Managing e-business risk to mitigate loss: along with the speed and convenience of e-business come new risks, such as identity theft and cyberextortion. Technology has increased the amount of confidential information at risk, and can exacerbate financial and reputational loss.
Welcome to the reality of e-business--which, while convenient, poses such threats as identity theft, cyberextortion and more. Businesses need to be aware of a host of these new cyber threats and how to mitigate the repercussions of such events.
For starters, businesses should understand the financial and reputational risks that may be associated with the disclosure of a security/privacy breach and take the necessary steps to mitigate the risk and potential loss. Key issues to consider in light of an actual or potential security breach of confidential information include:
* Will consumers form a class-action suit?
* Will banks and credit card companies demand that companies pay them millions of dollars, because banks incur such costs when they reissue credit cards to consumers?
* Will directors and officers be sued by stakeholders alleging that lax internal controls over IT processes led to a fraud and caused millions of dollars in direct losses, brand damage and a drop in the stock price?
* Will a company's network and IT infrastructure be able to recover quickly and provide functions that will support the business applications and customers?
* Will an extortionist threaten to post the confidential information on the Internet for all to see unless paid tens of thousands of dollars?
* Will a company be able to restore consumer confidence?
In March 2004, a major retailer alerted its 8 million customers that "a small fraction" of them (it couldn't pinpoint which ones) may have had their credit card information stolen. The company released little detail on how the information was stolen, but admitted the cost was significant--as much as $16 million. The U.S. Secret Service has since said the case may be tied to an international identity-theft ring. More than a dozen banks filed claims against the retailer, seeking restitution for fraudulent purchases made with its customers' cards and for the costs associated with reissuing hundreds of thousands of credit cards.
The Federal Trade Commission (FTC) considers identity theft the fastest-growing crime in the U.S., estimating it affected more than 27 million Americans between April 1998 and April 2003; nearly 10 million individuals were affected in 2003 alone. The FTC reports that in 2002 businesses absorbed more than $48 billion in losses and victims spent nearly $5 billion in out-of-pocket expenses to correct their financial histories.
Although there is no clear breakdown as to how much identity theft involves computer break-ins as opposed to "traditional" thievery, there is no doubt that technology has increased the amount of confidential information at risk. Two of the newest tools of identity thieves are "phishing" and "spyware."
Phishing is one way fraudsters obtain the information needed to commit identity fraud. In this email-based fraud, perpetrators pretend to be a trusted bank, retailer or other organization and lure victims into providing identifying information, such as a Social Security number, home phone number, passwords and other account information. Research firm TowerGroup estimates last year's worldwide fraud losses from phishing to be $137 million. Although phishers have tended to target large corporations, smaller firms ultimately may be targeted as phishing "tool kits" gain wider distribution over the Internet.
Another villain, "adware" or "spyware," in its most benign form tracks the sites a user visits on the Web and reports back to advertisers, who use the knowledge of an individual's Web-surfing habits to target them with specific pop-up ads, which, while annoying, are generally harmless. The significant problems with spyware stem from the ease with which it allows criminals to gather sensitive information. Spyware can add other costs to a business--such as time spent rooting it out and lost productivity. Microsoft estimates that about half of all computer crashes are caused by spyware.
Another growing e-menace is cyberextortion. In a 2004 survey of small and mid-size companies by Carnegie Mellon University, 17 percent reported having been threatened by cyberextortionists. The study also indicates that small companies--viewed as more likely to pay up--are more likely to be targeted by extortionists. Threats being used against the companies include theft or destruction of customer data or intellectual property, launch of a denial-of-service attack and Website defacement.
Regulatory & Legislative Issues
Management of information risk is increasingly tied to regulatory mandates. Over the past 10 years, laws enacted at the federal and state levels have forced companies to be even more careful in protecting the confidentiality and reliability of medical, financial and other information held on their computer systems. Failure to comply can lead to civil and criminal penalties, lawsuits and related litigation costs and damage to reputations.
While some of the earlier laws focused on financial and healthcare companies, two of the most recent laws--the 2002 Sarbanes-Oxley Act and the California Data Protection Law (SB 1386)--broadened the range of companies that need to comply.
The Gramm-Leach-Bliley Act (GLB), known as the Financial Services Modernization Act, sets privacy standards for financial institutions and for financial activities. The Health Insurance Portability and Accountability Act (HIPAA) holds businesses accountable for protecting patient health information in an industry that handles extremely sensitive information about individuals, information that is increasingly transmitted over the Internet, stored in digital format and open to security breaches.
Managing Information Risk
Instead of only analyzing how a cyberattack would affect individual business units, companies must consider how a security breach would affect the entire enterprise. Thus, managing IT risk must be integrated with the company's overall risk management strategy.
