13.5 Protecting Computers and Information

Data Security Issues

Unauthorized access into a company’s computer systems can be expensive, and not just in monetary terms. Juniper Networks estimates that cybercrime will cost businesses more than $2 trillion in 2019, compared to just $450 million in 2001. The most costly categories of threats include worms, viruses, and Trojan horses (defined later in this section); computer theft; financial fraud; and unauthorized network access. The report also states that almost all U.S. businesses report at least one security issue, and almost 20 percent have experienced multiple security incidents.¹⁶

Computer crooks are becoming more sophisticated all the time, finding new ways to get into ultra-secure sites. “As companies and consumers continue to move towards a networked and information economy, more opportunity exists for cybercriminals to take advantage of vulnerabilities on networks and computers,” says Chris Christiansen, program vice president at technology research firm IDC.¹⁷ Whereas early cybercrooks were typically amateur hackers working alone, the new ones are more professional and often work in gangs to commit large-scale internet crimes for large financial rewards. The internet, where criminals can hide behind anonymous screen names, has increased the stakes and expanded the realm of opportunities to commit identity theft and similar crimes. Catching such cybercriminals is difficult, and fewer than 5 percent are caught.¹⁸

Exhibit 13.8 Data security is under constant attack. In 2017, cybercriminals penetrated Equifax, one of the largest credit bureaus in the nation, and stole the personal data of more than 145 million people. To date, it is considered one of the worst data breaches of all time because of the amount of sensitive data stolen, including consumers’ Social Security numbers. What impact do identity theft and other data-security issues have on global networking and e-commerce? (Credit: Blogtrepreneur/ flickr/ Attribution 2.0 Generic (CC BY 2.0))

Firms are taking steps to prevent these costly computer crimes and problems, which fall into several major categories:

• Unauthorized access and security breaches. Whether from internal or external sources, unauthorized access and security breaches are a top concern of IT managers. These can create havoc with a company’s systems and damage customer relationships. Unauthorized access also includes employees, who can copy confidential new-product information and provide it to competitors or use company systems for personal business that may interfere with systems operation. Networking links also make it easier for someone outside the organization to gain access to a company’s computers.

  One of the latest forms of cybercrime involves secretly installing keylogging software via software downloads, e-mail attachments, or shared files. This software then copies and transmits a user’s keystrokes—passwords, PINs, and other personal information—from selected sites, such as banking and credit card sites, to thieves.

• Computer viruses, worms, and Trojan horses. Computer viruses and related security problems such as worms and Trojan horses are among the top threats to business and personal computer security. A computer program that copies itself into other software and can spread to other computer systems, a computer virus can destroy the contents of a computer’s hard drive or damage files. Another form is called a worm because it spreads itself automatically from computer to computer. Unlike a virus, a worm doesn’t require e-mail to replicate and transmit itself into other systems. It can enter through valid access points.

  Trojan horses are programs that appear to be harmless and from legitimate sources but trick the user into installing them. When run, they damage the user’s computer. For example, a Trojan horse may claim to get rid of viruses but instead infects the computer. Other forms of Trojan horses provide a “trapdoor” that allows undocumented access to a computer, unbeknownst to the user. Trojan horses do not, however, infect other files or self-replicate.¹⁹

  Viruses can hide for weeks, months, or even years before starting to damage information. A virus that “infects” one computer or network can be spread to another computer by sharing disks or by downloading infected files over the internet. To protect data from virus damage, virus protection software automatically monitors computers to detect and remove viruses. Program developers make regular updates available to guard against newly created viruses. In addition, experts are becoming more proficient at tracking down virus authors, who are subject to criminal charges.

