More than half of the interviewed companies articulate the need to manage risks associated with criminal behaviour. Unlike ethical drivers, these concern risks which occur if and when employees use company IT equipment to commit crimes. It also involves ensuring that companies have done what they can to manage these risks.
Criminal behaviour of any type is a risk to companies. However, whereas some crimes directly affect businesses, such as bribery or corruption, other crimes have an impact on society rather than directly on businesses. Both child sexual abuse (CSA) crime and environmental crimes, although otherwise very different, are examples of such offences; they often don’t have a direct impact on the company, but are still important to mitigate.
Companies have routines and control measures for other types of criminal and problematic behaviour, and it makes sense to have that in place for CSA crime as well. A couple of the companies view putting measures in place to mitigate CSA crime in a business environment as similar to having an insurance.
“We take measures to prevent all crimes, and this is another step. We don’t want any types of crimes committed on company premises or with the help of company equipment. Downloading or viewing child sexual abuse material on the work computer is without a doubt a crime.”
Several of the interviewed companies draw the conclusion that if someone is prepared to commit a crime using their work computer, then they would probably be prepared to break other laws as well, if they haven’t already. Control measures to identify CSAM is therefore an opportunity to identify other criminal behaviour as well.
“Someone who exhibits this type of behaviour has probably progressed quite far into building that behaviour, and could have other problematic behaviours as well. This means a risk that the individuals engage in other inappropriate or illegal activities.”
“You don’t want people who are inclined to commit crimes in a company. If they don’t have a conscience when it comes to this issue, they probably don’t have a conscience when it comes to other issues either.”
Manage the problem
Several companies mention that putting control measures in place to make sure that IT equipment cannot be used to view or download CSAM, means that they have the capacity to manage the problem, and have control of the situation.
“This is a problem in IT environments and we’re not alone in recognising it. We have had incidents before without having the capacity to follow up and manage the situation.”