Child pornography is hidden on virtually every large corporate network, according to security experts.
While it’s common to hear stories of workers being fired for downloading pornographic images onto their systems, and it’s even more common to hear people complain of pornographic spam, industry watchers say the problem goes even further. Child pornography — explicit images and text dealing with underage children — can be easily found on nearly every large network, be it corporate, academic or government.
“If you’ve got a big company system, I can almost guarantee that you have child pornography on it,” says Kenneth Citarella, deputy chief of investigations with the Westchester County District Attorney’s Office. “It’s there somewhere.”
And analysts and law enforcement say it’s not simply a case of someone accidentally opening an offensive spam message.
“We’re not talking about that one click to open and then ‘Oh, my God’ and delete,” says William Eyres, chief executive officer of the Joint Council on Information Age Crime. “That’s not the problem. It’s a different level. Someone downloading thousands of pictures is a different story.”
Edward Appel, chief operating officer of the Joint Council, agrees with his colleague, adding that there’s ‘almost a 100%’ probability of finding child porn on corporate networks.
“They think if nobody is standing over their shoulder, it’s a private act,” says Appel, who notes that it’s found both on hard drives and shared storage. “They think they can get away with it but it’s discoverable. The evidence is easily found.”
And the person downloading it onto the network might not even work in that company, according to Charles Kolodgy, a research manager with industry analyst firm IDC.
“It might not even be because someone in your company is doing it,” says Kolodgy. “Someone outside could have found a way in and now they have all that storage space.”
No matter how it gets there, having child pornography on a corporate network causes a litany of legal issues — from creating a hostile work environment to criminal liability.
Security and law enforcement experts have differing opinions on whether or not a company is held liable for illegal content sitting on its network. Some say if company executives don’t know it’s there, they’re not responsible for it. Others disagree. Most say IT managers need to go looking for it. And all of them agree that once it’s found, it needs to be reported to police.
“Do not delete and forget it,” says Citarella from the DA’s office. “There may be a real child at risk. You ignoring it may allow him to continue abusing… and then your company may face catastrophic liability. You won’t write a check to that child’s parents. You’ll give them a deed to corporate headquarters.”
IDC’s Kolodgy says IT administrators need to check their systems for illegal content regularly, both to have control over their networks and to eliminate and report illegal activity. Kolodgy notes that a lot of administrators check for and wipe out MP3 files when they’re doing backups. They also should be checking for any anomalies, such as the passing of data files outside the network, that would hint that something is going on that shouldn’t be.
All the analysts agree that the best way to head the problem off is to create a policy that restricts corporate Internet usage for anything but strictly business purposes. Users should have no expectations of privacy when using company equipment and services.
Appel of the Joint Council on Information Age Crime says IT administrators need not only to create the policy but also to make sure that every employee knows about it and agrees to it. He suggests giving workers periodic reminders, and he also recommends having a pop-up window that appears when a computer is booted up. The window will show the corporate policy, and by clicking on it, employees acknowledge it and agree to it.