Last October, a Reuters reporter noticed that Swedish software company Intentia used nearly identical URLs, or Web-page addresses, when posting its first- and second-quarter financial results to the Web. Following the pattern, the reporter typed in the likely URL for the third quarter. Lo and behold, the results, which Intentia had not yet officially released, popped up on the screen. Within minutes, Reuters ran a story about the disappointing numbers.
The company promptly filed criminal hacking charges against Reuters. But in the end, it was only Intentia that was punished — censured by the Stockholm Stock Exchange for failing to protect its financial information by posting it to a publicly accessible site.
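The lesson of the Intentia episode is that a hard-to-guess address is not an access control: the server itself has to know when a report may be released. The following Python sketch, added here and not part of the original article, shows a handler that enforces the embargo server-side and only uses a random slug as a second layer; all report names, dates, figures and URL paths are constructed for illustration.

```python
"""Embargo enforcement for quarterly reports staged on a public web server.

A guessed or leaked URL yields the same 404 as a non-existent page until the
official release time, so publishing early by pattern-matching URLs (as in
the Intentia incident) is not possible. Everything here is constructed.
"""
from datetime import datetime, timezone
import secrets

# Constructed schedule: report id -> (embargo lifts at, UTC; report body)
REPORTS = {
    "q1": (datetime(2002, 4, 15, 7, 0, tzinfo=timezone.utc), "Q1: revenue up 4%"),
    "q2": (datetime(2002, 7, 15, 7, 0, tzinfo=timezone.utc), "Q2: revenue flat"),
    "q3": (datetime(2002, 10, 22, 7, 0, tzinfo=timezone.utc), "Q3: revenue down 9%"),
}

# Unguessable slug per report, generated when the report is staged. This is
# defence in depth only; the time check below is the authoritative control.
SLUGS = {rid: secrets.token_urlsafe(16) for rid in REPORTS}

PREFIX, SUFFIX = "/ir/reports/", ".html"


def publish_url(report_id):
    """The URL handed to the press-release process at release time, not before."""
    return f"{PREFIX}{report_id}-{SLUGS[report_id]}{SUFFIX}"


def serve(path, now_iso):
    """Return (status, body) for a GET of `path` at time `now_iso` (ISO 8601).

    Unknown report, wrong slug and not-yet-released report are deliberately
    indistinguishable (all 404), so a probe cannot confirm a report is staged.
    """
    now = datetime.fromisoformat(now_iso)
    if not (path.startswith(PREFIX) and path.endswith(SUFFIX)):
        return 404, ""
    report_id, _, slug = path[len(PREFIX):-len(SUFFIX)].partition("-")
    expected = SLUGS.get(report_id, "")
    if not expected or not secrets.compare_digest(slug.encode(), expected.encode()):
        return 404, ""
    lift_time, body = REPORTS[report_id]
    if now < lift_time:
        return 404, ""  # correct URL, but the embargo has not lifted yet
    return 200, body


if __name__ == "__main__":
    print(serve(publish_url("q3"), "2002-10-01T09:00:00+00:00"))  # (404, '')
    print(serve(publish_url("q3"), "2002-10-22T08:00:00+00:00"))  # (200, ...)
```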
Internet technologies can be a huge boon when it comes to quickly and widely disclosing information to investors and the public. But as Intentia's faux pas illustrates, these technologies — including the Web, E-mail, and instant messaging — can be as dangerous as they are useful. These days, all sorts of financial information can move casually, and at the speed of light, around an organization. It is just as easy for employees — innocently, accidentally, or maliciously — to send that information outside.
In fact, according to responses to the 2003 CSI/FBI Computer Crime and Security Survey, as many security incidents originate from inside the organization as from outside. Theft of proprietary information, which insiders typically know best how to find, costs companies far more than common external security problems such as viruses. While firewalls and other security devices may be able to keep hackers out, companies are increasingly challenged to keep financial information in. "CFOs who don't aggressively protect their companies' information pose a far greater threat to shareholder equity and the health of their companies than anything we saw at Enron, Tyco, or WorldCom," says Thomas J. Parenty, author of Digital Defense: What You Should Know About Protecting Your Company's Assets, released this month by Harvard Business School Press.
I've Got Your Mail
Government regulation is only exacerbating the security problem. Both Reg FD and the relatively new Reg G, which restricts the release of non-GAAP financial measurements, make financial data leaks a potentially serious compliance problem for U.S. companies.
Then there is Section 404 of the Sarbanes-Oxley Act of 2002, which, according to the Securities and Exchange Commission's proposed final rule, requires CFOs to attest that their companies' internal financial controls "provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the registrant's assets." Section 404 is an "IT regulation by inference," says Marne Gordon, director of regulatory affairs for Herndon, Virginia-based security intelligence and services provider TruSecure Corp. "It doesn't say specifically what companies need to do with those systems, but it is telling them to protect those systems [responsible for internal controls]."
The biggest threat to data in those systems may be E-mail and attachments. "The sensitive stuff is all there in E-mail, and it can go anywhere," says Greg Olson, chairman and co-founder of Emery, California-based Sendmail Inc., whose offerings include E-mail-monitoring software. "Companies may be protecting data [from outsiders] with network controls like firewalls," agrees Jim Schoonmaker, CEO of Lexington, Massachusetts-based Liquid Machines Inc., but employees can E-mail data outside the network, print it, or carry it out on laptops, disks, or PDAs.
The technologies to cope with this challenge are still being developed. Liquid Machines's technology, for example, allows a sensitive file to move freely, but encrypted and accompanied by a sort of electronic security guard that allows users to open it only if authorized to do so by that particular document's security policy. The policy also controls whether the file can be printed, altered, and so on, and any such activity is monitored by Liquid Machines software installed on all authorized computers. If the file is copied or mailed, the security guard is also duplicated. Files sent to computers outside the company — an employee's home computer, for example — will open only if Liquid Machines software is installed there as well. Schoonmaker says the software is now in beta trials at six companies — including investment banks anxious to step up compliance with NASD 2711, the regulation prohibiting communication between analysts and investment bankers.
While more-mature technologies available for monitoring E-mail and other Internet transmissions don't offer the same level of control, they at least raise red flags. Sendmail monitors a company's official E-mail system — a good solution for detecting inadvertent transmissions of sensitive data — but employees can bypass it if they use personal Web-based E-mail accounts such as Yahoo or AOL.
A more omniscient offering is View, from Englewood, Colorado-based Vericept Corp. This software scrutinizes all of the raw data passing through a company's firewall to the Internet outside, including company E-mail, messages (and attachments) sent via personal E-mail accounts, postings to message boards on the Web, instant messages, and even peer-to-peer music-sharing applications.