5. What are the best ways to protect computers and the information they contain?
Have you ever lost a term paper you worked on for weeks because your hard drive crashed or you deleted the wrong file? You were upset, angry, and frustrated. Multiply that paper and your feelings hundreds of times over, and you can understand why companies must protect computers, networks, and the information they store and transmit from a variety of potential threats. For example, security breaches of corporate information systems—from human hackers or electronic versions such as viruses and worms—are increasing at an alarming rate. The ever-increasing dependence on computers requires plans that cover human error, power outages, equipment failure, hacking, and terrorist attacks. To withstand natural disasters such as major fires, earthquakes, and floods, many companies install specialized fault-tolerant computer systems.
Disasters are not the only threat to data. A great deal of data, much of it confidential, can easily be tapped or destroyed by anyone who knows about computers. Keeping your networks secure from unauthorized access—from internal as well as external sources—requires formal security policies and enforcement procedures. The increasing popularity of mobile devices—laptops, tablets, and cell phones—and wireless networks requires new types of security provisions.
In response to mounting security concerns, companies have increased spending on technology to protect their IT infrastructure and data. Along with specialized hardware and software, companies need to develop specific security strategies that take a proactive approach to prevent security and technical problems before they start. However, a recent CIO article lamented the lack of basic security policies that companies only implement after a hack or data crisis.15
Data Security Issues
Unauthorized access into a company’s computer systems can be expensive, and not just in monetary terms. Juniper Networks estimates that cybercrime will cost businesses more than $2 trillion in 2019, compared to just $450 million in 2001. The most costly categories of threats include worms, viruses, and Trojan horses (defined later in this section); computer theft; financial fraud; and unauthorized network access. The report also states that almost all U.S. businesses report at least one security issue, and almost 20 percent have experienced multiple security incidents.16
Computer crooks are becoming more sophisticated all the time, finding new ways to get into ultra-secure sites. “As companies and consumers continue to move towards a networked and information economy, more opportunity exists for cybercriminals to take advantage of vulnerabilities on networks and computers,” says Chris Christiansen, program vice president at technology research firm IDC.17 Whereas early cybercrooks were typically amateur hackers working alone, the new ones are more professional and often work in gangs to commit large-scale internet crimes for large financial rewards. The internet, where criminals can hide behind anonymous screen names, has increased the stakes and expanded the realm of opportunities to commit identity theft and similar crimes. Catching such cybercriminals is difficult, and fewer than 5 percent are caught.18
Firms are taking steps to prevent these costly computer crimes and problems, which fall into several major categories:
Unauthorized access and security breaches. Whether from internal or external sources, unauthorized access and security breaches are a top concern of IT managers. These can create havoc with a company’s systems and damage customer relationships. Unauthorized access also includes employees, who can copy confidential new-product information and provide it to competitors or use company systems for personal business that may interfere with systems operation. Networking links also make it easier for someone outside the organization to gain access to a company’s computers.
One of the latest forms of cybercrime involves secretly installing keylogging software via software downloads, e-mail attachments, or shared files. This software then copies and transmits a user’s keystrokes—passwords, PINs, and other personal information—from selected sites, such as banking and credit card sites, to thieves.
Computer viruses, worms, and Trojan horses. Computer viruses and related security problems such as worms and Trojan horses are among the top threats to business and personal computer security. A computer program that copies itself into other software and can spread to other computer systems, a computer virus can destroy the contents of a computer’s hard drive or damage files. Another form is called a worm because it spreads itself automatically from computer to computer. Unlike a virus, a worm doesn’t require e-mail to replicate and transmit itself into other systems. It can enter through valid access points.
Trojan horses are programs that appear to be harmless and from legitimate sources but trick the user into installing them. When run, they damage the user’s computer. For example, a Trojan horse may claim to get rid of viruses but instead infects the computer. Other forms of Trojan horses provide a “trapdoor” that allows undocumented access to a computer, unbeknownst to the user. Trojan horses do not, however, infect other files or self-replicate.19
Viruses can hide for weeks, months, or even years before starting to damage information. A virus that “infects” one computer or network can be spread to another computer by sharing disks or by downloading infected files over the internet. To protect data from virus damage, virus protection software automatically monitors computers to detect and remove viruses. Program developers make regular updates available to guard against newly created viruses. In addition, experts are becoming more proficient at tracking down virus authors, who are subject to criminal charges.
Deliberate damage to equipment or information. For example, an unhappy employee in the purchasing department could get into the company’s computer system and delete information on past orders and future inventory needs. The sabotage could severely disrupt production and the accounts payable system. Willful acts to destroy or change the data in computers are hard to prevent. To lessen the damage, companies should back up critical information.
Spam. Although you might think that spam, or unsolicited and unwanted e-mail, is just a nuisance, it also poses a security threat to companies. Viruses spread through e-mail attachments that can accompany spam e-mails. Spam is now clogging blogs, instant messages, and cell phone text messages as well as e-mail inboxes. Spam presents other threats to a corporation: lost productivity and expenses from dealing with spam, such as opening the messages and searching for legitimate messages that special spam filters keep out.
Software and media piracy. The copying of copyrighted software programs, games, and movies by people who haven’t paid for them is another form of unauthorized use. Piracy, defined as using software without a license, takes revenue away from the company that developed the program—usually at great cost. It includes making counterfeit CDs to sell as well as personal copying of software to share with friends.
