By Mr Steve Leitch
Attention to information security is essential for all businesses, says Steve Leitch, Operations and Financial Director at information security management company Urbanna. But having adequate employment policies in place is just as important for security as technological shields, he says.
Many organizations find themselves compromised because they have paid insufficient attention to securing the information in their business. It is not just electronic information, at risk from hackers, industrial espionage and criminals, that they should be worrying about, but also the information held by the firm's own people in various forms.
Just over half those responding to a recent Oracle/Institute of Directors-sponsored survey on security said that internal security breaches were a bigger threat to business than those originating from outside their companies.
Businesses need to be constantly vigilant against the risk posed by rogue or badly trained staff, poorly drafted and monitored procedures, and inadequately secured technology. And they should not assume that problems will only originate from the lowliest employees. The more senior the employee, the more scope there is likely to be to cause damage and, often, the less monitoring there is.
Many businesses do not take the time to adhere to best practices in dealing with the people in their organization, including letting them know in no uncertain terms where they stand on use of information.
For a start, they need to initiate proper employment policies which include ensuring the correct background checks have been made and references followed up before prospective employees are hired. And they must be sure to follow correct dismissal and redundancy procedures should that eventuality arise.
Any failure to adhere to relevant legislation (and all of us know the rate of change in employment law) can result in litigation and the awarding of costs against the company. It can also result in disgruntled staff.
It is a management responsibility to ensure that employees know about acceptable use policies for shared resources such as email, Internet access and technology.
It is imperative that each is made aware of what access to confidential information he or she has and how that information must be used.
If and when an employee moves on for one reason or another, you will want to be sure he or she has not previously copied your company database to another computer or passed it on to the new employer.
There are a number of areas to which companies invariably do not pay enough attention. Common problems can include staff exploiting loopholes in business processes and fraud (unfortunately still the most common). In a recently discovered fraud an employee of Olsman Mueller & James, a Michigan law firm, was duped by the now famous Nigerian '419 fraud' - so named because of the relevant section of the Nigerian penal code. This scam promises untold fortunes for help in moving funds from Nigeria to the recipient. The employee fell for the scam but used funds from her employer. This coupled with lax security by the bank which approved all of the wire transfers, even though the employee was not authorized to conduct such transfers, meant OM&J were down $2.1m and also reaped a deluge of bad publicity.
Recent high-profile cases have shown that even the world's biggest companies can be among the worst affected - witness Enron, Tyco, WorldCom and their ilk. Fraud can cause serious financial loss, lowered staff morale, adverse publicity and disruption; in short, it can be ruinous to any business.
Steps that can help guard against fraud include:
- defining staff responsibilities, which should include a duty to prevent fraud within the firm;
- avoiding having 'indispensable' staff - unfortunately these sorts of people can be a liability as well as an asset;
- having a clear company policy concerning fraud, ensuring suppliers and staff know what it is, and sticking to it; and
- maintaining tight control over accounting systems.
Computer networks and the software they run play a vital role in business today. But as software becomes more and more complex, so more bugs appear.
Most applications in everyday use need regular patches - usually obtained via the Internet - and a machine that is not kept patched remains exposed to the very bugs those patches fix.
Meanwhile, the proliferation of new technologies such as wireless LAN, which works immediately out of the box, poses new opportunities for those who would breach security: equipment that works without any configuration has usually not been secured either.
Email also poses a potential threat, especially if misused. What staff say in their emails can bind the business to commitments it had no intention of making. More seriously the provisions contained in the Regulation of Investigatory Powers Act 2000 (RIPA), mean that emails can be viewed by police authorities.
Those involved in email marketing will be affected by the EU's Privacy and Electronic Communications Directive, which is due to be enacted in Autumn 2003. It will have enormous impact since it will require that before unsolicited emails are sent to an individual permission of the intended recipient must first be sought.
Other Internet links also pose security risks. Consider the fact that businesses using the Internet are connected to a public network where not everyone will play fair. Insecure machines will be seen as a target and will be attacked.
And again the threat is that much worse if staff are not properly trained and required to follow safe procedures: by not giving away passwords, for example, by not downloading and installing programs from the Internet, by not opening suspect emails, and by not sending inappropriate messages.
Minimizing information security risks takes work and careful organization. There are a number of do's and don'ts:
- do take advice prior to planning the firm's security - remember, an ounce of pre-planning is worth a ton of problems later;
- do create a written security policy, compliant with relevant legislation;
- do ensure you comply with all current legislation and generally recognized accounting principles;
- do seek independent advice about the security of any new technology introduced to the business;
- do put anti-virus software, firewalls and appropriate email monitoring in place;
- do require every user to log on to your network with an individual account, so as to provide an audit trail;
- do ensure regular and comprehensive backups along with regular reviews of your network security;
- do have a recovery plan should any disaster strike your system; but
- do not put temptation in the way of your staff by maintaining poor procedures.
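The audit trail that individual logons provide is only useful if someone actually reads it. The following is an added example, not code from the article or from Urbanna, of the kind of review a small firm could run over its access logs: it flags activity under shared or generic accounts (which cannot be tied to one person), activity by leavers whose accounts should have been disabled on their last day, and bulk exports of a database of the sort a departing employee might take to a new employer. The log format, account names, leaver list and row threshold are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, date
from typing import Dict, List, Optional

# Constructed sample access log for this example (not data from the article).
# One event per line:
#   "<ISO timestamp> user=<account> host=<machine> action=<verb> target=<object> [rows=<n>]"
SAMPLE_LOG = "\n".join([
    "2003-06-02T09:01:12 user=jsmith host=WS14 action=logon target=domain",
    "2003-06-02T09:05:40 user=jsmith host=FS01 action=read target=//FS01/clients/list.xls",
    "2003-06-02T17:30:05 user=admin host=DB01 action=export target=CustomerDB rows=48000",
    "2003-06-03T08:15:00 user=pbrown host=WS22 action=logon target=domain",
    "2003-06-03T08:20:31 user=pbrown host=DB01 action=export target=CustomerDB rows=52000",
    "2003-06-03T12:00:00 user=reception host=WS03 action=read target=//FS01/hr/salaries.xls",
])

# Generic or shared accounts (assumed names). An event under one of these cannot be
# attributed to a single person, so the audit trail stops there.
SHARED_ACCOUNTS = {"admin", "administrator", "reception", "guest", "temp"}

# Leaver list from HR (assumed): account -> last working day. Activity after that date
# means the account was not disabled when the person left.
LEAVERS: Dict[str, date] = {"pbrown": date(2003, 5, 30)}

# Exports of at least this many rows are treated as a bulk copy (assumed threshold).
BULK_EXPORT_ROWS = 10000

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<kv>.+)$")


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    target: str
    rows: int = 0


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for blank or malformed lines instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    try:
        return Event(
            ts=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            user=fields["user"].lower(),
            host=fields["host"],
            action=fields["action"],
            target=fields["target"],
            rows=int(fields.get("rows", 0)),
        )
    except (KeyError, ValueError):
        return None


def parse_log(text: str) -> List[Event]:
    """Parse a whole log, silently skipping lines that do not match the expected format."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def review(events: List[Event],
           shared=SHARED_ACCOUNTS,
           leavers=LEAVERS,
           bulk_rows=BULK_EXPORT_ROWS) -> List[Dict[str, str]]:
    """Return one finding per problem seen: shared-account use, leaver still active, bulk export.
    A single event can produce more than one finding."""
    findings = []
    for ev in events:
        base = {"user": ev.user, "ts": ev.ts.isoformat(), "target": ev.target}
        if ev.user in shared:
            findings.append({"reason": "shared-account", **base})
        last_day = leavers.get(ev.user)
        if last_day is not None and ev.ts.date() > last_day:
            findings.append({"reason": "leaver-active", **base})
        if ev.action == "export" and ev.rows >= bulk_rows:
            findings.append({"reason": "bulk-export", **base})
    return findings


def count_by_reason(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarise findings by reason, for a quick management report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["reason"]] = counts.get(f["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['reason']:15} user={f['user']} target={f['target']}")
```

Run against the constructed log, the review reports nothing for jsmith, whose actions are attributable to one named person, but flags the two shared-account events, both of pbrown's post-departure events, and the two large exports. The point is that none of these checks is possible unless every person logs on under their own account and HR tells IT when someone leaves; the script only makes visible what the policies in the list above are meant to guarantee.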
Remember, it was hard to get your business to the stage it is now and, in the click of a mouse, it could so easily be given away.