Operational risks arise from failure to manage employees’ use of Internet technologies adequately. Typical instances include: abuse of e-mail facilities through unauthorised use in the workplace; accessing and downloading inappropriate material from websites; failing to accept delegated responsibility for managing the organisation’s website; and inadequate delivery of the organisation’s electronic services. They are referred to as operational risks because they arise from some failure of the operational functions of the organisation, principally a failure to manage employees in a way that leads them to recognise and accept their responsibilities when using Internet technologies.
Operational risks arise from business practice. They concern employees’ professional and business practice and conduct in the ordinary course of their work and their use of Internet technologies. Some risks arise from activities of employees which might simply be resolved as an internal disciplinary matter but which equally might expose the organisation to civil or criminal liability. The previous section identified the key legal compliance risks of which organisations need to be aware.
It is important to remember that categories of cyber risk overlap and a risk can fall into more than one category. This applies particularly in respect of legal compliance risks, categorised as ‘Internet abuse’ in the previous section. While there are compliance issues for the organisation, and there may be proprietary technological solutions for their management, there are also operational risks arising from the conduct of the organisation’s employees. Internet technologies offer considerable opportunity for employees to act without supervision. It is this lack of supervision that creates the potential for employee misconduct.
There are various operational issues for organisations to consider; they are discussed under the following categories:
• employee use of e-mail;
• employee use of the Internet;
• website management;
• delivery of electronic services;
• miscellaneous risks.
There is considerable scope for employees to use e-mail for their personal convenience. It is impractical to supervise e-mail in the way that traditional correspondence can be monitored, and in the absence of supervision, there are endless opportunities for employees to abuse e-mail. There have been a number of highly publicised cases – some involving law firms – where the improper use of e-mail resulted in professional embarrassment.
This problem also extends to the use of e-mail for business purposes. Here, the risks arise less from e-mail abuse than from inappropriate behaviour resulting from a lack of management control. This absence of management can expose an organisation to risk in a number of ways. The inadvertent formation of online contracts, breaches of confidence through e-mail and the sending of spam e-mail have already been mentioned.
However, other risks are present. Instructions received by e-mail from a client can be dangerous if they are acted on by an unsupervised member of staff who is insufficiently skilled in providing the required services, or who fails to make the appropriate identity checks on the sender. Professional undertakings can be given by e-mail, binding the organisation to legal obligations. In law firms, other issues concern the use of e-mail for the issue, service and settlement of court proceedings. Lack of supervision and management in this area exposes a law firm to all manner of risks.
Security is another risk area. Employees can receive e-mail containing viruses, potentially exposing the organisation to liability for negligence if the infection spreads to others. Viruses can go undetected because employees fail to apply the organisation’s virus-checking procedures. E-mail containing highly confidential matters can be sent to clients and, through forgetfulness or laziness, employees may fail to follow the organisation’s security procedures when doing so.
E-mail notices can be a problem. To what extent should employees attach notices to e-mail? Should there be notices containing disclaimers warning against breach of copyright in respect of the content of the e-mail, warning of the possibilities of viruses, or reminding the recipient of the confidentiality of the e-mail and giving directions in the event of receipt by someone other than the person intended by the sender?
These are typical, but by no means exclusive, examples of the risks that can arise through employees using e-mail and the failure to implement adequate management and supervisory procedures.
Similar problems arise in respect of employees’ use of the Internet. Without the assistance of technology, it is impossible physically to check websites that are visited. While technology now enables the monitoring of websites visited by employees, this raises the issues of monitoring and surveillance mentioned earlier.
How is an organisation to ensure that employees do not abuse the Internet in business hours by visiting inappropriate websites and viewing, downloading and distributing unsuitable material in the workplace? Other issues arise from personal use of the Internet in business hours.
Some sites have discussion groups, presenting opportunities for employees to take part during business hours and to post comments that might embarrass the organisation in some way. The Web 2.0 social networking environment simply adds to the potential risks in this area. Employees have ample opportunity to browse websites and lose valuable time, as well as making online purchases for personal purposes.
