Protecting personal and corporate information in the workplace from outside hackers and even disgruntled employees is a growing concern executives can’t afford to ignore, say cybercrime experts.
While many corporate leaders assume it’s a computer or technology issue, the potential fallout from even a minor breach – including loss of reputation and investor confidence, downtime, and the cost of information retrieval and damage control – proves information security is a fundamental business concern.
“The importance of protecting personal and corporate information is increasing,” says Sharon Polsky, president of Project Scope Solutions Group, a Calgary-based information security company which held a seminar on cyber-liability risks last week.
“Security preparations typically are viewed as being on the wrong side of the ledger – they are a cost, not a revenue generator,” Polsky adds. “But it’s the same thing as paying for insurance . . . there’s no benefit from it except when you have a claim and you have something to fall back on.”
Police are also zeroing in on corporate cybercrime, trying to educate local businesses on the risks they face before they become targets. “Criminals are doing the same old crimes using new technology,” observes Calgary police Sgt. Marty Fulkerth. “That’s the only difference. It starts out virtually, and ends up real world.”
But Fulkerth says many companies, from mom-and-pop small businesses to larger enterprises, are embarrassed to report being victimized over the computer. “We’re having a problem with even tracking what types of crime are being committed,” he says.
It’s often only the higher-profile cases – like the infamous 15-year-old “Mafiaboy” who shut down several prominent Internet sites, including CNN, Yahoo, eBay, Amazon, Excite and ETrade – which are reported in the press, helping make the crime even more invisible.
“Corporations and people have to educate themselves,” says crime prevention specialist Gerry Bailey, who also spoke at the seminar on behalf of the Calgary Police Service. “It’s absolutely critical because of the fast-paced nature of this industry.”
A survey conducted last year by the U.S.-based Computer Security Institute in co-operation with the FBI showed the financial toll from security breaches continues to rise.
The study showed 85 per cent of large corporations and government agencies surveyed had detected computer security breaches within the last twelve months, with 64 per cent reporting resulting financial losses – the most serious occurring through theft of proprietary information. Seventy per cent of the firms cited their Internet connection as a frequent point of attack, as opposed to their internal systems.
The respondents who were willing or able to quantify their financial losses reported $377 million in losses – but only 36 per cent of those targeted ever reported the intrusions to a law-enforcement agency.
Raj Dhaliwal, western regional manager for Montage.DMC E-security Solutions, told the seminar that even the latest computer security technology is ineffective unless it’s accompanied by proper training, due diligence and the involvement of all employees within an organization.
“There is more to information security than simply the deployment of technology,” Dhaliwal said, adding company strategies should include being familiar with legislation, regular self-assessments of security and vulnerabilities, and developing policies and procedures to mitigate risk.
Polsky agrees, and says to implement a comprehensive information security plan on a holistic level throughout an organization, every person has to become part of the solution – or they’ll be part of the problem. Company insiders can often pose more of a threat than hackers or other external factors, she added. “The people inside know where your soft spots are . . . they can hurt you most of all.”