail to abuse or harass other employees.

At Orica, Revell focuses on service delivery in accordance with business requirements, while the CIO focuses on formulating strategies and policies. The CIO has reached agreement with the business on a level of security regarding e-mail and Internet use for the organisation and developed a policy to reflect those decisions. Revell, meanwhile, applies and enforces that level of security through monitoring, awareness raising and quarantining of e-mail into and out of the organisation. "Everybody signs what the security requirements and policies are and how it applies to them; we make it very clear when they log onto a PC what their obligations are, and if e-mail is abused then disciplinary action is taken," Revell says.

Any messaging policy needs to be updated on a regular basis, says Healey, who is in the process of rewriting the City of Melbourne policy, but who admits the technology continues to move faster than the policy can. "The technology continues to be a step ahead of our policy, and the policy is always in catch-up mode. When e-mail first came out and we put out a policy, I don't think anyone would have envisaged that this whole pornography would suddenly become attached to it," he says.

It's vital to let employees know about exactly what the policy covers through frequent training and awareness seminars, Healey says. City of Melbourne employees have been alerted to the policy in the newsletter sent to all staff and through messages from the CEO warning that breaches may incur severe disciplinary action leading to potential dismissal. Staff know that both internal and external pipes are monitored and that their chances of being caught should they breach the policy are strong. "I think the internal program has been effective in making our staff aware they shouldn't be sending such stuff out," Healey says.

Because laws in themselves are virtually useless and will be ignored unless they're backed up by a determination to actively detect and punish breaches, Dunn also makes sure AMP staff know they will be dismissed if they breach the corporate policy. "And we have, in fact, dismissed a number of employees where that has been the case. So we have a policy, we have executed that policy, and the word is getting around pretty smartly. That is a behaviour change you have to build up over time," he says.

Based on his previous police experience Thompson says some organisations will prefer to automate policy enforcement by using scanning technology capable of providing control and management options at a technical level. Dunn agrees, saying just letting employees know their e-mail may be monitored can be an effective deterrent. "As soon as you let people know that you have that capability, those few who might be inclined to take advantage quickly get the message," he says.

And monitoring is growing in popularity. A survey of privacy in the workplace, conducted by PricewaterhouseCoopers early last year, found that 13 per cent of Australia's top 100 companies regularly monitor e-mail and 6 per cent read messages. About 15 per cent of companies that monitor do not tell their employees.

But some CIOs remain sceptical about the value of content scanning technologies. At Southcorp, Rogers says content scanning is not only difficult to do, but not likely to pick up a significant percentage of abuses. "You're really talking about the odd 5 to 10 per cent, in my opinion, and the amount of effort to try to control that is too difficult," he says.

On the other hand, Bob Reynolds, assistant director information services with the Victorian Department of Human Services, points out that using a content monitoring technology like MimeSweeper not only helps detect inappropriate e-mails but has another advantage in its ability to virus check e-mails. "And it's surprising, we get a lot of viruses. In a 24-hour period we might get six to eight viruses a day coming in from external sources, but MimeSweeper stops them dead," he says.
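The gateway-style controls the article describes (blocking all images, quarantining attachments for virus checking, catching mail that purports to come from an internal manager but arrives from outside, and reporting excesses to the line manager) can be sketched as a simple scanning policy. This is an added Python example, not code from the article, from MimeSweeper or from any of the organisations quoted; the domain example.org, the blocked-type lists and the sample messages are all constructed.

```python
from collections import Counter
from email import message_from_string
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.org"                 # assumed organisation domain (constructed)
BLOCKED_IMAGE_TYPES = {"image/jpeg", "image/gif", "image/png"}
QUARANTINE_EXTS = (".exe", ".vbs", ".scr", ".bat")

def build(frm, to, attachments=()):
    """Construct a sample RFC 822 message (constructed test data, not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, to, "sample"
    m.set_content("body text")
    for fname, ctype, data in attachments:
        maintype, subtype = ctype.split("/")
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=fname)
    return m.as_string()

def scan(raw, arrived_from_outside):
    """Return (verdict, reasons); verdict is 'deliver', 'block' or 'quarantine'."""
    msg = message_from_string(raw)
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("<> ").lower()
    # An internal From: header on mail that came in over the external link is the
    # "message from your manager" spoof the survey says staff never think to question.
    reasons = ["spoof: internal sender address arrived from outside"] if (
        arrived_from_outside and sender_domain == INTERNAL_DOMAIN) else []
    for part in msg.walk():
        ctype, fname = part.get_content_type(), (part.get_filename() or "").lower()
        if ctype in BLOCKED_IMAGE_TYPES:
            reasons.append(f"image blocked: {fname or ctype}")      # the block-all-images rule
        if fname.endswith(QUARANTINE_EXTS):
            reasons.append(f"executable quarantined: {fname}")     # held for virus checking
    if any(r.startswith(("spoof", "executable")) for r in reasons):
        return "quarantine", reasons
    return ("block", reasons) if reasons else ("deliver", reasons)

def report(traffic):
    verdicts, excesses = [], Counter()   # excesses: per-sender tally for the line manager
    for raw, outside in traffic:
        verdict, _ = scan(raw, outside)
        verdicts.append(verdict)
        if verdict != "deliver":
            excesses[message_from_string(raw)["From"]] += 1
    return verdicts, excesses

SAMPLE_TRAFFIC = [  # constructed messages, not real captures
    (build("ann@example.org", "client@partner.example"), False),
    (build("ann@example.org", "mum@home.example", [("holiday.jpg", "image/jpeg", b"\xff\xd8")]), False),
    (build("boss@example.org", "ann@example.org"), True),
    (build("x@evil.example", "ann@example.org", [("invoice.scr", "application/octet-stream", b"MZ")]), True),
]
```

Running `report(SAMPLE_TRAFFIC)` yields one verdict per message plus a per-sender count of policy hits, which is the kind of "excesses" list the City of Melbourne hands to line managers rather than acting on itself.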

It seems these and other emerging technologies may prove the weapons in CIOs' armouries, as they increasingly -- albeit reluctantly -- become the e-mail police of their organisations.
