Industry Article, Aug 04 Issue
Enterprise Risk Management in Today’s Information-Centric Environment
By Tery Larrew, President and CEO, Vericept Corporation
Risks Associated with Information
Today's “Information Age” is built on the growth of companies' information assets and proprietary data. That data is collected, preserved, studied, analyzed, distributed, published, and protected. However, the past few years have seen too many high profile information breaches. Companies in financial services, healthcare, retail, technology, energy and manufacturing have all been victims. The information lost falls into two definable categories: company information and customer information.
Company information, most notably intellectual property, customer lists, R&D files, and source code, has been stolen. Quarterly earnings reports and merger and acquisition documents have also made their way into the wrong hands through web mail and online public forums. This can be classified as corporate espionage.
Customer information such as Credit Card Numbers and Social Security Numbers has also been compromised, sometimes leading to Identity Theft. Recently, President Bush signed legislation that toughens penalties against identity theft, a problem that federal officials estimate cost U.S. consumers and businesses over $50 billion last year.
Consequently, HIPAA, GLBA, and California privacy laws have been passed, as well as Sarbanes-Oxley, which governs internal controls, protecting investors and ensuring corporate ethical responsibility. As a result, financial reporting requirements must now be strictly adhered to.
With more information being electronically stored and shared, and with communication tools such as instant messaging, peer-to-peer and web-based email being adopted, safeguarding sensitive information has become a challenge for enterprises of all sizes.
There are several forms of enterprise risk damage that a company could face, for instance regulatory compliance fines, loss of reputation in the marketplace, and loss of a safe work environment for its employees. It varies between industries, but each company has to ask itself “what is the impact to my business if the examples below happen?”
If an employee were unwittingly sharing proprietary secrets with an unauthorized user through a Peer-to-Peer (P2P) client that is sharing the wrong folders?
If confidential or highly sensitive information leaves your network? What would be the financial impact of such breaches and how would you quantify the financial damage to your reputation? Would you be able to pinpoint the specific information being compromised and the offender?
If the press found out about these lapses in information security?
If customers or clients knew their information was being sent out unencrypted?
If an employee pasted customer data into a webmail message and sent it to someone unauthorized to view it?
If a contractor or consultant were searching on Google for “stack smashing programs”?
If an employee were sending personnel data (e.g., SS#, home addresses, salary info, etc.) to an outsider via Instant Messaging?
If a business partner (e.g., payroll processor, insurance agent, clearing house, etc.) were exchanging customer data via an unencrypted email format?
If an employee unwittingly leaked unencrypted personal information via an Outlook mail message?
If an insider purposely sent out unencrypted personal information via webmail or IM with data in an attachment, or cut & pasted it into a web form?
If an employee was creating an illicit child pornography video collection while at work?
If your systems were successfully hacked, how would you know?
Many companies have identified these gaps in their risk management programs with various types of exposure assessments. What is scary is that no matter who has conducted the exposure assessments, 100% of organizations have found that the above issues, as well as hundreds more, are taking place every day!
A company should conduct an exposure assessment to evaluate the likelihood and potential damage of these threats and determine the relative importance of the risk. The potential cost of the risk should be quantified where possible and the sufficiency of policies, procedures, safeguards, and information systems should be analyzed for their ability to control and maintain security.
Minimize the Enterprise Risk
When researching ways to ensure security of your information assets and proprietary data, the following questions should be raised as you look at the approach, technology, functionality, and application.
Do you have a way to intelligently monitor, analyze and categorize all forms of Internet traffic: not just email, not just web traffic, not just instant messaging, but all electronic and Internet-based communications?
Do you have a way to provide an intelligent, early warning when inappropriate content is found, helping to mitigate many forms of risk, including compliance (Gramm-Leach-Bliley or Sarbanes-Oxley), legal (sexual harassment or discrimination), financial (leaking of sensitive company secrets or information) and more?
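As an added example (not Vericept's code or product, and not part of the original article), the following Python sketch shows the kind of categorization and early warning the two questions above describe: it scans constructed outbound messages from several channels for the customer data the article names (credit card numbers and Social Security Numbers) and validates each candidate before alerting, so that phone numbers, order IDs and never-issued SSN ranges are not flagged. The channel names, message fields and sample traffic are assumptions made for the example.

```python
"""Added example (not Vericept's code): an outbound-content monitor that categorises messages by the customer data they carry."""
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, spaced or dashed; validated by Luhn below
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # candidate SSNs; validated by ssn_ok below

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 000/666/900+ and all-zero fields are never issued."""
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

def classify(body: str) -> dict:
    """Categories found in one message; only the last four digits are retained as evidence."""
    found = {}
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.setdefault("credit_card", []).append(digits[-4:])
    for m in SSN_RE.finditer(body):
        if ssn_ok(*m.groups()):
            found.setdefault("ssn", []).append(m.group(3))
    return found

def scan(messages: list) -> list:
    """Early-warning pass over outbound traffic: one alert per message with findings."""
    alerts = []
    for msg in messages:
        found = classify(msg["body"])
        if found:
            alerts.append({"channel": msg["channel"], "to": msg["to"],
                           "categories": sorted(found), "evidence": found})
    return alerts

# Constructed sample traffic (not real data) across the channels the article names.
SAMPLE_MESSAGES = [
    {"channel": "webmail", "to": "friend@example.net", "body": "Card on file: 4111 1111 1111 1111, exp 08/06"},
    {"channel": "im", "to": "outsider", "body": "New hire SSN 123-45-6789, salary 72000"},
    {"channel": "email", "to": "ops@example.com", "body": "Call 303-555-0100 re order 4111 1111 1111 1112"},  # fails Luhn
    {"channel": "webform", "to": "vendor", "body": "Ref 000-12-3456, invoice paid"},  # area 000 is never issued
]
```

Running `scan(SAMPLE_MESSAGES)` yields alerts for the webmail and IM messages only; the phone number, the non-Luhn order number and the 000-area reference are left alone.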