Computer exposures can byte the unaware; Organizations often not prepared for threats from inside, outside system

Risk Management Systems & Strategies

By Michael Prince
|
A television commercial for an Internet search engine asks viewers, "Have you ever been experienced?" A better question for corporate computer users may be: "Have you ever experienced a loss?"

With the explosive growth of business use of the Internet, and with the penetration of computer systems into every aspect of a business organization, a growing number of computer-related risks are emerging. Risks range from loss of data, including theft, destruction and inadvertent loss, to new liability exposures associated with computer activity.

"Risks are more complex now than they used to be," said Per J. Agrell, visiting professor of management at the University of Georgia in Athens.

Linking up to the Internet "has a wonderful advantage, but it brings with it new risks, as it is a new avenue into organizations that didn't use to exist," said Maia Hughes, a consultant in the risk management practice of Tillinghast-Towers Perrin in Parsippany, N.J. "A lot of companies that are exploring these new tools are not completely aware of the risks that exist. They are more concerned with the competitive advantage and don't realize the risks they face," she said.

Perhaps the greatest risk that companies face is the loss or theft of computer files because of inadequate computer security. Although controlling access to company information always has been a priority, computer networks and links to the Internet allow wider access to more company data. "The Internet increases risks exponentially," observed Gail Thackeray, deputy county attorney in Maricopa County, Ariz., which includes the Phoenix metropolitan area. Ms. Thackeray specializes in computer crimes.

A company's computer system has to be secured so that people both outside and inside the company have access only to the information the company wants to share with them, experts say. This is accomplished by erecting electronic firewalls and requiring passwords for anyone to access sensitive areas.
Apart from threats to data integrity, the Internet can also be the source of many other risks for organizations, including:

Employees' claims of a hostile work environment because of electronic sexual harassment. A company could face this exposure if an employee downloads pornography from the Internet and e-mails it to a colleague. "People have been the unwilling recipient of pornography by e-mail," said Joan Feldman, president of Seattle-based Computer Forensics Inc., one of the new breed of computer detectives that plaintiffs hire to retrieve from defendants' computers documents they did not know, or did not care to know, exist (BI, Sept. 30). "You bet an attorney can drive a Ferrari down that avenue," observed David Tweedy, president of Tweedy Risk Consultants in Kingston, R.I.

If companies do not take action in response to employee complaints about receiving e-mailed pornography, they could be liable for creating a hostile work environment, some experts warned. But Michael Turner, founder and creator of Woodstock, Ill.-based RMIS-Web, a Web site devoted to providing information on RMIS systems, downplays the sexual harassment risk from computers. He said it is no worse than if someone sends pornographic photographs anonymously to a colleague using conventional internal mail.

Copyright infringement lawsuits, "because it's so easy to reproduce and distribute information" over the Internet, Mr. Turner said. A company could face such a risk if, for example, one of its employees receives from a friend at another company an e-mail containing proprietary information belonging to that other organization. The existence of that information in the system, even inadvertently, could prove very damaging for the company whose employee received the e-mail. "If they did come in, did a review and found it, they could claim that it was stolen or that you were copying their plan or product," Ms. Feldman said. "That's kind of a frightening thought for any company."

Ms. Feldman recommends that companies enforce strict policies on what e-mails to open and educate employees on potential e-mail perils. "If you can educate users at the beginning on what to accept and how it can have a negative impact on the company, that's the first thing." She recommends deleting all e-mail messages after reading them, printing out any important messages for keeping. She also advised keeping e-mails on their own back-up tapes, separate from other data, and discarding messages older than three months.

Companies that sponsor bulletin boards or chat rooms in conjunction with their home pages on the World Wide Web also have to be wary of their potential liability for the posting of libelous statements and information that violates copyrights, warned Lori Jorgensen, risk manager for worldwide products at Microsoft Corp. of Redmond, Wash. To reduce this exposure, companies should remove the offending material when someone complains. However, Ms. Jorgensen cautioned against editing all of the material. That can lead to even greater liability if it is construed that the edited material that remains online is endorsed by the company.

A home page on the Web also may expose a company to some international risks, Ms. Jorgensen pointed out. Because a Web site can be accessed by anyone with Internet access from around the world, it may expose the host company to the laws of foreign countries. For example, some European countries have privacy laws that prohibit the kind of data gathering on individuals that some Web sites conduct for marketing purposes.

