No matter whether a security breach is due to an industrial spy, a clever hacker, or, more likely, a hostile or careless employee, in seconds intellectual property and confidential records can be pilfered, communications severed, and data corrupted—leaving your company exposed to legal and financial liabilities from which it might never recover.
To avoid that predicament, Sanford Sherizen, president of Data Security Systems and an expert on electronic information protection and computer crime prevention, suggests that CIOs sit down with internal information security staff to determine whether the company has adequate information protection in place.
“The dialogue has to take place at the C-level,” explained Sherizen. “I find that a lot of senior managers are quite concerned about [information] security, but they don’t know how much is necessary or appropriate before the company can feel safe.”
Ask these five questions to find out how well your company’s information is protected, and follow the tips to ensure that security efforts stay on track.
1. What is being done to protect confidential information from deliberate or inadvertent electronic dissemination?
You need to know what security measures are in place to control the electronic dissemination of company confidential information. This includes everything from customer records and intellectual property to shareholder information, financial documents, and business plans.
With a mobile workforce and tight integration with business partner operations, remote access to a company’s systems is now commonplace. One good security component, according to Sherizen, is security information awareness training. Determine what, if any, security employee training and programs have been established. The best training approach, according to Sherizen, is one that relates corporate security to home security so that employees can easily understand the corporate issues.
“If your employees work outside of the office at night or weekends,” said Sherizen, “do you know if your company has established adequate information security rules that must be followed in their homes? If the answer is no, your company may be open to viruses and information leaks.”
Even major companies like Raytheon, a military equipment contractor based in Massachusetts that likely has a strong internal security program, haven’t been immune. An article in the September/October 2000 issue of Group Computing reported that Raytheon sued 21 people for revealing trade secrets in Internet chat rooms. Most were employees at the time of the indiscretion.
One technology available to address IM security is messaging filters. Filters can be applied by a corporate set of rules and by lexical analysis of key words and phrases. As the CIO, you must know what’s been done—or not done—via both technology and policies.
2. What, if any, anti-spam measures are in place?
Know what safeguards are being put in place to ensure network uptime and responsive e-mail delivery to employees, customers, and business partners.
If your company engages in service-level agreements that are based on the timely flow of communication, failing to meet contractual obligations often carries stiff penalties. The long-term ramifications of network degradation could be termination of the service contract and loss of future business. Spam can obviously impact SLAs and network flow.
Here too, employee education is key. Management must articulate policies regarding spam and internal junk mail. Senders, recipients, and administrators need to understand the havoc that frivolous messages can wreak on vital network performance—and the long-term repercussions of subpar response times.
For example, Bill Fallon, vice president of EasyLink Services, which operates an outsourced e-mail security service called Mailwatch, suggests that companies examine e-mail security systems for protection against oversized electronic greeting cards, which are capable of shutting down an e-mail system.
Hoaxes and online social demonstrations (“send an e-mail to protest X”) are another area of concern, points out Graham Cluley, senior technology consultant for Sophos, which specializes in antivirus protection. PC users tend to send them to all their contacts in the mistaken belief that they are doing good.
“In reality,” said Cluley, “these actions waste bandwidth, clog up e-mail servers, and spread disinformation.” He recommends that firms instruct employees to send all such e-mails to a single, nominated IT support person who will be responsible for checking out whether the threat is real instead of sending the e-mail to everyone.
Proactive identification of spam is critical. IT systems need to be able to detect and block known spam sites and internal junk mail before it replicates and clogs the network. Information security staff must aggressively search out offending sites on a regular basis to keep the list current. Another preventative measure is to automatically block certain file attachments by size, type, structure, user, or domain. CIOs need to ask what’s being done, what’s not, and why.
