
Security is Everybody’s Business

By Patricia S. Eyres

DANGERS LURK IN CYBERSPACE

Dangers lurk in cyberspace. Every business, regardless of size or industry, should have an easily understood, consistently enforceable policy to protect trade secrets, maintain the integrity and security of all networks and servers, protect sensitive customer information, protect the organization from lawsuits by third parties, protect the integrity and reputation of the organization and its business and ensure achievement and productivity. Security is everybody’s business.

Spam and viruses are the most visible, but not the most significant, security challenge. Fearing loss of valuable trade secrets and confidential company records from intrusion by criminal hackers, large and small organizations alike are installing firewalls to protect their networks. These firewalls will stop many, but not all, of today’s hacker attacks. Hackers can take advantage of holes in a network’s perimeter defenses created by employees who bypass protections by attaching modems to their PCs, setting up wireless access points without permission or downloading risky software, such as chat or file-sharing programs, all of which offer entry points for the creative criminal.

That’s why security is everybody’s business, and all managers and employees must understand the importance of following established security procedures. This is especially important when using laptops or working from remote locations.

Keeping your networks secure from hackers is just as critical for protecting your customers’ private information. Hackers target electronic databases of companies selling products on the Internet because they often have a mountain of information from which identities can be stolen: names, addresses, credit card information and other personal data. Theft of customer data gets the attention of the media, and one company was hit with a class action lawsuit charging that it failed to secure credit card information online. In addition to the legal exposure and negative PR, it wasn’t helpful for future business development. The visibility of insecure networks has prompted tough laws in several states, most notably California, that require any business that collects data from California consumers to immediately notify every person if there is a breach of security – from any source.

What about mischief and malice by employees and coworkers? In many ways, e-mail is ideally suited to smuggle trade secrets and valuable company data out of your organization. Leaks of important business plans can be embarrassing and costly, as Apple Computers learned when it was forced to speed up the launch of a new product due to a leak from inside its walls. And intentional disclosure of secrets can cost a lot more. A scandal involving nuclear secrets leaked from the U.S. Department of Energy’s lab at Los Alamos underscores the security risks inherent in e-mail. Investigators found evidence that e-mail was the critical component in the theft of top secret data about how to fabricate smaller nuclear warheads.

A comprehensive e-security plan should address internal threats that are as dangerous as attacks from outside. Identifying internal threats is the first step. The combination of e-mail overload and careless attachments is one risk; intentional stealing from internal electronic files by e-mail attachment is quite another. Whether accidental or deliberate, breaches of confidentiality can erode customer and employee confidence, cost jobs and devastate your organization.

Information security requires effective policies and consistent enforcement. It is imperative that every employee know and understand their role in security, even when it seems like a hassle. This article provides strategies you can put into practice immediately.

What is the Purpose of Information Security?

Information security is designed to prevent unauthorized access or damage to hardware, software and data. This encompasses misuse, malicious or accidental damage, vandalism, intentional intrusion, fraud, theft and sabotage to information resources.

The purpose of information security is to safeguard your company’s information resources. Information resources include hardware, software and data, in both electronic and hardcopy formats. This document defines the responsibility and accountability of company personnel, contractors and vendors with regard to the security of company information. It also educates all computer users about security and informs them of the serious legal risks associated with security violations.

Define Responsibilities for Information Security

The job of protecting hardware, software and data (hardcopy and softcopy) from abuse is shared by all users – employees, contractors, management, administrative staff and customers. Make it the responsibility of every system and information user to read, understand and comply with your corporate information security policy and all associated information regarding security policies and procedures.

Post the essential provisions on your intranet and publish them in your employee handbook.

Your information systems department should manage information security standards, procedures and controls intended to minimize the risk of loss, damage or misuse of your organization’s data. They should develop policies that:

  • Establish and maintain policies, procedures and standards for access.
  • Secure the information managed by the company and implement access to authorized persons.
  • Assist data custodians in identifying and evaluating information security risks.
  • Select, implement and administer controls and procedures to manage information security risks.
  • Distribute security report information in a timely manner to management, data custodians and appropriate system administrators.
  • Serve as the focal point for reviewing data security issues that have company-wide impact.
  • Promote security awareness to all managers, supervisors and other end-users through timely information and training.

Establish Accountability Standards and Enforce Consistently

Since security is everybody’s business, end-users, including contractors and vendors who access company data, should be personally responsible for proper use of the resulting available information. Company employees who access data must be responsible for:

  • Complying with all company information security policies and procedures in the use, storage, dissemination and disposal of data.
  • Protecting data from unauthorized access.
  • Reporting information security violations to their supervisor or the information security department.

Specifically Address Data Confidentiality

Due to the value and sensitive nature of your data and customer information, employees must exercise caution and care in their jobs and adhere to all of your company information security policies and procedures. In order to effectively communicate this policy and emphasize the importance placed on the confidentiality of data and software, all employees should be required to sign a data confidentiality statement on an annual basis. New employees should sign the statement prior to being hired.

Safeguard Accounts and Passwords

Access to accounts and passwords is the responsibility of each user.

Data Security and Individual Privacy

Security measures should be strictly observed by all system users to protect critical or sensitive data files (softcopy and hardcopy) from accidental or intentional disclosure to unauthorized users. In addition, all users should respect the privacy of other users’ software and data. Your company should reserve the right to monitor and review all system activities performed by system users and notify users that they do not have a reasonable expectation of privacy in their computer files, including e-mail.

Reporting of Security Problems

All users should be required to report instances of security violations, including unauthorized or attempted intrusion.


Patricia S. Eyres is an experienced attorney who has spent more than 18 years defending businesses in the courtroom. She is a full-time professional speaker and author. She can be reached at www.PreventLitigation.com or toll free at (800) LIT-MGMT.

Posted: Wednesday, June 01, 2005 12:00:00 AM. Modified: Wednesday, September 07, 2005 2:15:49 PM.
