Print this article | Return to Article | Return to CFO.com
It's easier to keep hackers out of corporate computers than to keep data in.
Tim Reason, CFO Magazine
September 1, 2003
Last October, a Reuters reporter noticed that Swedish software company Intentia used nearly identical URLs, or Web-page addresses, when posting its first- and second-quarter financial results to the Web. Following the pattern, the reporter typed in the likely URL for the third quarter. Lo and behold, the results, which Intentia had not yet officially released, popped up on the screen. Within minutes, Reuters ran a story about the disappointing numbers.
The company promptly filed criminal hacking charges against Reuters. But in the end, it was only Intentia that was punished — censured by the Stockholm Stock Exchange for failing to protect its financial information by posting it to a publicly accessible site.
Internet technologies can be a huge boon when it comes to quickly and widely disclosing information to investors and the public. But as Intentia's faux pas illustrates, these technologies — including the Web, E-mail, and instant messaging — can be as dangerous as they are useful. These days, all sorts of financial information can move casually, and at the speed of light, around an organization. It is just as easy for employees — innocently, accidentally, or maliciously — to send that information outside.
In fact, according to responses to the 2003 CSI/FBI Computer Crime and Security Survey, as many security incidents originate from inside the organization as from outside. Theft of proprietary information, which insiders typically know best how to find, costs companies far more than common external security problems such as viruses. While firewalls and other security devices may be able to keep hackers out, companies are increasingly challenged to keep financial information in. "CFOs who don't aggressively protect their companies' information pose a far greater threat to shareholder equity and the health of their companies than anything we saw at Enron, Tyco, or WorldCom," says Thomas J. Parenty, author of Digital Defense: What You Should Know About Protecting Your Company's Assets, released this month by Harvard Business School Press.
I've Got Your Mail
Government regulation is only exacerbating the security problem. Both Reg FD and the relatively new Reg G, which restricts the release of non-GAAP financial measurements, make financial data leaks a potentially serious compliance problem for U.S. companies.
Then there is Section 404 of the Sarbanes-Oxley Act of 2002, which, according to the Securities and Exchange Commission's proposed final rule, requires CFOs to attest that their companies' internal financial controls "provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the registrant's assets." Section 404 is an "IT regulation by inference," says Marne Gordon, director of regulatory affairs for Herndon, Virginia-based security intelligence and services provider TruSecure Corp. "It doesn't say specifically what companies need to do with those systems, but it is telling them to protect those systems [responsible for internal controls]."
The biggest threat to data in those systems may be E-mail and attachments. "The sensitive stuff is all there in E-mail, and it can go anywhere," says Greg Olson, chairman and co-founder of Emery, California-based Sendmail Inc., whose offerings include E-mail-monitoring software. "Companies may be protecting data [from outsiders] with network controls like firewalls," agrees Jim Schoonmaker, CEO of Lexington, Massachusetts-based Liquid Machines Inc., but employees can E-mail data outside the network, print it, or carry it out on laptops, disks, or PDAs.
The technologies to cope with this challenge are still being developed. Liquid Machines's technology, for example, allows a sensitive file to move freely, but encrypted and accompanied by a sort of electronic security guard that allows users to open it only if authorized to do so by that particular document's security policy. The policy also controls whether the file can be printed, altered, and so on, and any such activity is monitored by Liquid Machines software installed on all authorized computers. If the file is copied or mailed, the security guard is also duplicated. Files sent to computers outside the company — an employee's home computer, for example — will open only if Liquid Machines software is installed there as well. Schoonmaker says the software is now in beta trials at six companies — including investment banks anxious to step up compliance with NASD 2711, the regulation prohibiting communication between analysts and investment bankers.
While more-mature technologies available for monitoring E-mail and other Internet transmissions don't offer the same level of control, they at least raise red flags. Sendmail monitors a company's official E-mail system — a good solution for detecting inadvertent transmissions of sensitive data — but employees can bypass it if they use personal Web-based E-mail accounts such as Yahoo or AOL.
A more omniscient offering is View, from Englewood, Colorado-based Vericept Corp. This software scrutinizes all of the raw data passing through a company's firewall to the Internet outside, including company E-mail, messages (and attachments) sent via personal E-mail accounts, postings to message boards on the Web, instant messages, and even peer-to-peer music-sharing applications.
Lawrence H. Midler, executive vice president and general counsel at Norwalk, Connecticut-based Micro Warehouse Inc., a $2 billion computer-products reseller with 1,500 U.S. employees, says the company recently installed Vericept's software as a replacement for Website-blocking software, which left no audit trail and was easily circumvented. Now, if a transmission falls into one of several categories defined by Midler, it is flagged and appears on a report screen. Among the categories, he says, is "resignations," which detects résumés or discussions about leaving the company.
