You've got a solid firewall and good physical security, but there’s something you can't protect against with mere alarms and guards. What is it? A very unpleasant visit from the police!
You’re law abiding, so you don’t need to worry. Right? Think again.
“We have a warrant!”
What do you do if federal marshals show up with a warrant and announce they are going to be spending some quality time with your computers?
About all you can do is phone your attorney, submit graciously to their demands, and hope they do no significant damage to your important files. No matter what you do, this is going to disrupt your business and cost you money.
Unfortunately, it may turn out that you’ve forgotten to keep track of the software you use every day. Specifically, you may have forgotten to count copies of installed software and compare the total to your license count.
Remember when you bought all those new computers to avoid Y2K problems and installed your existing office suites, accounting programs, and business graphics tools on them? Rather than discard the older systems you replaced, you very sensibly passed them down the food chain to lower-level workers.
But you may have left all your software on the old computers, so now there are 25 (or 2,500) copies of each program in your company computers and only 10 (or 1,000) licenses.
Or maybe you’ve got dozens of WinZip programs you haven’t registered yet, but they have been used on your network for six months.
This was an innocent mistake. Other scenarios, such as leaving software installation to individuals or even a specific person if he or she isn't fully aware of potential problems, can also lead to massive license violations.
But that's not all. Having all those loose copies of software around also means you have little control over what programs are on your systems. That makes it even harder to manage security holes or bugs because you don't know what programs to track.
Think it can't happen to you?
Imagine this conversation:
Installer: "I've got the new Office suite here."
Tech-savvy user: "Hey, I hear there's a great new graphics program being installed in the art department; can you slip a copy onto my PC? I occasionally contribute ideas for the company brochure."
Installer: "Sure, got it right here; it'll only take a couple minutes longer."
Unfortunately, this and similar scenes are played out daily. And although it never occurs to either party, these are all violations of federal copyright laws—violations taken very seriously by the software police. If you're lucky, you've never run afoul of them. I know a lot of business people who haven't even heard of the software police.
Or perhaps you think they mostly work to stop Russian or Chinese companies from pirating programs. But the Business Software Alliance , combining anti-piracy efforts of Adobe, Apple, Attachmate, Autodesk, Bentley Systems, Corel Corporation, Lotus Development, Macromedia, Microsoft, Network Associates, Novell, Symantec, and Visio, are very interested in just what software you have on your PCs.
In fact, they are interested to the tune of $44 million, which is the settlement amount they have collected from U.S. companies in just the past six years.
In October, a Grand Rapids, MI, hospital paid $250,000 for unlicensed software found on its computers. In November, a Columbus, OH, mortgage company discovered that although it paid more than $300,000 for software licenses, it was using more copies than authorized—$33,000-worth, in fact. The company has now paid for the copies, but it was also hit with a $139,000 bill to settle claims from the BSA.
There are many more cases, and a lot of them involve criminal prosecution for software piracy where people knowingly copied software and sold it illegally. But what should concern you, the honest businessperson, are cases like the hospital and the mortgage agency, neither one of which set out to steal anything. Their software deployments just got ahead of their management practices.
The BSA isn't out to steal your company secrets. It’s not even out to intentionally disrupt your operations. Whether you get a visit from the feds, or just a polite request to run a software audit and pay up for any illegal program copies you possess, getting caught with the wrong number of licenses can ruin your day every bit as much as catching a macro virus or having a hacker alter your Web site.
Fines add to the license costs for program copies you may not even know you have installed. The legal hassle that ensues can result in a real hit to the bottom line many times more than it would have cost to just pay for enough licenses in the first place or keep a proper inventory.
Still not convinced?
If you think this doesn't apply to you, then you should look at the results of a September survey conducted by Yankelovich Partners for the Business Software Alliance. The vast majority of companies reported they had software management programs in place, and 90 percent said these were effective.
Nevertheless, 40 percent reported people were bringing software from home, 24 percent said employees were downloading unauthorized copies from the Internet, and 24 percent acknowledged that employees were sharing otherwise-legal programs with each other.
And think about this. Just as a virus is often an inside job perpetrated by a disgruntled employee, so too is a visit from the BSA. Such visits are often the result of a current or former employee reporting their former employer.
Even if you consider software licensing to be a non-security problem, those big numbers of employees copying software from the net—and even more who are bringing possibly infected software from home—should be a very big concern. That is definitely a security problem.
Your best defense
As usual, this is mostly an education problem.
If all you do is post a notice instructing employees not to download or bring in software, a lot of people will just hide what they are doing. Some employees may only want to play games during slow periods (stealing time). But the really dangerous ones are those who feel they are doing the company a favor by making themselves more productive.
A lot of computer-savvy people are joining the workforce these days, but they have little knowledge of, or interest in, security problems. All they see is that they could work more efficiently using some of the programs they have at home. Thus, they don't see any harm in bringing them in.
Of course, even if users deploy a clean program on a CD-ROM, it can still be software piracy—and yet one more program that your MIS department isn't aware is installed and therefore can't monitor for security holes.
You need to impress on everyone that the company can be fined heavily for software piracy, even if it's inadvertent. Make sure they understand that the legal concern and the threat of viruses make it essential to prohibit these practices. Such information should be published in the employee handbook, along with the company policy regarding punishment of violators.
Kill two birds with one database, too. Avoid license problems and potential security holes by conducting a thorough audit. Hire a consultant to perform it for you if you don’t have the time.
Also, remember to perform periodic software audits by actually inspecting every hard drive, not just asking users. There's a big incentive not to report programs they installed on their own. After all, who wants Quake III uninstalled after spending all that time having the OpenGL drivers installed and the video card configured properly?
John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.
Have a comment?
If you'd like to share your opinion, please post a comment below or send the editor an e-mail.