
So You Thought You Were Protected and In Control!

Utilizing a few more ounces of prevention

(Robert J. Stuckey and Kenneth Carlton Cooper, St. Louis Small Business Monthly, January 2003, Vol. 15, Issue XII, pg. 15.)


Firewalls, routers, passwords, anti-virus software, etc. … Protecting your information technology (IT) assets and processes is both time consuming and expensive. This raises several questions:

    1. How do I know if I’m protected?
    2. Will this IT spending requirement ever end?

First, getting the best possible protection from and for your IT investment requires discipline not only in your own and your employees’ efforts, but also in your interfaces with vendors, suppliers, and customers. Having control over how your technology resources are utilized is not just your IT manager’s responsibility; it is the responsibility of every employee and associate who utilizes your systems.

Second, once you depend on IT to operate any part of your business, you have now incurred a new fixed cost that requires continuous effort, planning, and expense. The emphasis here is on continuous.

This article provides you with a guide to selecting the right business controls for your data processing investment by highlighting IT business exposures that you may or may not have thought of. You’ll notice that "business controls," not internal controls or financial controls, is the term used. Five questions to ponder from the business controls perspective are:

    1. Just what should I protect?
    2. How many layers of protection are needed?
    3. What resources are needed for protection?
    4. What is the frequency(ies) of protection?
    5. Do I need protection redundancies?

Exposures to the “normal” elements of the technology function are always a challenge. IT obsolescence, changing employee skill sets, and equipment reliability are all valid concerns that can affect the success of your company. Layer in those “intentional” detriments like viruses, hackers, etc., and now we are talking about a total business exposure independent of items you may think you have under control.

Just what should I protect?

In addition to devices that physically protect hardware, such as surge suppressors and network equipment placed in secure rooms or closets, software needs its share of protection with anti-virus products. For example, one local IT small business consulting firm received 70 panicked customer phone calls in its first hour of business the day the Michelangelo virus became active. By then it was already too late for those 70 businesses.

Data is also at risk from everyday operations. Protecting the integrity of the data, and the rules for its associated CRUD rights (create, read, update, delete), need to be evaluated and revised as conditions dictate. Employee turnover can unnecessarily expose data to either unintentional or malicious corruption. In one example, before a fired employee left the premises, he corrupted critical data that the business then spent hundreds of thousands of dollars to reconstruct. A preventive procedure is to cancel access immediately for any employee being terminated. (Note: Any anticipated change in the composition of the workforce should raise a red flag for a potential disruption in stored data.)

How many layers of protection are needed?

Initially, a logon password to the computer was adequate. The next step was to require a personal password for access to the software on the equipment. With the advent of networks, regardless of size, a network password became necessary. With the proliferation of the number of systems on the network, and the sensitivity of the information on these systems, an individual system or application password has become necessary.

In businesses with a few employees, it is not uncommon to disable the password requirements. This puts data at risk. The levels of access control must match the criticality (i.e., proprietary nature or sensitivity) of the data and the availability of the computers. This often requires layers of security. For example, on any computer that has portability, like a laptop, multi-layer passwords should be implemented. While many people think that computers are frequently stolen from office buildings, theft of a laptop in an airport or train terminal is a more likely prospect. Similarly, any computer available to the public, such as in a library, needs to have multiple layers of passwords.

A word of caution … The “smallness” of a business can result in a false sense of security that multiple layers of protections are not needed. Small organizations are more at risk than large enterprises because of “all the eggs in one basket” and lax security and backup procedures. Do not be misled.

Resources needed for protection

There are ample choices for hardware and software protection. However, one of the most important resources that is overlooked or taken for granted is the human factor. How people use the hardware and software is your last line of defense. For example, as companies migrate toward the Internet (i.e., e-business) there is a host of exposures unique to that environment.

In addition to anti-virus software, having people educated about the scams on the Internet is critical. The “Nigerian funds transfer” scam is big business in Africa. The Internet is also full of advertisements and “good deals” that just require giving the company’s credit card number. People can easily get sucked into downloading malicious graphics or data files, and participating in chat rooms. Even if these are non-intrusive, at a minimum the hard drive gets overloaded with this electronic junk mail. This both slows down processing and requires additional storage space—especially if the hard drive is backed up frequently. The moral? Make certain your employees know how to utilize your IT investment in the most efficient, safe manner.

Frequency(ies) of protection

Depending on the type of business you are in, business control will depend on what you back up and, equally important, how often you back up your data. In a business with a high number of transactions per day, this may be hourly, twice a day, or daily. In a business with a low number of transactions, this may be every other day or even weekly.

Likewise, the environment (i.e., standalone, network, or Internet) your computer or computers operate in should also help determine frequency. A common complaint on frequency is … “This is just another thing I have to do along with a list of must-do’s which make money for my business.” Fortunately, there are a number of software packages that will do backups while you are doing something else, like lunch. A word of caution … Extending the frequency to fit your timetable for when it is convenient will eventually cost your business money. Schedule it, do it, and enjoy peace of mind knowing that this is one less thing to worry about.

Protection redundancies

Storing backups in a secure location is an inexpensive "insurance policy," both in protecting your critical and sensitive data and in avoiding the operational hassles of running your business. There are a number of portable mass storage media, such as tape, external hard drives, Zip disks, or CD-R discs, that can make this step easy to do on a frequent basis. The key here is making the backup process a part of the daily or weekly routine—just like opening the mail or paying the bills.

A word of caution … Having the capability to back up but doing it infrequently is almost like not having backup capability at all. A long interval between backups could cause delays in your operations because of the effort required to reconstruct the data. Likewise, religiously backing up your data but storing the backup medium (i.e., CDs, disks, etc.) next to the computer that was backed up lessens the value of having backup data, since it basically exists in the same physical environment. One church lost five years of data when a janitor stole not only the church’s PC, but also grabbed anything related to the PC that was on the table or in the desk, including the backup disks.

Next steps

Unfortunately, reviewing all the business exposures your information systems face is more than we can cover in detail. The good news is that instead of waiting for exposures to affect your business, you can take preventative, proactive measures by using specialists in business controls to minimize those exposures. While exposures might seem to be isolated by process, system, or task, the real message here is that exposures cross over processes, systems, and tasks. Just as your business processes are integrated, you require an integrated approach to managing and improving your business controls.


About the Authors …

Robert J. Stuckey is the managing partner of BizControls Solutions. He has lectured and consulted worldwide on business controls, and has over 25 years’ experience as a finance executive.

Kenneth Carlton Cooper is a partner in BizControls Solutions. He has consulted on organizational development and process improvement since 1976, and is the author of The Relational Enterprise (AMACOM 2002) and Effective Competency Modeling and Reporting (AMACOM 2000).

BizControls Solutions is a St. Louis, Missouri USA based consulting firm specializing in business controls assessment, consulting, implementation, and training.


All companies, brands, products, and services mentioned in this Briefing are the trade names or registered trademarks of their respective owners.

Information in this report was obtained from sources BizControl Solutions believes to be reliable.

BizControl Solutions disclaims any and all warranties as to the reliability, accuracy and adequacy of such information, and BizControl Solutions shall have no liability for the inclusion or exclusion of information. BizControl Solutions may, without notice, change expressed opinions. Use of this report to achieve desired results is the sole responsibility of the reader.


  © BizControl Solutions, 2002, 2003, 2004.
     16 Oak Park
     St. Peters (St. Louis), Missouri 63376
     U.S.A.
     (314) 706-2740