Strong security controls are an important element of Royal London's IT strategy. This principle is communicated to all staff from the moment they join, through to their everyday work, when they receive a reminder every time they log on to Royal London's systems.

This has helped to create an environment of trust between Royal London and its employees, and which has led to the establishment of sensible rules relating to the personal use of e-mail and the Internet.

Nevertheless, there is always room for further improvement, and this has led to Royal London's decision to install 3ami's Monitoring and Audit System (MAS). Nick Harwood, Group IT Security Manager, said:

"Let's be clear: although the system will let us, we do not sit and secretly watch what people are doing day-to-day, but we do consider it our responsibility to be able to check, if we need to, how our IT is being used. MAS is a non-intrusive system that complements existing security and enables us, in the case of a well-grounded allegation, to see what the reality was."

The real advantages of the system are in its application in monitoring actions undertaken by each PC and storing these so that its database can be interrogated either on a daily basis or over a longer period of time.

MAS also acts as an effective deterrent against breaches of UK law such as:

• Theft of data files, including by emailing to a third party; by copying, printing or deleting; and by saving to CD, floppy disk, USB memory stick or flash card
• Uploading/downloading of confidential files, pornography or other illegal images
• Use of racist, libellous, sexist, discriminatory, bullying or abusive language in emails or other documents
• Theft by copying applications for personal use

"If MAS deters someone from doing something foolish because they might be caught, we'd accept that as a bonus benefit," continued Harwood. "Like many companies, we already have other security solutions in place to prevent some types of misconduct - access to certain types of web site, for example - but there are sometimes ways around those. MAS won't stop it, but it means we can find out later."

The result is a system that, whilst not actually preventing acts of misconduct, does offer an efficient means for organisations to respond. Investigations can produce results in a few mouse clicks, rather than the average of 2-3 man-days. This, when coupled with the clear communication of an organisation's security policy, provides strong controls against computer and systems misuse; and where such misuse does occur, provides clear and accurate evidence.

Employers may be concerned about the potential negative reaction from some staff to this sort of monitoring system. Royal London has addressed this by including its Staff Consultative Committee in discussions ahead of deployment and by communicating with all employees that the company reserves the right to monitor activity. Not least of the reasons is that NOP research, from 2003, for the National Hi-Tech Crime Unit suggested that more than 80% of medium and large companies experienced high-tech crime.

Tim Ellsmore, Managing Director of 3ami, said: "Firewalls and virus protection will only get a company so far – about halfway there, according to the research. Now companies can prove what actually happened. Knowing that, if you're caught, there's a large body of evidence on a hard drive somewhere to prove a case, has got to be a strong deterrent to wrongdoing."