Is Your Computer Data Safe at Night?
by Scott Cooper and Robert P. Green
(County Bar Update, August 2002, Vol. 22, No. 7)

 


By Scott Cooper, CMC, and Robert P. Green, CPA, of INSYNC Consulting Group, Inc., written at the request of the Law Practice Management Section Executive Committee. INSYNC is an independent consulting firm that provides information technology-oriented strategic consulting and tactical implementations in the areas of business automation, security, and forensics services to accomplish its clients' objectives. The opinions expressed are their own.

Running a business involves many components, and a reliably operating computer system, together with the data it contains, is one of them. Without adequate safeguards, this asset is vulnerable to attack from many sources.

In a recent report from the FBI and the Computer Security Institute, the economic cost to companies via unauthorized computer access or computer "piracy" was calculated to be about $25 billion annually. That same study showed that the average cost of unauthorized computer use is approximately $350,000 per company. More than 35 percent of the losses arise from theft of proprietary information. Another 30 percent of losses result from sabotage of data or networks. In fact, contrary to public perception, the least likely problem is a computer virus, accounting for only 11 percent of the losses.

The unfortunate fact is that most of these problems are preventable. A January 2002 National Academy of Sciences study concluded that corporate network "cyber-security today is far worse than what known 'best practices' can provide." Although the tools to protect the systems are in place, they aren't used by businesses.

All businesses can take four steps to mitigate the risks of computer "piracy" or corruption: understanding the risk, assessing your company's deficiencies, developing proactive protection systems, and monitoring on a regular basis.

Understand

Be aware of four major sources for computer data corruption or "piracy":

External threats, such as viruses, hackers, competitors, or industrial spies, that are especially troublesome to smaller and mid-sized companies without the systems in place to protect the data.

Environmental threats, such as poor physical security, bad electrical conditions, and unreliable phone wiring, among other things. It's not uncommon for a company to spend top dollar on a computer system but buy cheap wiring and networks, which immediately degrade the system's quality.

Problems with general systems mismanagement, including poorly configured networks, weak computer security systems, and ineffective network policies and procedures.

Internal threats, such as breaches of security by disgruntled employees and dissemination of confidential, proprietary, or other such privileged or fiduciary data. Users often improperly store passwords or fail to simply log off, thereby exposing confidential data. The risk of external threat isn't as great as the internal threat to computer security. Employees and other insiders caused nearly two-thirds of the $25 billion in damage reported by the FBI study.

Self Assess

Assess your computer security from the perspective of a company competitor. What information would the competitor want to access? How can this hurt your pocketbook? What programs and data are mission-critical? Often it's helpful to have a third party who isn't familiar with your system help you with the self-assessment.

Protect

Protect your system from data corruption and piracy. With the development of new and improving technologies, this step becomes easier to accomplish. It's critical to have effective backup systems, and it's necessary to back up not just the data but the entire system along with the data, with a verification process.

Another means of protecting against data corruption or piracy is a sound disaster prevention and recovery policy. Put proper software, hardware, devices, and policies and procedures in place, and require compliance with specific disaster prevention protocols.

Revisit

Perform regular proactive internal and external threat monitoring. Just as with immunizations, the protections need to be updated. Without a constant reminder of the potential threat to security, people may become lax about their precautions. Remember the pro-act/react paradox: Although pro-action doesn't guarantee safety, the cost of prudent pro-action is far less than reaction.