Preventing Problems
Creating formal written information security policies to set standards and provide the basis for enforcement is the first step in a company’s security strategy. Unfortunately, a recent survey of IT executives worldwide revealed that over two-thirds expect a cyberattack in the near future. Stephanie Ewing, a data security expert, states, “Having a documented, tested process brings order to chaotic situations and keeps everyone focused on solving the most pressing issues.” Without information security strategies in place, companies spend too much time in a reactive mode—responding to crises—and don’t focus enough on prevention.20
Security plans should have the support of top management, and then follow with procedures to implement the security policies. Because IT is a dynamic field with ongoing changes to equipment and processes, it’s important to review security policies often. Some security policies can be handled automatically, by technical measures, whereas others involve administrative policies that rely on humans to perform them. Examples of administrative policies are “Users must change their passwords every 90 days” and “End users will update their virus signatures at least once a week.” Table 13.4 shows the types of security measures companies use to protect data.
Five Areas of Concern Regarding the Protection of Data
Percentage
Concern for Protecting Data
52
Aren’t sure how to secure connected devices and apps
40
Don’t immediately change default passwords
33
Don’t think they can control how companies collect personal information
33
Parents admit they don’t know the risks well enough to explain to children
37
Use credit-monitoring services
Table13.4 Source: Adapted from Tony Bradley, “Top 5 Concerns to Focus on for Privacy Day,” Forbes, https://forbes.com, January 27, 2017.
Preventing costly problems can be as simple as regularly backing up applications and data. Companies should have systems in place that automatically back up the company’s data every day and store copies of the backups off-site. In addition, employees should back up their own work regularly. Another good policy is to maintain a complete and current database of all IT hardware, software, and user details to make it easier to manage software licenses and updates and diagnose problems. In many cases, IT staff can use remote access technology to automatically monitor and fix problems, as well as update applications and services.
Companies should never overlook the human factor in the security equation. One of the most common ways that outsiders get into company systems is by posing as an employee, first getting the staffer’s full name and username from an e-mail message and then calling the help desk to ask for a forgotten password. Crooks can also get passwords by viewing them on notes attached to a desk or computer monitor, using machines that employees leave logged on when they leave their desks, and leaving laptop computers with sensitive information unsecured in public places.
Portable devices, from handheld computers to tiny plug-and-play flash drives and other storage devices (including mobile phones), pose security risks as well. They are often used to store sensitive data such as passwords, bank details, and calendars. Mobile devices can spread viruses when users download virus-infected documents to their company computers.
Imagine the problems that could arise if an employee saw a calendar entry on a mobile device like “meeting re: layoffs,” an outsider saw “meeting about merger with ABC Company,” or an employee lost a flash drive containing files about marketing plans for a new product. Manufacturers are responding to IT managers’ concerns about security by adding password protection and encryption to flash drives. Companies can also use flash drive monitoring software that prevents unauthorized access on PCs and laptops.
Companies have many ways to avoid an IT meltdown, as Table 13.5 describes.
Procedures to Protect IT Assets
Develop a comprehensive plan and policies that include portable as well as fixed equipment.
Protect the equipment itself with stringent physical security measures to the premises.
Protect data using special encryption technology to encode confidential information so only the recipient can decipher it.
Stop unwanted access from inside or outside with special authorization systems. These can be as simple as a password or as sophisticated as fingerprint or voice identification.
Install firewalls, hardware or software designed to prevent unauthorized access to or from a private network.
Monitor network activity with intrusion-detection systems that signal possible unauthorized access, and document suspicious events.
Conduct periodic IT audits to catalog all attached storage devices as well as computers.
Use technology that monitors ports for unauthorized attached devices and turn off those that are not approved for business use.
Train employees to troubleshoot problems in advance, rather than just react to them.
Hold frequent staff-training sessions to teach correct security procedures, such as logging out of networks when they go to lunch and changing passwords often.
Make sure employees choose sensible passwords, at least six and ideally eight characters long, containing numbers, letters, and punctuation marks. Avoid dictionary words and personal information.
Establish a database of useful information and FAQ (frequently asked questions) for employees so they can solve problems themselves.
Develop a healthy communications atmosphere.
Table13.5
Keep IT Confidential: Privacy Concerns
The very existence of huge electronic file cabinets full of personal information presents a threat to our personal privacy. Until recently, our financial, medical, tax, and other records were stored in separate computer systems. Computer networks make it easy to pool these data into data warehouses. Companies also sell the information they collect about you from sources like warranty registration cards, credit-card records, registration at websites, personal data forms required to purchase online, and grocery store discount club cards. Telemarketers can combine data from different sources to create fairly detailed profiles of consumers.
The September 11, 2001, tragedy and other massive security breaches have raised additional privacy concerns. As a result, the government began looking for ways to improve domestic-intelligence collection and analyze terrorist threats within the United States. Sophisticated database applications that look for hidden patterns in a group of data, a process called data mining, increase the potential for tracking and predicting people’s daily activities. Legislators and privacy activists worry that such programs as this and ones that eavesdrop electronically could lead to excessive government surveillance that encroaches on personal privacy. The stakes are much higher as well: errors in data mining by companies in business may result in a consumer being targeted with inappropriate advertising, whereas a governmental mistake in tracking suspected terrorists could do untold damage to an unjustly targeted person.
Increasingly, consumers are fighting to regain control of personal data and how that information is used. Privacy advocates are working to block sales of information collected by governments and corporations. For example, they want to prevent state governments from selling driver’s license information and supermarkets from collecting and selling information gathered when shoppers use barcoded plastic discount cards. With information about their buying habits, advertisers can target consumers for specific marketing programs.
The challenge to companies is to find a balance between collecting the information they need while at the same time protecting individual consumer rights. Most registration and warranty forms that ask questions about income and interests have a box for consumers to check to prevent the company from selling their names. Many companies now state in their privacy policies that they will not abuse the information they collect. Regulators are taking action against companies that fail to respect consumer privacy.
CONCEPT CHECK
Describe the different threats to data security.
How can companies protect information from destruction and unauthorized use?
Why are privacy rights advocates alarmed over the use of techniques such as data warehouses and data mining?