Building Your eBusiness

Throughout the past month our newsletter has focussed on e-commerce. Because of the overwhelming response we've had, we are creating a column dedicated to e-commerce that will appear once a month.

Our objective for the MyComputer.com Newsletter is to provide you with the information you need to make educated decisions and help grow your eBusiness.

If there are topics you'd like us to address, let us know. You can email me at editor@mycomputer.com.

Thanks for your valued input.

Avoiding Risky Business
by Sharon Polsky

How many times in the last year has your company been the victim of information security breaches? Do you really know?

What we know is valuable. Careers and businesses are built on knowledge, and protecting our personal and corporate information is vital. Failing to protect that information is risky business.

Information security continues to be one the most fundamental but least discussed aspects of computer security. Media reports of virus attacks, hackers and other external security breaches are becoming commonplace. In reality, though, up to 85 percent of security breaches are internal.

It is the average employee who commits these offenses—although often without realizing his actions are risky. All information is valuable and at risk of being jeopardized—even information that is ultimately destined for public release. But the increasing use of computers and the Internet increases the opportunity for this information to be jeopardized.

Consider how easy it would be to send an email containing confidential information from a co-worker's system to a competitor. Your company's viability, and your co-worker's job, could be jeopardized in the time it takes to get a cup of coffee.

The most fundamental measure to minimize the opportunity for breaching information security is to set clear IS/IT policies.

The reality of this need is revealed in critical policy surveys. Eighty-six percent of respondents think accurate policies are extremely important, but only 14 percent already had critical areas documented and an amazing 57 percent had no documented policies at all.

Organizations usually have policies dealing with Human Resources, but those often are a restatement of Labor Standards legislation. Alarmingly few organizations consider where confidential information is stored, who has access to it, and what the consequences would be if the privacy of that information were to be jeopardized.

In an effort to protect information, companies are requesting security audits. While those are an important step towards information security, audits typically look at physical controls.

Security audits typically recommend that clients establish IS/IT policies and implement tools to help monitor users' adherence to those policies. Unfortunately, auditors and monitoring tools presume that policies already exist.

Using computers without any guiding policies is like playing sports without any rules. What is allowed in one game is declared illegal in the next. Players are at the mercy of referees' whims. And with no rules to refer to, there is no way to challenge the ref's call.

Now imagine what happens when there are no policies to tell employees and other users what is and is not allowed on company computers. On one hand, the users are free to use the computers as they wish. There are no policies indicating that any use is prohibited; therefore, users might assume that all activity is allowed.

An International Data Corp study showed that 30 percent to 40 percent of employee Internet activity in the workplace is not work related.

And a recent survey of the Canadian government's Federal Fisheries Department revealed that an average of seven sex and dating sites were visited daily by the equivalent of each of the department's 10,000 users. At two minutes per site, and a loaded wage rate of $60 per employee hour, that amounts to a cost of $139,980 per week—or a staggering $7,278,960 per year.

From the employer's perspective, personal use of company computers might be considered theft of company time. But without policies that define the boundaries of acceptable use, the company might have no recourse to reprimand the user. And if the company does reprimand or fire the employee, the company might face a wrongful dismissal lawsuit.

IS/IT policies that set out what is and is not permitted protect users at all levels in a corporation because everybody knows the rules of the game. Along the way, users might become more enthusiastic about their own work when they realize their productivity has increased and their risk has decreased.

Sharon Polsky, President of the Project Scope Solutions Group, specializes in information security and cyberliability issues. She has over 20 years' experience in IS/IT/policy development, business analysis, and technical communication for clients from startup ventures to Fortune 500 corporations - in High Technology, Manufacturing, Oil and Gas, Telecommunications, and the Public Sector.