"I don't necessarily tell tales on people who have looked at a job posting or have sent [out] their résumés," says Midler, "but I can take a closer look at their other activities." He is concerned that databases of customers and customer information "somehow don't leave the company."
Start with Little Brother
That level of scrutiny, of course, raises the contentious issue of employee privacy. U.S. law comes down strongly in favor of the right of companies to read anything sent over their computer systems (as opposed to, say, Germany, where the employers must get a signed waiver from their employees before viewing their E-mail — and typically compensate them for the privilege).
If companies discover data has been stolen and seek protection under the Computer Fraud and Abuse Act of 1984 or the Economic Espionage Act of 1996, they must be able to prove that they took reasonable steps to prevent the theft. "If you are not going to help yourself, you are not going to be able to get the FBI to help you," says former Assistant U.S. Attorney Nick Akerman, now a partner at New York's Dorsey & Whitney.
Does that mean every company should begin actively monitoring E-mail? Not necessarily. "Courts do not expect you to set up a Gestapo state," says Akerman. In fact, many security experts warn companies that overdosing on technology may not be the best approach.
"It's one thing to act like Big Brother; it's another to act like Big Brother and still not effectively protect yourself," says Parenty. He suggests CFOs start by simply writing down what financial information should be protected, then find out where it is stored and how many employees have legitimate access to it. The number, he says, is often startlingly high, but can be easily reduced using the existing access controls that come with most financial applications. "These are very simple things that can be done without any major capital expenditure," he says.
The simplest solution of all, says TruSecure chief technology officer Peter Tippett, is to have a well-defined data-protection policy that lets employees know what's expected of them. "You really have a hard time firing somebody if you don't have a policy," he observes. Likewise, companies should create a simple system for labeling data. "Probably only about 20 percent of companies do that—for about 20 percent of their data." To make sure such a system is actually used, Tippett suggests using just three categories: public, company-only, and company-sensitive. "If you put an ex-military person or a consultant from some secret organization in charge, you'll get into 27 different labels and create an abysmal mess," he warns.
What's the most effective security technology? Screen savers, says Tippett. Eighty percent of insider security breaches are "physical attacks," he explains: "Someone goes to lunch and an unauthorized user sits down at their workstation." Yet only 30 percent of firms use password-protected screen savers, he says. Want still more security? Don't wait for screen savers to come on, he says; teach employees how to turn them on when they stand up.
Most finance executives, of course, can barely keep up with their own E-mail, let alone monitor that of their employees. Rick Dobson, CFO of Kansas City, Missouri-based utility Aquila Inc., for example, says he can see the argument for E-mail monitoring at more-complex companies, but adds that E-mail leaks "won't hit the high end of [Aquila's] risk spectrum" — that is, 404-compliance issues that must be reported to the audit committee — because the straightforward business model of a utility makes a market-moving financial leak unlikely. Likewise, he says, manipulation of financial results is more likely to be discovered through periodic financial accounting reviews. "A utility can only generate so much growth margin."
Dobson is similarly sanguine about inappropriate use of Web or E-mail systems, emphasizing employee performance, not surveillance. "If people meet their goals, I am not going to worry about whether John Doe is looking at the fishing report for a lake in the region. It is not consuming a lot of resources."
Vendors of security software, not surprisingly, have a grimmer outlook. Sendmail's Olson admits that IT departments haven't been spending much on these types of technology in the past two years. "Nobody wants to do anything they don't absolutely have to. Companies that have paid attention to [security] are those that were forced to by regulations or got bitten by an embarrassing incident." But that attitude, he says, will change. "If nothing else," he notes, "it is only a matter of time until everybody gets bitten."
|Sources of Attacks|
Companies consistently have more to fear from their own employees than from external hackers.
Your Own Worst Enemy
No matter how hard they try, companies will never fully stop employees from leaking sensitive information onto the Web, where eager competitors wait for it.
Case in point: Monster.com, one of the richest sources of competitive data on the Web. The job-search site contains thousands of résumés from technology salespeople listing their accounts, sales quotas, territories, total sales, important wins, and other competitive details that are more than worth the effort required to collect them, says Sanjay Poonen, senior vice president of worldwide marketing for Redwood City, California-based Informatica Corp. "It's unstructured data," he says, "but we have a guy who has perfected the art and science of how to slice and dice Monster.com."
Of course, Informatica's own salespeople also post their résumés on the site. "We find them all the time," says Poonen. But, he says, there's not much point in taking action. "People have a right to look for a job," he says, "and we can't sue everyone on Monster.com."
Besides, salespeople aren't alone. Monster.com's technology makes the data accessible and relatively cheap to gather. But, says one security expert, corporate-intelligence firms are known to use headhunters to extract similar information from executives, who often are all too willing to describe their accomplishments in lavish — and high-level — detail. —Tim Reason