3. Do we have an archive of critical electronic messages?
An archive of corroborating documentation is essential today for legal compliance and litigation reasons. You must know if the IT system maintains an audit trail of incoming, outgoing, and internal electronic correspondences. Lawsuits can tarnish a business’ reputation—long-term, this could affect investor relations and erode stock value or undermine strategic business alliances. A negative image could even harm your company’s ability to recruit top-notch employees, derailing future growth. In heavily regulated industries like finance and healthcare, failure to provide extensive documentation on demand can result in extremely stiff fines and potential jail time.
Archiving business e-mails to a database is one part of the solution. Recording and storing specific incoming, outgoing, and internal e-mails by user, group, or domain makes it easy to retrieve and review corroborating documents when needed.
“If a computer crime was found in your company, is it possible to absolutely prove to the court, media, and stockholders who committed the crime?” noted Sherizen. If the answer is no, your information security experts need to beef up your user identification and authentication methods as well. Sherizen suggests there are a number of biometric authentication tools (fingerprint and/or iris scan, voice recognition, etc.) and authorization control technology packages that are worth investigating.
4. What’s in place to stop malicious attacks?
Just because an attack hasn’t happened yet doesn’t mean it won’t. You need to know if, and what, steps are being taken to prevent viruses from contaminating or destroying your company’s electronic data, whether initiated from external, internal, or remote sources.
Sherizen said, “IT security people need to keep abreast of what’s happening in information security in their industry. Look at the kinds of attacks that have occurred, and learn about the kinds of approaches being implemented to prevent or detect security breaches.”
Also, IT security staff should be conducting ongoing evaluation of the latest e-information security techniques and tools, weighing the cost of implementing various strategies against corporate objectives.
On the most basic level, any IT system must be able to detect and block viruses. A number of tools on the market today can countermand intrusions by name pattern, file type, structure, or fingerprint.
“Management may have to make some strategic tradeoff decisions as to what’s appropriate and what’s not,” said Sherizen. Limiting access to certain information may reduce the risk of security breaches. On the other hand, instituting restrictive roadblocks to sensitive information may hamper your company’s agility to pursue unexpected business opportunities.
5. What is in place to limit legal culpability relating to e-mail?
You must take steps to contain your company’s liability for the content of any communication originating from your messaging systems. Any instance of e-mail abuse over the corporate network, such as messages that may be construed as sexual harassment, for example, leaves your company wide open to charges.
In July of 2000, Dow Chemical fired 50 workers and disciplined another 200 for distributing, downloading, or saving pictures that were either pornographic or violent. The employees were found to have violated the company’s harassment-free work environment policy. The repercussions from that event and subsequent disciplining were wide ranging. Besides the expense of terminating staff, and recruiting and training replacements, the company had to contend with poor morale, loss in productivity from the 200 workers, unpaid suspensions, and probations.
While many companies have corporate policies in place on “appropriate” Internet and e-mail use, this might not be sufficient to limit your company’s liability. You also need a systematic approach to screening e-mail content to ensure compliance with corporate ethics.
Staying ahead of the security curve
Amy Kessler, vice president and general manager of GROUP Technologies, a developer of security software, offers five tips on ways CIOs can shore up security:
- Build awareness. Make sure every employee and partner with access to systems understands policies about e-mail, data access, passwords, software installation, and Internet use.
- Survey and evaluate. Conduct a comprehensive survey of your data and determine what’s most important to protect and what’s not. Then evaluate what tools and applications are best for the job.
- Use the right tools. A firewall and antivirus software aren’t enough. For instance, some software can block certain types of data from being e-mailed. Other software can filter e-mail according to specific criteria.
- Aggressively test the network. Once you’ve put your tools in place, rigorously test your network inside and out. Use your own internal team or hire professional hackers to try and crack your system. Then keep testing your network regularly and plug any holes that surface.
And maybe most importantly, experts say it’s critical that CIOs don’t become complacent about security. It’s easy to develop and install safeguards and then forget about them—especially if nothing bad happens. Complacency leads to security lapses as updates lag and new holes go uncovered. If you haven’t had a breach in a long time, it’s easy to think that you’re safe forever. And if you believe that, it’s probably only a matter of time before you find yourself in deep trouble.