Here, the risks arise from employees who deliberately abuse the facilities that the Internet offers. They do so if they are able to, and when there is no management or control mechanism to enforce appropriate behaviour.
Proper management of the organisation’s website is the responsibility of the Board and Partners, together with senior management, for its strategic success; and of personnel for its efficient operation and effective performance. Brochure sites present little operational risk of this kind because they generally contain static information of the sort that may be found in a traditional brochure.
However, websites offering advice and information present various opportunities for problems to arise. Many of these are discussed as legal compliance issues, and they show how cyber risks span the three categories. For instance, website content must be accurate and up to date, and advertisements must conform to regulations and codes. Employees must be aware of their responsibilities in this area. The organisation may choose to post disclaimers in respect of certain information on the site, or with regard to links to other sites. It is the responsibility of employees to ensure these disclaimers are accurate and relate to those sections of the website for which the organisation wishes to avoid exposing itself to liability.
In posting material on a website, employees must be aware of copyright issues and ensure that copyright notices are posted to protect information and advice that the organisation values. On the other hand, if, as a marketing strategy, the organisation is content for certain material to be copied, employees charged with managing the site should ensure that a notice to that effect appears on the site.
If the site collects personal data from visitors, there should be a notice on the website explaining how the data is to be used. In the same way as for other website notices, employees should understand their responsibilities and the criminal and civil risks to the organisation if these notices are not properly posted and updated to reflect the organisation’s electronic services.
The risks to an organisation’s website will lie in failure to comply with legal requirements, and also in the attitude and behaviour of employees charged with its management. They, therefore, become operational issues for the organisation.
The risks arising from the delivery of electronic services are similar to those arising from use of the organisation’s website, but involve additional concerns because as well as providing advice and information, the organisation is undertaking certain activities.
Risks surrounding the formation of online contracts were discussed earlier. Concerns also arise where the organisation provides services with the support of a site to which it is linked. An example might be that of a financial services provider linked to the website of a lender, investment company or broker. Employees must understand how and to what extent liability might arise in connection with advice and information from linked sites.
Most organisations offering electronic services introduce systems for electronic payment. The technology issues to which payment systems give rise were discussed earlier. There are also operational issues. Employees involved in their use and responsible for their management must understand the implications. The system must be secure, with checking procedures to prevent fraudulent use.
These operational features require monitoring, so that as the organisation develops its service provision, the risks that arise are controlled and managed. This involves supervising and managing personnel associated with the activities and, therefore, becomes an operational issue.
The potential range of operational risk is significant because it arises from the conduct of employees and other personnel, such as independent contractors. This is often unpredictable – what may be an operational risk for one organisation may be irrelevant to another.
In addition to the categories above, particular risks arise from the behaviour of employees in a number of areas:
• Phishing and social engineering: employees may take the risk of responding to inappropriate e-mail, resulting in breaches of confidentiality or infiltration of malware.
• Instant messaging and VoIP communications: carelessness can result in the infiltration of malware.
• Passwords: carelessness can result in unauthorised individuals gaining access to corporate systems and networks.
• Negligent management of data: careless handling of data can result in breaches of confidential information, loss of data, reputational damage, and civil or criminal proceedings.
• Negligent management of mobile technologies: loss of mobile devices, such as a Blackberry, mobile phone or laptop computer, can result in breaches of confidential information, loss of data, reputational damage, and civil or even criminal proceedings.
• Negligent management of storage devices: loss of CD-ROMs or USB drives can result in breaches of confidential information, loss of data, reputational damage, and civil or even criminal proceedings.
• Illegal file-sharing: involving evasion of payment for copyright material, downloaded and distributed without permission, may result in legal proceedings.
The wide-ranging categories of Internet risk pose significant risk management problems. Frameworks for managing these risks are discussed in Part 2.