No matter whether a security breach is due to an industrial spy, a clever hacker, or, more likely, a hostile or careless employee, in seconds intellectual property and confidential records can be pilfered, communications severed, and data corrupted -- leaving your company exposed to legal and financial liabilities from which it might never recover. To avoid that predicament, Sanford Sherizen, president of Data Security Systems and an expert on electronic information protection and computer crime prevention, suggests that CIOs sit down with internal information security staff to determine whether the company has adequate information protection in place. "The dialogue has to take place at the C-level," explained Sherizen. "I find that a lot of senior managers are quite concerned about [information] security, but they don't know how much is necessary or appropriate before the company can feel safe." Ask these five questions to find out how well your company's information is protected, and follow the tips to ensure that security efforts stay on track. 1. What is being done to protect confidential information from deliberate or inadvertent electronic dissemination?
You need to know what security measures are in place to control the electronic dissemination of company confidential information. This includes everything from customer records and intellectual property to shareholder information, financial documents, and business plans. With a mobile workforce and tight integration with business partner operations, remote access to a company's systems is now commonplace. One good security component, according to Sherizen, is security information awareness training. Determine what, if any, security employee training and programs have been established. The best training approach, according to Sherizen, is one that relates corporate security to home security so that employees can easily understand the corporate issues. "If your employees work outside of the office at night or weekends," said Sherizen, "do you know if your company has established adequate information security rules that must be followed in their homes? If the answer is no, your company may be open to viruses and information leaks." Even major companies like Raytheon, a military equipment contractor based in Massachusetts that likely has a strong internal security program, haven't been immune. An article in the September/October 2000 issue of Group Computing reported that Raytheon sued 21 people for revealing trade secrets in Internet chat rooms. Most were employees at the time of the indiscretion. One technology available to address IM security is messaging filters. Filters can be applied by a corporate set of rules and by lexical analysis of key words and phrases. As the CIO, you must know what's been done -- or not done -- via both technology and policies. 2. What, if any, anti-spam measures are in place?
Know what safeguards are being put in place to ensure network uptime and responsive e-mail delivery to employees, customers, and business partners. If your company engages in service-level agreements that are based on the timely flow of communication, failing to meet contractual obligations often carries stiff penalties. The long-term ramifications of network degradation could be termination of the service contract and loss of future business. Spam can obviously impact SLAs and network flow. Here too, employee education is key. Management must articulate policies regarding spam and internal junk mail. Senders, recipients, and administrators need to understand the havoc that frivolous messages can wreak on vital network performance -- and the long-term repercussions of subpar response times. For example, Bill Fallon, vice president of EasyLink Services, which operates an outsourced e-mail security service called Mailwatch, suggests that companies examine e-mail security systems for protection against oversized electronic greeting cards, which are capable of shutting down an e-mail system. Hoaxes and online social demonstrations ("send an e-mail to protest X") are another area of concern, points out Graham Cluley, senior technology consultant for Sophos, which specialises in antivirus protection. PC users tend to send them to all their contacts in the mistaken belief that they are doing good. "In reality," said Cluley, "these actions waste bandwidth, clog up e-mail servers, and spread disinformation." He recommends that firms instruct employees to send all such e-mails to a single, nominated IT support person who will be responsible for checking out whether the threat is real instead of sending the e-mail to everyone. Proactive identification of spam is critical. IT systems need to be able to detect and block known spam sites and internal junk mail before it replicates and clogs the network. Information security staff must aggressively search out offending sites on a regular basis to keep the list current. Another preventative measure is to automatically block certain file attachments by size, type, structure, user, or domain. CIOs need to ask what's being done, what's not, and why.