Managing e-business risk to mitigate loss

Along with the speed and convenience of e-business come new risks, such as identity theft and cyberextortion. Technology has increased the amount of confidential information at risk, and can exacerbate financial and reputational loss.

Between February and the end of April, more than 3 million personal data records have been reported lost or stolen due to security breaches. The U.S. Congress is holding hearings on the concern over unauthorized access to confidential information and, in some cases, the failure to notify affected consumers of such a breach in a timely fashion. Not surprisingly, the plaintiffs' bar has taken notice of the potential for class-action tort litigation associated with these events.

Welcome to the reality of e-business--which, while convenient, poses such threats as identity theft, cyberextortion and more. Businesses need to be aware of a host of these new cyber threats and of how to mitigate the repercussions of such events. For starters, businesses should understand the financial and reputational risks that may be associated with the disclosure of a security/privacy breach and take the necessary steps to mitigate the risk and potential loss.
Key issues to consider in light of an actual or potential security breach of confidential information include:
* Will consumers form a class-action suit?
* Will banks and credit card companies demand that companies pay them millions of dollars, as banks incurred such costs to reissue credit cards to the consumers?
* Will directors and officers be sued by stakeholders alleging that lax internal controls over IT processes led to a fraud and caused millions of dollars in direct losses, brand damage and a drop in the stock price?
* Will a company's network and IT infrastructure be able to recover quickly and provide functions that will support the business applications and customers?
* Will an extortionist threaten to post the confidential information on the Internet for all to see unless paid tens of thousands of dollars?
* Will a company be able to restore consumer confidence?

Identity Theft

In March 2004, a major retailer alerted its 8 million customers that "a small fraction" of them (it couldn't pinpoint which ones) may have had their credit card information stolen. The company released little detail on how the information was stolen, but admitted the cost was significant--as much as $16 million. The U.S. Secret Service has since said the case may be tied to an international identity-theft ring.

More than a dozen banks filed claims against the retailer, seeking restitution for fraudulent purchases made with its customers' cards and for the costs associated with reissuing hundreds of thousands of credit cards. The Federal Trade Commission (FTC) considers identity theft the fastest-growing crime in the U.S., estimating it affected more than 27 million Americans between April 1998 and April 2003; nearly 10 million individuals were affected in 2003 alone. The FTC reports that in 2002 businesses absorbed more than $48 billion in losses and victims spent nearly $5 billion in out-of-pocket expenses to correct their financial histories. Although there is no clear breakdown as to how much identity theft involves computer break-ins as opposed to "traditional" thievery, there is no doubt that technology has increased the amount of confidential information at risk.

Two of the newest tools of identity thieves are "phishing" and "spyware." Phishing is one way fraudsters obtain the information needed to commit identity fraud. In this email-based fraud, perpetrators pretend to be a trusted bank, retailer or other organization and lure victims into providing identifying information, such as a Social Security number, home phone number, passwords and other account information.
Research firm TowerGroup estimates last year's worldwide fraud losses from phishing to be $137 million. Although phishers have tended to target large corporations, smaller firms ultimately may be targeted as phishing "tool kits" gain wider distribution over the Internet.

Another villain, "adware" or "spyware," in its most benign form, tracks the sites a user visits on the Web and reports back to advertisers, who use the knowledge of an individual's Web-surfing habits to target them with specific pop-up ads, which, while annoying, are generally harmless. Significant problems with spyware stem from the ease with which it allows criminals to gather sensitive information. Spyware can add other costs to a business--such as time spent rooting it out and lost productivity. Microsoft estimates that about half of all computer crashes are caused by spyware.

Another growing e-menace is cyberextortion. In a 2004 survey of small and mid-size companies by Carnegie Mellon University, 17 percent reported having been threatened by cyberextortionists. The study also indicates that small companies--viewed as more likely to pay up--are more likely to be targeted by extortionists. Threats being used against the companies include: theft or destruction of customer data or intellectual property; launch of a denial-of-service attack; and Website defacement.

Regulatory & Legislative Issues

Management of information risk is increasingly tied to regulatory mandates. Over the past 10 years, laws enacted at the federal and state levels have forced companies to be even more careful in protecting the confidentiality and reliability of medical, financial and other information held on their computer systems.
Failure to comply can lead to civil and criminal penalties, lawsuits and related litigation costs, and damage to reputations. While some of the earlier laws focused on financial and healthcare companies, two of the most recent laws--the 2002 Sarbanes-Oxley Act and the California Data Protection Law (SB 1386)--broadened the range of companies that need to comply. The Gramm-Leach-Bliley Act (GLB), known as the Financial Services Modernization Act, sets privacy standards for financial institutions and for financial activities. The Health Insurance Portability and Accountability Act (HIPAA) holds businesses accountable for protecting patient health information in an industry that handles extremely sensitive information about individuals, information that is increasingly transmitted over the Internet, stored in digital format and open to security breaches.

