Internet makes it easier for employees to steal money or information


Thursday, December 8th, 2005

Companies face new hazards now that the Net makes it easier for employees to steal money or information, or commit sabotage

Gillian Shaw
Sun

Forensic computer expert Dave Iverson says employee use of computers and the Internet puts firms at risk if they’re not prepared. Photograph by : Ward Perrin, Vancouver Sun

Employees may also use a company computer to access illegal websites, including child pornography or discrimination sites, putting the employer at risk if its equipment and Internet access is being used for that activity. Also, the prospect of police descending on your business to confiscate computers for a forensic investigation into child porn could hardly be good for your company’s reputation.

Another problem is hacking — even an attempt made in fun to try out hacking tools found online can backfire on the company that owns the computer being used. Iverson tells of a local college that found itself the target of an investigation when a student launched a hack attack just as a lark.

Computers also make it easier for employees to disclose information, since it no longer has to be painstakingly copied on the office machine and hidden in a briefcase. All it takes is a quick e-mail to a browser account to deliver confidential information and trade secrets, or plugging in a keychain storage device to download crucial information and walking out the door with it.

When it comes to litigation, employees should be aware that company e-mails are fair game, so damaging comments made in such mail may come back to haunt the company.

And then there is monetary theft. Re-directing money is so much easier in the digital age. Iverson tells of cases where the salary of a long-departed employee continued to be paid through the company payroll, with the funds going into the account of an employee at the company. Iverson said such schemes often fall apart only when the thieving employee goes on holiday or gets sick and the person filling in discovers the fraud.

In worst-case scenarios, denial-of-service attacks can bring down entire online systems, putting a halt not only to companies that are engaged in e-commerce but seriously impeding business at any company that relies on network communications. Anything from large attachments to website downloads and other non-business-related functions, to a complete virus infection can slow and stall a company’s computer network.

Buchanan, who has represented both employees and employers in cases relating to computers and the Internet, said employees must also be wary of what can go wrong.

“From the point of view of employees, people should be very careful what they put in e-mail and one their computer,” he said. “It can certainly come back to bite you.”

Employers that don’t have a clearly defined policy that entitles them to look at everything in their computers must give employees notice of such a change, Buchanan said. He said companies should expect to give the same notice that would be required of any workplace change deemed to be to the detriment of employees.

“If you already have 150 employees and you have no policy, it is harder to announce, ‘Guess what, tomorrow we might start looking at your computer,’ ” he said. “What you do in those circumstances, is that you treat it like any material change that is to the detriment of the employees.”

So for example, if employees were entitled to six months termination notice, the same notice would be required before a company could expect to freely access information on their computers. In hiring, Buchanan said, employers could make such a requirement a condition of employment.

Employers and employees alike also shouldn’t think that they can easily make information on their computer systems disappear. Iverson said he has been called in to find information on a computer that has been reformatted by an employee before leaving, supposedly erasing any incriminating information. That’s not enough — short of taking a computer hard drive to pieces, such attempts to cover a trail will likely be unsuccessful.

One employee did manage to foil Iverson by putting strong password protection on encrypted files in his computer. Iverson, who was searching for a poison pen letter — a damning letter sent by an employee to a supplier or client to discredit a company — thought it was a lost cause.

“Then I came across a list of passwords in an Excel spreadsheet — the passwords were so complicated in nature that unless you had a fantastic memory, you could never remember them, so the person kept a whole file of passwords on the computer.”

CYBER ABUSE:

Computer misuse can take many forms. Forensic computer specialist Dave Iverson co-wrote with Keri Grenier, a member of the Clark Wilson labour and employment practice group, an alert warning companies to the dangers that could lurk around their employees’ computers, including:

– Time theft: The personal use of company e-mail and Internet access that can erode efficiency.

– Conflict of interest: Using company e-mail and Internet access for personal gain, such as running an online business, gambling online or simply searching for a new job.

– Harassment and defamation: Employees may harass or defame other employees or third parties in their e-mail. Even displaying inappropriate images on a computer screen that can be viewed by others could constitute harassment. With the employer’s name usually appearing on the e-mail, the recipient may look to the employer as the source of the e-mail.

– Violation of copyright and trademark laws: Employees who download information or files that may be protected by copyright and trademark laws could be putting their company at risk of being held liable for the offence.

– Violation of privacy laws: The Personal Information and Protection Act requires employers not to collect, use, or disclose personal information unless an individual’s consent is first obtained. That may put an employer at a disadvantage in investigating the computer use of an employee, who could argue that some of the information found is personal and out of bounds to the employer, even on a company computer.

© The Vancouver Sun 2005



Comments are closed.