Protection of IT environments to prevent downloading, consumption or sharing of child sexual abuse material (CSAM), is driven by, and heavily focused on, risk. Risks to the IT environment, but also the risk that individuals who partake in this crime pose to the organisation. The latter is further detailed in the section on compliance and risk.

For some organisations, security risks weigh heavily on decisions to protect IT environments from CSAM, for others it is an added bonus, for a few it has not been one of the arguments considered. Notably, organisations from industries that are usually more exposed to IT security threats, as well as other security threats, place more emphasis on this issue.

“We work in an industry which is very exposed to security threats. If we have individuals that engage in this type of behaviour in our company, then we have a security risk.”

Risky environments

When individuals use IT equipment to download, view or share CSAM, it often exposes devices, and the IT environment, to different types of IT security threats, such as malware, trojans and different types of viruses. It can also leave traces that could lead back to the company.

“Security was low on the agenda when we decided to protect our
IT environment. It was an ethical decision. However, we discovered that when this type of material is handled, it is often also a way in for malware and different types of viruses. It’s an added bonus that this type of security threat can also be mitigated.”

Another of the interviewed companies highlights that CSAM is often handled on the darknet, which is a space that hosts a lot of other harmful material that individuals might download. This creates a considerable risk for collateral damage.

Layers of protection

The companies state that they need a secure IT environment. They also need to be assured that the IT equipment that they own and provide to employees is not used for illegal purposes. This is why organisations have a range of measures in place, such as firewalls, virus protection, and other limitations. A computer agent that protects against CSAM adds an extra layer of protection.

“Every limitation of IT security risk is important, and this is a good complement and layer inside of the perimeter protection.”

“For the IT department this can be seen as any type of virus programme that a company should have installed. It should be a hygiene factor to have installed, just as programmes that are installed to prevent virus attacks or computers being hacked.”

One of the companies highlights that commonly used security protections don’t work in the same way when people work remotely, and that firewalls only stop traffic to known websites:

“The agent is always on and always protects the computer, even when it is taken outside of our network.”

Risk of blackmail

Another issue, which a few of the companies mention, is the risk of blackmail, and the fact that it is becoming an increasingly pertinent issue. If someone is found to be handling CSAM, and traced back to the company, they could easily be exposed to blackmail and pose a very real risk to the company.

Accidental exposure

A couple of the interviewed companies also identified a risk that their employees, in particular IT personnel, may accidentally be exposed to CSAM. By making sure that CSAM is identified and flagged in a controlled manner, this can be avoided.

Comment to insight 7, 8 & 9

More results from the NetClean Report 2020