How Safe Are Your IT Systems?

One in five businesses suffer break-ins, breakdowns, or rip-offs

By Rick Telberg
Special for HP
September 2005

Businesses’ information technology systems are more vulnerable to crippling security break-ins from the Internet than many business owners or even IT professionals would suspect. Twenty percent of commercial and nonprofit enterprises have suffered some kind of system failure caused by attacks from outsiders on the Internet, and more than half of those attacked expect to be victimized again, according to fresh data from Quocirca Ltd., United Kingdom-based international analysts of IT and communications systems.

It’s not just spyware, worms or viruses. The types of software agents causing devastating IT breakdowns are changing shapes and forms every day and are so malicious that a new term has been coined – “malware.” New malware is being created at such a fast and pervasive pace that traditional security models cannot possibly handle them all, Quocirca says in a chilling white paper on the vulnerabilities in Internet communications.

The costs in time lost to security breakdowns are killers. Thirty percent of both operations staff and executives and personnel and IT personnel interviewed for the white paper said they spend one full day per month dealing with security problems, and 18 percent spend at least a few hours on it every week. That does not factor in the time and revenue possibilities lost when malware wipes out someone’s hard drive.

What’s more, businesses that use the Internet cannot avoid malware. While e-mail is malware’s most popular form of transportation, it is easily embedded into any HTML coding, which makes it a threat on all Web sites. And you no longer have to open a questionable link to set off an attack. With advanced malware, just passing a cursor over the link can set off a system-crashing virus.

Malware threats are devastating, will increase and there’s no single, simple answer. Even giant multinationals with millions to invest in IT have been hit, such as Lexis-Nexis and Bank of America. It’s a new problem that requires a new answer that can and should be employed at big and small enterprises alike.

The answers involve things that almost any accountant can help their clients implement – after they first put them into place in their own firms.

You can start with these steps:

1. Security Policy – Define a policy that assesses existing and potential IT threats that the company faces, and sets the processes, standards and guidelines for responding to each threat.

2. Risk Management – In today’s economy, workers cannot avoid the Internet, so establish training programs on how to recognize and avoid malware traps.

3. Disaster Recovery Planning – Audit data backup and data recovery capabilities to ensure the ability to respond when the inevitable attack occurs.

4. Manage the Issue – Build security considerations into all departments’ policies. This can be as simple as requiring HR to inform the IT department when personnel leave the company.

5. Delegate – Assign security responsibility to an appropriately-placed person or group and make sure they have the tools to carry out the job.

The AICPA’s annual Top Ten Technologies list has for years identified IT security as a top issue. Now is the time for CPAs to act on it by helping their firms and their clients with this multistep process.

Bear in mind that risk management is the process’s most significant step because, Quocirca says, risk avoidance “would be too expensive and ultimately impossible to achieve.”