Computer systems on the brink of destruction.

Today, organizations routinely use computers to place and receive orders, operate manufacturing equipment, process mail, keep accounting records and issue payroll checks. This increasing dependency on computers means that the risk manager must focus more attention on the security and integrity of his firm's computer system. In addition, as the function of risk management becomes more dependent on computers, the same issues must be considered by the risk management department.

The indirect losses which result from the destruction of computer data can greatly exceed the cost of replacing the equipment or the data. Even the most sophisticated loss control program may suffer a loss of data or damage to computer equipment as a result of fire, flood, earthquake or lightning. While losses incurred as a result of these perils are insurable, most policies only cover the direct loss to equipment and replace the lost data. If a company loses the records for $1 million in accounts receivable, it could potentially lose $1 million of income if it is unable to collect on those accounts. Should the risk manager be unable to substantiate the information entered into a risk management information system due to lost data, there is a possibility of another indirect loss.

With the invention and widespread use of the microchip came a new breed of computers which were much less susceptible to water damage than their vacuum-tube predecessors. Microchip technology paved the way for water systems replacing the more expensive Halon systems as an acceptable and cost-effective method of fire suppression. Now, if an electrical source is disconnected and the equipment is quickly dried out, water damage can be kept to a minimum and may not even affect the system.

Possible damage caused by lightning is often thought to be an unnecessary concern due to the use of surge protectors. Unfortunately, even the best surge protectors do not completely protect a computer system from lightning damage. Simply turning the system off during an electrical storm is the best method for preventing damage.

Damage to the computer system from technical or mechanical failure is a primary concern of the risk manager. Possible causes for such damage include explosions, contamination of data, or an internal failure of existing hardware. Large amounts of data can easily be lost due to a power surge, magnetic interference or excessive heat. At 150°F, malfunctions in tape parts can cause severe damage to stored data, and at 300°F, parts can be damaged and all data can be lost. If the data has not been backed up and placed in a secure location, it is possible to lose most, if not all, stored data. If the power supply is interrupted while the system is in use, all data which has been entered but not saved can be lost.

Power supply interruptions and failures can also cause severe indirect losses. Every minute a computer is down could cause a company to lose money, customers and credibility, not to mention the cost of paying employees for the time the system is down.

One of the largest areas of concern is the exposure arising from human error, which is sometimes intentional. According to FBI estimates, the average individual computer crime yields the perpetrator $600,000 compared to the average bank robbery which nets approximately $3,000.

Computer Viruses

Computer viruses are complicated programs which can be written to achieve a variety of results. Some viruses merely yield innocent joke messages while others are extremely destructive and have the ability to wipe out all stored data. Often, viruses are used to cover illegal acts such as theft or embezzlement.

Viruses can be designed so that they attach themselves to any diskette used in a computer system. Back-up copies of the disk may then also contain the virus. In addition, viruses may be transmitted from one disk to another, as well as through the use of modems.

Viruses can be hidden in malicious programs called "trojan horses" which take effect as soon as the program is booted up. Upon running a trojan horse, the user may find that the computer's hard drive has been completely erased. In contrast with the trojan horse, most viruses lie dormant for extended periods of time before running amok. Viruses can be set to "go off" on certain dates, such as holidays or dates which are significant to a particular company. For example, a virus may be written so it erases the entire hard drive once the hard drive is half full. Consequently, if someone takes a number of months to fill his hard drive to 50 percent capacity, the virus will lie dormant until that condition is met. Conversely, someone who never stores data on a hard drive will never experience the effects of this particular virus.


Computer hackers are often teenagers who illegally access computer systems as a way of proving their ability. While most hackers break into systems just for the thrill of doing it, many others infiltrate systems in search of money or merchandise.

Eavesdropping and wiretapping are also becoming popular illegal activities for computer criminals. It is easy for an experienced and determined individual to tap into a telephone line used to transmit data between two corporate computers. The increased use of telephone-linked computer systems and networks makes this type of activity more popular, possible and lucrative than ever before.

Safeguards and Loss Control

There are many techniques a risk manager can use to protect the integrity of his company's computer system as well as its electronic data system. Not every method is suitable for every firm, and many are cost-prohibitive to most small to medium-size companies. Risk managers should consider the possible effects that computer damage, destruction and crime can have on the company and conduct a cost-benefit analysis. The degree to which a company depends on computers in its daily activities should also be considered when determining what measures are necessary to ensure the security of the system.

Regarding software protection, firms and risk management departments of all sizes should back up all programs and data. The brief amount of time it takes to back up data can insure a company against the total loss of data from the hard drive. Two back-up copies of data should always be kept, with one copy stored on the premises in a fire- and burglar-proof safe. A safe that adequately protects valuable papers from fire may not be sufficient to protect sensitive diskettes or magnetic tapes from fire and heat. The other set of data should be stored off-premises. For many companies, a bank safe deposit box is adequate for this type of storage. However, there are a number of service firms which specialize in the maintenance, storage and protection of back-up data copies. Some firms even guarantee a complete restoration of a company's computer system within a matter of hours.

Copies of data stored off-premises should be updated as often as necessary. For some companies, this could be every day; for others, updates could take place on a weekly or monthly basis. Risk managers must keep in mind that if the company's computer system is destroyed, the only source of data available is the copy kept off-premises. The less often this copy is updated, the more data the company stands to lose in the event of a disaster and the more difficult it is to completely restore.

Back-up procedures should not be limited to a company's data. Whenever possible, back-up copies of any commercial software packages used in the company's daily operations should also be stored off-premises. Commercial software packages can cost anywhere from a few hundred dollars to over $20,000, so it is important to carefully investigate the copy protection and license agreements of software before it is purchased.

If a company's computer facility is located in a centralized area, the location and design of the facility should be the first consideration in protecting against losses. Computer facilities should be located far from sources of radiation and heat, and be inaccessible to visitors and customers.

Computer facilities should also be constructed to resist fire and smoke penetration. To determine whether this is a justifiable expense, the cost of the computer system and the value of the data and records stored in the facility should be weighed against the cost of building a protective facility.

No matter how fire resistant the facility may be, the computer system will always be susceptible to damage from a fire originating inside the facility. Thus, the use of a fire detection/suppression system is highly recommended. Since water will not seriously damage most computers, using a water suppression system is safe and cost-effective. However, one drawback of a water system is that it cannot quickly penetrate the housing of an individual terminal or mainframe. If a fire originated inside a computer or mainframe, the chance of complete destruction of the computer and all stored data is greatly increased.

A Halon gas or carbon dioxide gas suppression system can penetrate the housing of a mainframe or individual computer and extinguish internal fires much more quickly than water. Unfortunately, the cost of a gas system is considerably higher than that of a water system. Also, in case of a small, contained fire, a portable gas extinguisher can serve very well, if the fire is discovered quickly.

Static pads can protect computers from static or magnetic interference. As mentioned earlier, surge protectors are a necessity, not only to protect against power surges, but also to avoid wear and tear on the equipment's toggle switches. Connecting the computers and printers to surge protectors and turning on all the equipment from the surge protector's main switch will greatly reduce the cost of replacing a worn switch on a computer.

To protect hardware from theft or damage from being moved excessively or carelessly, there are a variety of locks to secure the equipment to a desktop. There are also various programs designed to secure the heads of the hard drive when the computer is shut down. Custodial employees, workmen and other employees with access to computer equipment must be cautioned not to move any equipment without prior authorization. Companies may also implement a standard policy requiring employees to secure the hard drive heads at the close of each workday, thus reducing the risk of losing data after hours.

In addition to being able to back up software, it is possible to back up hardware as well. By using multiple computer facilities, should hardware in one facility become damaged or rendered inoperative, the hardware in the second facility can function in its place. Companies can also contract with each other to serve as mutual back-up facilities so that if one of the companies' systems is destroyed or inoperative, it will be able to use the hardware from the other company until its system is back on line. Many companies also have agreements with their computer vendors to provide immediate replacements if their equipment becomes damaged. The smaller the piece of hardware, the shorter the replacement time.


There is a variety of operating standards and hardware equipment available to protect against the threat of both internal and external security problems. Although it is unlikely that any firm has addressed all the following standards, they should be aware of their existence.

Many keyboards are equipped with access locks and employees using computer terminals should be instructed to habitually use these locks. Careful records should be kept regarding the issuance of keys and all keys should be stamped "do not duplicate" to avoid copies being made. Employees should also be required to turn in all keys to their supervisor upon transfer to another department or termination.

The threat of computer viruses is so prevalent that many software manufacturers have developed diagnostic and "vaccination" programs to identify and/or remove any viruses present in the system. Unfortunately, no diagnostic or vaccination program is completely foolproof. Some diagnostic programs only identify specific viruses, while others simply look for general symptoms of viruses. It is possible for a valid program or file to in some way resemble a virus. If a vaccination program mistakes a valid program for a virus, it will erase the entire program. When investing in a diagnostic or vaccination program, it is important to understand its exact capabilities and limitations and to know what dangers, if any, are associated with its use.

Viruses can also be hidden in "pirated" copies of software, so it is important to use only commercial copies which will be free of contamination. Although software should be purchased directly from the manufacturer, the original copy should never be used for daily work. Copies should be made for daily use and the original software stored in a safe location, off-premises.

When using a hard disk computer system, employees must be instructed not to turn on the power when there is a floppy disk in the disk drive. If someone left a trojan horse in the disk drive, then simply turning on the computer will cause a complete loss of data on the hard disk drive. When using floppy disks, always use the write-protect tabs whenever possible. These tabs are a simple way to prevent viruses from attaching themselves to valuable diskettes. Also, employees should be instructed not to copy any type of program or software onto the hard disk. This task should be left to the supervisor who can first check the software for viruses and trojan horses.

Internal and External Crime

The first step in controlling internal computer crime is through instituting standard procedures for authorizing and implementing any program changes. Computer programmers must never be allowed to operate computer systems and employees should only have access to data and records necessary to perform their specific jobs. Employees should also be prohibited from leaving their computers unattended while they log on to the mainframe or file server. If a particular department uses its company's mainframe or network file server, programs should be designed so that terminal operators have "read only" capabilities, which means that they cannot write anything onto or alter any programs stored in the central computer.

To protect against hackers and other external intruders, modems should be turned off at night and passwords and account numbers should be changed frequently, especially if someone from the department is fired or leaves the company for any reason.

There are many highly sophisticated alternatives on the market that prevent access to mainframes. A type of hardware, called encryption devices, scrambles data so it cannot be understood if a phone line is illegally tapped. There are also "dial-back" systems which can verify that an incoming call to the computer system is from an authorized phone number.

Other security alternatives include software packages that record all attempts to log on to the computer. There are some software packages which require anyone attempting to log on to the system to wait a few seconds between attempts to enter a password, and others that require the person to hang up after three unsuccessful attempts to log on. The latter package prevents a person from allowing the computer to generate random numbers or words in an effort to guess the proper access code.
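The three log-on controls described above (recording every attempt, enforcing a wait between attempts, and dropping the line after three failures) can be sketched in a few lines. This is an added example, not code from the article or from any product it mentions; the class and function names, the 3-second wait and the 30-second redial time are assumptions, and the attempt sequence is constructed.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

MIN_DELAY_S = 3.0   # assumed value for "a few seconds" between attempts
MAX_FAILURES = 3    # "three unsuccessful attempts" from the article

@dataclass
class LoginGate:
    """State for one dial-in connection (hypothetical class, not a real product)."""
    password: str                      # clear text only to keep the example short
    failures: int = 0
    last_attempt: Optional[float] = None
    line_dropped: bool = False
    audit_log: list = field(default_factory=list)

    def attempt(self, user: str, guess: str, now: float) -> str:
        if self.line_dropped:
            outcome = "refused: line dropped"
        elif self.last_attempt is not None and now - self.last_attempt < MIN_DELAY_S:
            outcome = "refused: too soon"          # guess is not even checked
        else:
            self.last_attempt = now
            if hmac.compare_digest(guess.encode(), self.password.encode()):
                self.failures, outcome = 0, "accepted"
            else:
                self.failures += 1
                self.line_dropped = self.failures >= MAX_FAILURES
                outcome = "failed: hang up" if self.line_dropped else "failed"
        self.audit_log.append((now, user, outcome))  # every attempt is recorded
        return outcome

def max_guesses_per_hour(redial_s: float) -> float:
    """Upper bound on guesses when each call allows MAX_FAILURES tries."""
    call_s = (MAX_FAILURES - 1) * MIN_DELAY_S + redial_s
    return MAX_FAILURES * 3600 / call_s

def run_demo() -> list:
    gate = LoginGate(password="constructed-secret")
    tries = [(0, "aaaa"), (1, "bbbb"), (4, "cccc"), (8, "dddd"),
             (12, "constructed-secret")]           # constructed sample input
    return [gate.attempt("guest", g, t) for t, g in tries]

if __name__ == "__main__":
    print(run_demo())
    print(max_guesses_per_hour(redial_s=30.0))
```

Under these assumed timings an automated guesser is held to a few hundred tries per hour, and the audit log shows every one of them, including the correct password arriving after the line was already dropped.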

Since most companies refuse to report acts of computer crime for fear of adverse publicity, there is no way to accurately estimate the amount of money businesses lose each year as a result of these crimes. Although the legal system is working on appropriate statutes to deter and punish computer criminals, their efforts are useless if companies do not make an effort to bring the perpetrators to justice. Companies themselves, including their risk managers, must take positive steps to quash such criminal activities. Left undeterred, criminals will continue to thrive on the vulnerability of corporate computer systems regardless of the preventive measures taken.
COPYRIGHT 1989 Risk Management Society Publishing, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Author: Leverett, E.J., Jr.; Powell, Brenda F.
Publication: Risk Management
Date: Nov 1, 1989