What are your employees most likely to do when no one’s looking?
- Surf porn sites on the Web
- Send chain e-mails to co-workers
- Make personal long-distance calls
Answer: None of the above. Today, it’s just as likely that they’re infiltrating your computer systems and downloading sensitive information. The list of organizations that have fallen victim to cyber crime is long, and includes luminaries ranging from Microsoft to Bloomberg to the U.S. Justice Department.
Although Bear, Stearns & Co. Inc. predicts that Internet security solutions could be a sizable $15 billion market by 2004, at present businesses spend only miniscule amounts on security. According to research firm Datamonitor, although damage from security breaches costs businesses over $15 billion a year globally, over half of companies spend 5% or less of their IT budgets on security, and only 10% spend more than a fifth of their technology dollars beefing up systems protection. With e-commerce breaking down communication barriers in every industry, it is clear that computer security concerns need to take center stage.
The number one thing distribution facilities must do is guard sensitive inventory information, especially as this data is increasingly computerized, according to Barry Wilkins, managing director of logistics security worldwide at Pinkerton, based in Raleigh, NC. “Warehouses need to protect the information they have in these systems — times, delivery, quantity, and a description of that information are the key things that need to be protected in a warehouse environment,” he says.
In addition, Wilkins suggests, disseminate warehouse logistical information only on a strict need-to-know basis so would-be thieves cannot access it freely. “The people who work in the warehouse should not have unnecessary access to critical information about the product, its value, when it’s coming, and where it’s going,” says Wilkins. “Separate duties so warehouse employees who handle, ship, receive, and do the physical inventory are not the same individuals who can alter the inventory record.”
Covert operations? Going undercover? These may be spy thriller catch phrases, but they’re the best ways to catch bad guys in the act, according to Barry Brandman, president of Midland Park, NJ-based Danbee Investigations. Carefully placed undercover operatives almost always nab would-be hackers and saboteurs. The evidence turned up in these investigations is usually enough to incriminate the smoothest of operators. Says Brandman: “The people that commit the sabotage or the theft of proprietary information boast about their exploits. For example, we had one investigation where two employees inside the company had downloaded highly classified data and sent it to a competitor. Our client reported that it had cost well over $2 million to develop the data. We put an undercover operative in the company.”
When a group of employees went out to a restaurant after work, two of them, after a few beers, “confided that they were going to download some highly confidential marketing plans for the new year and extort money from the employer to keep the plans from being posted on the Internet.” Brandman says that because this information came out in an actual conversation between the hackers and the undercover agent, his company was able to install covert video equipment and obtain factual evidence of the system hacking and downloading of proprietary information. A criminal prosecutor is currently reviewing the case.
“Many companies have major gaps in their system defense. As outsiders, we come in with a totally different perspective than their in-house IS people,” Brandman says.
Toll-free tip-lines are another useful tool that companies can use to catch cyber criminals, because the anonymity that the medium confers encourages people to report acts of data sabotage, manipulation, or theft.
“We received a call on what we call the HOTLINE, which is an 800 number that can be called not only from the U.S., but from Canada, Mexico, Europe, and Asia,” says Brandman. “Many of our clients are international firms. A few months ago an individual called in a tip on our 800 number and told us about a disgruntled worker who was responsible for downloading viruses into the system, so obviously, the investigative techniques and safeguards work.”
Other important warehouse systems security measures include diligent screening of new hires, as well as background investigations of employees who might be promoted to security-sensitive positions. Brandman also stresses the importance of having independent auditors review computer security systems. “The company should have firewalls and other security safeguards audited by an outside firm to determine where there are loopholes.”
The price of safety
One measure that could save a company from collapsing under the devastation caused by cyber crime is insurance, according to John Spain, president of Information Risk Group (IRG) in Atlanta. Spain led the task force that brought the infamous hacker group, The Legion of Doom, to prosecution.
“If you do have an attack by a hacker or a disgruntled employee, there are insurance products available that would pick up risks, send security experts to solve the problems, and pay for lost revenue,” Spain says.
He adds that an insurance product such as e-Comprehensive SM could save companies from going under by allowing them to transfer to the policy the residual risk of cyber crime. e-Comprehensive was developed by underwriters at Lloyd’s of London for cyber risks, including first- and third-party liability exposure and loss of intellectual property, according to IRG.
Cost is an issue mainly untouched when discussing cyber-security, because the tab for protection ranges quite widely. Generally, the more resources a company has to protect, the higher the overall cost will be.
“The most important thing is to have a dedicated resource to focus on good IT security,” says Spain. “The cost for a small company will range from $20,000 to $40,000. Sometimes, it is not as costly as companies may think — employees need to know how to protect information assets. Employees need to know what to do when something goes wrong. That is not a costly thing, but it is an essential thing.”
According to Brandman, the cost of implementing effective security measures depends on the size of the company, the kind of technology that the firm uses, and how extensive the systems are. “On the low end of the range the cost is anywhere from $20,000 up to $70,000. Bigger companies have more locations and hardware, and some are international. On the high end, the cost could run to $150,000.”