Child sexual abuse material is a security issue
When a business or organisation decides to take action against child sexual abuse and the spread of child sexual abuse material, departments such as the management team, HR, and legal are likely to be involved. It is also an issue that falls to the department that handles IT security. Here, IT Safety Specialist, Conny Jäverdal from the Swedish Transport Administration, shares how they deal with this issue.
It was in 2012 that the Swedish Transport Administration made the decision to install the software NetClean ProActive to ensure that nobody was viewing or downloading child sexual abuse material on the authorities work computers. Jäverdal oversaw the installation of the software and has been in charge of its use subsequently.
The initiative to install a detection tool was promoted by the HR Department. The decision was based on the moral standpoint that the Swedish Transport Administration should do what it could to fight child sexual abuse, and that it was important for such a big government department to be seen as leading by example.
However, even though the initiative came from the HR department, it was seen as an issue that should be handled by IT security. There are risks and safety concerns linked to all activities on the Internet; but there are several very specific concerns linked to the issue of child sexual abuse, according to Jäverdal who elaborates (below) on the issues on which the Swedish Transport Administration have focused.
Adhering to legislation and policy
Safeguarding the organisation’s computers and other devices so that they are not used to commit crimes, is both a legal and a policy issue.
In Sweden, businesses and organisations have a duty to report any crime that happens in the workplace. It is therefore important to work to prevent crimes from occurring, and to enable the employer to detect crimes if they occur.
There is also the issue of company policy. The Swedish Transport Administration has put in place rules based on ethical and moral values. These rules govern what you can and cannot do in the office and with the equipment that is used there. It is unacceptable that a person should view or download illegal material such as child sexual abuse on devices belonging to their place of work whether it be at work or in their spare time.
Risk taking behaviour
A person who views or downloads child sexual abuse material is engaging in risky behaviour. They will have to lie to their employer and to people around them. It is reasonable to assume that a person who is willing to engage in this type of risky behaviour might break other laws or flaunt company policies.
Risking multiple types of attacks
If an employee is visiting unregulated websites and media, whether it be on their work computer or mobile, they risk that their visit can be traced back to the Swedish Transport Administration. There will be an increased risk of other attacks such as DDOS-type cyber attacks, spam and other threats. There is also a risk that the person will download malware when downloading illicit or unwanted material. The same thing can happen with unverified USB-sticks.
People who engage with this type of illicit material are vulnerable to threats and blackmail. This is a big security risk if the person has a prominent place in the organisation or if they handle sensitive material that they can be blackmailed to divulge.
Caring for our employees
Finally there is the risk that other employees will be subjected to the illicit material. It is perhaps not the biggest security threat, however by protecting the organisation we also ensure that we safeguard our employees from the risk of being subjected to child sexual abuse material.
Conny Jäverdal has worked on IT security issues since the 1980s. He is currently IT Safety Specialist at the Swedish Transport Administration, and has been responsible for the installation and running of NetClean ProActive since the start in 2012. Even though NetClean ProActive was requested by the HR department, it fell to Conny Jäverdal to manage it as alerts triggered by the software are a security issue that need to be handled in a similar manner to other IT security investigations.