Technology infrastructure--including servers, network monitors and firewalls--needs to be assessed and managed in terms of its relation to people, operations, supply chains and other business drivers. Some of the steps involved in IT risk management include paying attention to human factors, putting proper security policies in place, identifying critical assets and fostering better communication and an enterprise-wide perspective among IT managers and risk managers. Building networks and databases and bringing applications online has had the focus of IT and the financial support of the firm. Security and risk management across all functions of the enterprise is often secondary or an afterthought.
Bringing together IT, risk management, internal audit, legal and human resources (HR) departments to address information management issues can bring consensus to the identification of threats, the areas of operation (ranked in order of most critical and sensitive) that could be affected by a threat, potential financial or reputational loss, and the most cost-effective way to reduce the risk.
Elevate Security, Starting at the Top
Financial executives need to understand the importance of security. The value of a brand and reputation is a critical corporate factor to be considered, but shareholder lawsuits arising out of a cyber crime-generated financial loss could also adversely impact a corporate director's or officer's own personal property. Awareness starts at the top, but there is a role for everyone in the organization.
Financial and risk management executives and IT may not see eye-to-eye. IT may perceive the risk manager as a deterrent in bringing an application forward and on time. Risk managers recognize the growing risk and the need to establish prevention strategies, such as minimum standards for IT. The standards not only provide guidelines along the road to development, but also establish tools for internal audit and potentially a defense for the legal department. Minimum standards guidelines can hold individuals accountable for security across all functions.
HR also plays a major role in protecting against cyber crime. Employees are the number one risk for shutting down a system or for gaining access to and distributing critical corporate data. Employment policies, and how they are conveyed to employees, could prevent a theft or unauthorized access to data.
Legal needs to review content with respect to intellectual property issues and address the company's privacy statement. Legal should also review indemnification agreements with the service providers (ASPs, ISPs) and IT should perform due diligence on the service providers' security protocol; firms should encrypt as much personal information as possible.
An Information Risk Assessment
A financial officer should work with a risk assessment firm and key internal personnel (legal, IT, information security, internal audit, risk management, HR) utilizing a security framework like ISO 17799 for the following:
System Characterization -- Assess and identify the resources and information that constitute the system. Identify the critical business systems with key management, IT personnel and users. Automated tools could assist with mapping networked assets and identifying the boundaries of the IT system.
Threat Identification -- Conduct onsite interviews and small work-group sessions with key management team members, technology administrators and system users to uncover potential threat agents that may impact the confidentiality, integrity and availability of the information. Leverage resources provided by industry and federal agencies to determine the risk from natural, human, environmental and technical threats.
Vulnerability Identification -- Conduct a technical assessment to detect vulnerabilities and to check how effective the controls are at preventing unauthorized access through those vulnerabilities.
Control Analysis -- Assess countermeasures currently implemented to manage the security of information in the organization. Using ISO 17799 security controls, review and assess security policies, system documentation, security architecture, third-party service provider contracts, interfaces/access controls for vendors and the capabilities of the company's information security. Current IT controls regarding items such as change-management procedures, currency of software and plans for hardware maintenance and physical environment should also be reviewed.
Insurance Gap Analysis -- Assess current insurance policies in terms of coverage for financial loss arising out of unauthorized access or use of confidential information, damage to third-party software or data as well as damage to the business network or data.
Risk managers or other responsible parties need to review the organization's property and casualty insurance policies. Traditional insurance provides no or only limited coverage for unauthorized access or use and the release of confidential information, extortion and other risks posed by identity theft. Some insurers now offer endorsements to cover identity theft, while others have introduced cyber-risk insurance policies to protect corporations financially from the increased risk of identity theft.
The assessment can not only help identify the critical areas to be addressed, but ultimately can be used to recommend best practices to remediate the risk.
Given the cyber realities, every organization is seeking answers. Creating a more secure environment can help produce and maintain consumer confidence and deter financial loss, which could, in turn, provide an organization a competitive edge.
RELATED ARTICLE: Takeaways
* Identity theft is considered by the Federal Trade Commission the fastest-growing crime in the U.S., having affected more than 27 million Americans by April 2003.
* Identity theft cost business more than $48 billion in 2002, and its victims have spent nearly $5 billion in out-of-pocket expenses to correct their financial histories.
* Consider how a security breach would affect the entire enterprise, and integrate risk with a company's overall risk management strategy.
* A risk assessment can serve to identify critical areas to be addressed and recommend best practices to remediate risk.
Peter C. Foster is Senior Vice President of Marsh Inc., a division of Marsh & McLennan Cos. Inc. He can be reached at Peter.C.Foster@marsh.com.
Title annotation: risk management
Author: Foster, Peter C.
Date: Jun 1, 2005