According to Yogi Berra, “The future ain’t what it used to be.” The Internet has transformed our interactions with each other — individually and on a global scale.
Clearly the rewards associated with the use of Internet platforms are great, but so are the risks. For would-be whistleblowers, the Internet is a megaphone. For the disgruntled, it’s a soapbox. For thieves, it’s an opportunity. For hackers, it’s a challenge.
Defensive tactics may seem like the obvious response to prevent cyber-sabotage. However, a holistic approach that combines IT and security-related prevention techniques with other human resources practices has the greatest potential.
Unfortunately, there is a risk of misuse and abuse at every organization. Toronto-based forensic investigator Chris Mathers credits this to the 10-80-10 theory, which holds that 10 per cent of any population will always be dishonest, another 10 per cent will always be honest and the remaining 80 per cent will vacillate between honesty and dishonesty depending on the circumstances.
Intercepting ‘private’ communications
The Criminal Code of Canada prohibits the interception of private communications without judicial authorization. In Lethbridge College v. Lethbridge College Faculty Assn., the union argued the college’s search of an instructor’s laptop for emails from his Hotmail email account amounted to an interception of private communications and violated the code. The union also objected to the college’s reliance on the instructor’s personal emails on privacy grounds.
The arbitration board rejected both of the union’s arguments. The seizure and search of the instructor’s laptop computer was not a violation of the Criminal Code. In addition, the board found no violation of the instructor’s privacy rights.
The arbitration board applied a three-part test:
• Was it reasonable for the college to have conducted a search?
• Were there alternative, less-intrusive methods to acquire the information sought?
• Was the search carried out in a reasonable manner?
Seizing the contents of a hard drive
Likewise in R. v. Cole, the Ontario Court of Appeal determined school board officials acted within the scope of their functions when they detected child pornography on a teacher’s personal work computer and moved not only to terminate his employment but provided a disk containing the photographs to the police.
Of significance was the fact the school board owned the computers the teachers were given but gave them express permission to use them for personal use. Cole was seen to have had a reasonable expectation of privacy from “state intrusion” (such as police access). However, he had no such rights vis-a-vis his employer with respect to its access to his hard drive “for the limited purpose of maintaining the technical integrity of the school’s information network and the laptop.”
An ounce of prevention
Many researchers have tried to develop a psychological profile of the cyber-saboteur. In one of the more compelling studies, the United States Department of Defense analyzed 10 serious cases of data theft or destruction in industries of national importance, including banking, telecommunications, government and transportation. The 2005 study, Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders, focused on the identification of human factors that were at play, rather than any deficiencies in computer security systems. The researchers concluded external factors other than psychological makeup were a more reliable predictor of sabotage.
Work environment appears to contribute strongly to whether or not insider sabotage will occur. Times of change in the workplace can also lead to sabotage. These factors are interrelated with deficiencies in corporate communication.
Not surprisingly, there appears to be a strong correlation between personal stress, change in the workplace and an elevated risk of systems abuse. Furthermore, a worker who is prone to more intense reactions to everyday stressors is more likely to commit sabotage.
Policies that encourage up-the-ladder reporting and investigation of alleged corporate wrongdoing can reduce the risk of harm to an employer’s brand and reputation because they give management the opportunity to remediate an issue internally.
Anti-harassment and bullying
Establishing an anti-harassment and bullying policy may deter employees from using social media to harass management or other employees.
Social media policy
Prohibitions against the disclosure of confidential information, the importance of acting in a respectful manner towards others and posting accurate updates are important elements of a social media policy.
In Ten Tales of Betrayal, the researchers noted background checks, particularly in regard to past history of online misconduct and criminal behaviour, would have screened seven out of the 10 cyber-saboteurs.
While some studies have noted management intervention may not prevent cyber-sabotage, there is some support for the notion access to employee assistance programs (EAPs) will serve to defuse a stressful situation by providing practical, professional and confidential counselling and support.
Undoubtedly, healthy employee relations reduce the risk of sabotage. Policies that address workplace complaints are an effective tool for minimizing and resolving workplace conflict. Clearly established policies to address Internet usage, including social media, also serve to educate and to deter.
Likewise, Internet monitoring procedures that are alive to privacy concerns will be an effective means of securing internal systems. Finally, such policies may aid in the prosecution of those who engage in deliberate misconduct.
Melany Franklin is a partner at the Toronto office of law firm Borden Ladner Gervais, practising labour, employment and human rights law. She can be reached at firstname.lastname@example.org.