Getting your own house in order: child sexual abuse material the missing link for financial services security

CSAM is a crime against the most vulnerable in our society. It is content that evidences the sexual abuse of children. It is a problem that policymakers and non-governmental organisations are trying to tackle through regulation. A crucial missing link in these collective efforts, however, is CSAM's presence within business environments — and for the financial services industry, the stakes are higher than ever.

Digital footprint

The way in which CSAM's digital footprint is growing increasingly puts firms and institutions within the sector under threat of blackmail, ransomware, malware, viruses and serious reputational damage.

2023 data from Eurostat, Statista and HR solutions business Remote revealed that 65% of the Dutch working population worked at least partially remotely in 2022, as did 54% of those in Luxembourg and 54% of those in Sweden. In February 2023, the UK Office for National Statistics (ONS) found that 44% of workers opted for total home or hybrid working, with 80% of the highest-income earners opting to work from home. Some version of remote working is here to stay in the financial services sector. This has, however, unearthed dangerous new avenues for illegal activity.

Even before the pandemic, research found that one in every 500 people had used a work computer to store or distribute CSAM. The problem is on the rise: a combination of mass remote working and access to the dark web have significantly increased the ability to share CSAM.

Challenging picture

The European Union Agency for Law Enforcement Cooperation (Europol) produced a special report in 2020 exploring the pandemic's impact on CSAM. It found higher volumes of new posts in online forums dedicated to child sexual exploitation and a sharp rise in attempts to access CSAM since lockdowns began. That represents a risk to the businesses whose employees are viewing such material.

In January 2023, the author's firm NetClean conducted the second chapter of its unique research into the corporate security landscape, and uncovered a deeply challenging picture: most businesses are battling the risk of CSAM, its prevalence is routinely underplayed, and anti-CSAM initiatives are not covered by existing security solutions. Seventy percent of senior IT professionals say that the rise in pandemic-induced remote working has heightened the risk of the spread of CSAM, but more than half (54%) say that their organisation responds to CSAM threats too late.

Some 79% of all IT professionals reported having personally heard of other firms who have had CSAM brought into their organisations; 57% of senior IT professionals agreed that the more they increased protection through technology, the more problematic internal threats became.

Echoing this, the Internet Watch Foundation's own research in January 2023 reported a staggering 1,058% increase in the number of webpages showing sexual abuse images and videos of children who had been recorded specifically via an internet-connected device. There are higher volumes of CSAM in circulation, and therefore higher volumes that can be accessed by employees, or used as blackmail against them.

Legal, practical and reputational consequences

The consequences for the financial services sector cannot be understated — legally, practically and reputationally. This is an industry that is well-accustomed to regulation to prevent people from engaging in risky behaviour, but in the case of CSAM, and employees accessing and sharing it, there is no regulation, despite this being the definition of risky behaviour.

Something this author hears about all too often through their work at NetClean is CSAM being used to blackmail employees, or CSAM contracting malware, thereby causing an unhealthy IT environment for the business. In the context of a financial services firm or institution, the repercussions of blackmail being successfully carried out against it or even operating in an unhealthy IT environment are wide-ranging and incredibly difficult to reverse.

Equally long-lasting is the erosion of trust when it comes to financial services. Any organisation that is entrusted with individuals' or businesses' money needs to build and maintain a strong brand, rooted in trust. Once it is on record that an organisation's employees have been viewing CSAM, or been targeted by malicious code or blackmail based on CSAM, that sticks — and where trust is lost, so is business.

Legal costs for failing to take accountability for CSAM incidents in the workplace can be eye-watering. It was unsurprising to find that 42% of IT professionals are concerned about CSAM being present on their own systems and that, specifically, C-suite executives' concern about the impact of employees viewing CSAM has quadrupled in the past two years.

How firms can tackle CSAM

This all paints an unsettling picture for the industry and its leaders, who must put in place procedures to tackle CSAM. The appropriate approach for the financial services sector is guided by its philosophy that taking care of your own house is equally as important as taking care of your customers. For example, banks have a strong track record of tackling CSAM externally by tracing card payments, blocking customers from paying for CSAM with their bank cards. A similar level of commitment and vigilance internally would pay dividends.

The author would encourage all businesses in the sector to investigate what can be done within their own systems. Education is critical: it is known from 2018 research that one in 500 work computers has CSAM on it, but 71% of IT professionals to whom the author's firm spoke underestimated this statistic. Nearly two-thirds (64%) still believe that employees viewing CSAM poses a small or nonexistent threat to their company.

It is also worth taking a hard look at where the firm's vulnerabilities may lie. They can even be in closed environments that many assume have a low risk profile. Even if USB ports are closed, or communications channels are monitored, CSAM can still enter by other means, especially with loopholes from remote working. Security solutions therefore need to be reviewed to ensure that CSAM risks are covered. When it comes to getting buy-in for stepping up action and installing further protections, it is important to highlight that it is the right thing to do, but leaders should also emphasise that it protects the company brand and shareholder value.

Double positive

Ultimately, taking greater action to tackle CSAM within the financial services sector is a double positive: protecting businesses from harm, and eliminating pathways through which CSAM is shared. NetClean research found a rise in both the material business risk of CSAM incidents, and in the volume of C-suite executives who are concerned about it.

Meeting the business responsibility in this area should be a priority for leaders and firms across the sector and there are many ways in which they can do it. Firms should start with mass education, lead by example and ensure the security they have in place covers every risk possible.

Anna Borgström, CEO of NetClean.