Managing Information Risk

Instead of only analyzing how a cyberattack would affect individual business units, companies must consider how a security breach would affect the entire enterprise. Thus, managing IT risk must be integrated with the company's overall risk management strategy. Technology infrastructure--including servers, network monitors and firewalls--needs to be assessed and managed in terms of its relation to people, operations, supply chains and other business drivers. Some of the steps involved in IT risk management include paying attention to human factors, putting proper security policies in place, identifying critical assets, and fostering better communication and an enterprise-wide perspective among IT managers and risk managers.

Building networks and databases and bringing applications online has had the focus of IT and the financial support of the firm. Security and risk management across all functions of the enterprise is often secondary or an afterthought. Bringing together IT, risk management, internal audit, legal and human resources
(HR) departments to address information management issues can bring consensus on the identification of threats, the areas of operation (ranked in order of most critical and sensitive) that could be affected by a threat, the potential financial or reputational loss, and the most cost-effective way to reduce the risk.

Elevate Security, Starting at the Top

Financial executives need to understand the importance of security. The value of a brand and reputation are critical corporate factors to be considered, but shareholder lawsuits arising out of a cyber crime-generated financial loss could also adversely impact a corporate director's or officer's own personal property. Awareness starts at the top, but there is a role for all in the organization.

Financial and risk management executives and IT may not see eye-to-eye. IT may perceive the risk manager as a deterrent to bringing an application forward and on time. Risk managers recognize the growing risk and the need to establish prevention strategies, such as minimum standards for IT. The standards not only provide guidelines along the road to development, but also establish tools for internal audit and potentially a defense for the legal department. Minimum standards guidelines can hold individuals accountable for security across all functions.

HR also plays a major role in protecting against cyber crime. Employees are the number one risk for shutting down a system or for gaining access to and distributing critical corporate data. Employment policies, and how they are conveyed to employees, could prevent a theft or unauthorized access to data. Legal needs to review content with respect to intellectual property issues and address the company's privacy statement. Legal should also review indemnification agreements with the service providers (ASPs, ISPs), and IT should perform due diligence on the service providers' security protocol; firms should encrypt as much personal information as possible.

An Information Risk Assessment

A financial officer should work with a risk assessment firm and key internal personnel (legal, IT, information security, internal audit, risk management, HR), utilizing a security framework like ISO 17799, for the following:

System Characterization -- Assess and identify the resources and information that constitute the system. Identify the critical business systems with key management, IT personnel and users. Automated tools could assist with mapping networked assets and identifying the boundaries of the IT system.

Threat Identification -- Conduct onsite interviews and small work-group sessions with key management team members, technology administrators and system users to uncover potential threat agents that may impact the confidentiality, integrity and availability of the information. Leverage resources provided by industry and federal agencies to determine the risk from natural, human, environmental and technical threats.

Vulnerability Identification -- Conduct a technical assessment to detect vulnerabilities and to check how effectively the controls are preventing unauthorized access due to those vulnerabilities.

Control Analysis -- Assess countermeasures currently implemented to manage the security of information in the organization. Using ISO 17799 security controls, review and assess security policies, system documentation, security architecture, third-party service provider contracts, interfaces/access controls for vendors and the capabilities of the company's information security function. Current IT controls regarding items such as change-management procedures, currency of software, and plans for hardware maintenance and the physical environment should also be reviewed.

Insurance Gap Analysis -- Assess current insurance policies in terms of coverage for financial loss arising out of unauthorized access to or use of confidential information, damage to third-party software or data, as well as damage to the business network or data. Risk managers or related responsible parties need to review the organization's property and casualty insurance policies. Traditional insurance does not cover, or provides only limited coverage for, unauthorized access or use and the release of confidential information, extortion and other risks posed by identity theft. Some insurers now offer endorsements to cover identity theft, while others have introduced cyber-risk insurance policies to protect corporations financially from the increased risk of identity theft.

The assessment can not only help identify the critical areas to be addressed, but ultimately can be used to recommend best practices to remediate the risk. Given the cyber realities, every organization is seeking answers. Creating a more secure environment can help produce and maintain consumer confidence and deter financial loss, which could, in turn, provide an organization a competitive edge.
RELATED ARTICLE: Take-aways
* Identity theft is considered by the Federal Trade Commission the fastest-growing crime in the U.S., having affected more than 27 million Americans by April 2003.
* Identity theft cost businesses more than $48 billion in 2002, and its victims have spent nearly $5 billion in out-of-pocket expenses to correct their financial histories.
* Consider how a security breach would affect the entire enterprise, and integrate IT risk with a company's overall risk management strategy.
* A risk assessment can serve to identify critical areas to be addressed and recommend best practices to remediate risk.

Peter C. Foster is Senior Vice President of Marsh Inc., a division of Marsh & McLennan Cos. Inc. He can be reached at Peter.C.Foster@marsh.com.