The Internet, though, is only one source of computer-related exposures. Companies also have to take additional security safeguards when dealing with computer consultants, warned Ms. Thackeray, the Arizona prosecutor.
Background checks and contracts with computer consultants often are inadequate to protect the company, she said, noting that up to one-third of the computer-crime complaints she receives are leveled against computer consultants who had access to a company's system. A nefarious consultant can create ways of re-entering a client's computer system after completing a job and either use that access for his or her own purposes or sell the know-how to others.

Companies should "have contracts that constrain the consultant in making use later of what they learn of computers or systems," Ms. Thackeray advised. Companies should include in their contracts with any consultant a non-disclosure agreement that prohibits the consultant from revealing information the consultant learns about the company's system. "There needs to be a no-trespassing sign in the contract," Ms. Thackeray said. Without such a clause in the contract, the consultant later can invade the system and claim that he or she was authorized to do so, Ms. Thackeray said. If the contract contains the no-access clause, then that defense is negated and the consultant can be prosecuted under criminal statutes outlawing unauthorized access to a computer system.

E-mails also are potential security weaknesses. "Everyone has to be entirely clear an e-mail is not a letter. It's a fax," said Mr. Agrell of the University of Georgia, referring to the hubs along the e-mail's path where it can be intercepted and read. He compares an e-mail to a fax sent to a hotel where the recipient is staying: everyone who handles it along the way can read it. In addition, e-mails can be faked or altered by someone who intercepts the message, Mr. Agrell noted.

Another common source of computer file disruption is disgruntled employees. They can steal information off a computer network as well as erase data off a network or a workstation's hard drive.
Before the creation of computer networks, such sabotage could have been done by throwing away paper files. But now the scale and impact of the potential loss is greater via computers. "It's just using a different medium," said Mr. Turner of RMIS-Web. "They're using a hard drive rather than a file cabinet."

Hackers from outside the company also steal information. "It occurs regularly," Tillinghast's Ms. Hughes said. Indeed, she added, it occurs more frequently than companies report. But many companies are reluctant to publicize their vulnerabilities, Ms. Hughes said. "It's a big worry for companies."

A newly released study supports her conclusion. It shows that 58% of 205 companies surveyed reported an outside intrusion into their computer system in the past year. According to the study, conducted by Baltimore-based computer security specialist WarRoom Research L.L.C., 155 of the intrusions were investigated by the company and only four were referred to law enforcement.

But one security advantage computer files have over paper files is that they can be backed up. Companies generally have extensive back-up procedures for their systems, though they rarely have similar procedures for employees' individual personal computers. According to experts, this is where companies are vulnerable and require greater diligence in backing up files. "It's a manageable risk as long as we understand it," Microsoft's Ms. Jorgensen said.

Stolen laptop computers also should be a concern. The potential loss is especially great when an employee has downloaded the latest version of a corporate document onto the laptop before the equipment is stolen. "If that computer is stolen, the thief gets more than a computer; he gets the company's proprietary information," Ms. Hughes observed. Laptop computer thefts frequently can be traced to industrial espionage, according to Ms. Hughes.
She said that restricting what kind of information can be loaded onto employee laptops is easier than preventing the thefts.

Ms. Hughes recommends several steps to reduce the risk of theft or accidental loss of information:

- Maintain an inventory of all computer hardware so the company can discern easily whether its equipment has disappeared.
- Trace the flow of information through the company to determine where the company is vulnerable, and then restrict access to sensitive information at those points.
- Set policies and procedures for sending and receiving e-mails, as well as for storing e-mail data, and clearly explain to employees why following those procedures is important.

Failing to take such measures can even create additional risks for a company. Inadequate measures to safeguard company data could trigger derivative-action lawsuits by shareholders against a company's directors and officers, Ms. Thackeray warned. A corporate officer can be sued for dissipating a corporate asset, including vital company information. Though Ms. Thackeray has not heard of such a case yet, she said that one way of dissipating a corporate asset is by not properly protecting the computer system. "If management is sloppy about computer security, it is one way that shareholders can sue the officers," she said.

As part of their larger strategy, companies need to elevate their technological risk assessment to a level equaling the assessment of other exposures, said Ms. Hughes of Tillinghast. Ms. Thackeray said that to date many companies have not assessed the potential risks of the new technology. "Companies cannot maintain the same lax attitude about computer security and expose themselves to the Internet without dramatically increasing their risks," she said.