• Deliberate damage to equipment or information. For example, an unhappy employee in the purchasing department could get into the company’s computer system and delete information on past orders and future inventory needs. The sabotage could severely disrupt production and the accounts payable system. Willful acts to destroy or change the data in computers are hard to prevent. To lessen the damage, companies should back up critical information.
• Spam. Although you might think that spam, or unsolicited and unwanted e-mail, is just a nuisance, it also poses a security threat to companies. Viruses spread through e-mail attachments that can accompany spam e-mails. Spam is now clogging blogs, instant messages, and cell phone text messages as well as e-mail inboxes. Spam presents other threats to a corporation: lost productivity and expenses from dealing with spam, such as opening the messages and searching for legitimate messages that special spam filters keep out.
• Software and media piracy. The copying of copyrighted software programs, games, and movies by people who haven’t paid for them is another form of unauthorized use. Piracy, defined as using software without a license, takes revenue away from the company that developed the program—usually at great cost. It includes making counterfeit CDs to sell as well as personal copying of software to share with friends.

Preventing Problems

Creating formal written information security policies to set standards and provide the basis for enforcement is the first step in a company’s security strategy. Unfortunately, a recent survey of IT executives worldwide revealed that over two-thirds expect a cyberattack in the near future. Stephanie Ewing, a data security expert, states, “Having a documented, tested process brings order to chaotic situations and keeps everyone focused on solving the most pressing issues.” Without information security strategies in place, companies spend too much time in a reactive mode—responding to crises—and don’t focus enough on prevention.²⁰

Security plans should have the support of top management, and then follow with procedures to implement the security policies. Because IT is a dynamic field with ongoing changes to equipment and processes, it’s important to review security policies often. Some security policies can be handled automatically, by technical measures, whereas others involve administrative policies that rely on humans to perform them. Examples of administrative policies are “Users must change their passwords every 90 days” and “End users will update their virus signatures at least once a week.” Table 13.4 shows the types of security measures companies use to protect data.

Preventing costly problems can be as simple as regularly backing up applications and data. Companies should have systems in place that automatically back up the company’s data every day and store copies of the backups off-site. In addition, employees should back up their own work regularly. Another good policy is to maintain a complete and current database of all IT hardware, software, and user details to make it easier to manage software licenses and updates and diagnose problems. In many cases, IT staff can use remote access technology to automatically monitor and fix problems, as well as update applications and services.

Companies should never overlook the human factor in the security equation. One of the most common ways that outsiders get into company systems is by posing as an employee, first getting the staffer’s full name and username from an e-mail message and then calling the help desk to ask for a forgotten password. Crooks can also get passwords by viewing them on notes attached to a desk or computer monitor, using machines that employees leave logged on when they leave their desks, and leaving laptop computers with sensitive information unsecured in public places.

Portable devices, from handheld computers to tiny plug-and-play flash drives and other storage devices (including mobile phones), pose security risks as well. They are often used to store sensitive data such as passwords, bank details, and calendars. Mobile devices can spread viruses when users download virus-infected documents to their company computers.

Imagine the problems that could arise if an employee saw a calendar entry on a mobile device like “meeting re: layoffs,” an outsider saw “meeting about merger with ABC Company,” or an employee lost a flash drive containing files about marketing plans for a new product. Manufacturers are responding to IT managers’ concerns about security by adding password protection and encryption to flash drives. Companies can also use flash drive monitoring software that prevents unauthorized access on PCs and laptops.

Companies have many ways to avoid an IT meltdown, as Table 13.5 describes.

Keep IT Confidential: Privacy Concerns

The very existence of huge electronic file cabinets full of personal information presents a threat to our personal privacy. Until recently, our financial, medical, tax, and other records were stored in separate computer systems. Computer networks make it easy to pool these data into data warehouses. Companies also sell the information they collect about you from sources like warranty registration cards, credit-card records, registration at websites, personal data forms required to purchase online, and grocery store discount club cards. Telemarketers can combine data from different sources to create fairly detailed profiles of consumers.

The September 11, 2001, tragedy and other massive security breaches have raised additional privacy concerns. As a result, the government began looking for ways to improve domestic-intelligence collection and analyze terrorist threats within the United States. Sophisticated database applications that look for hidden patterns in a group of data, a process called data mining, increase the potential for tracking and predicting people’s daily activities. Legislators and privacy activists worry that such programs as this and ones that eavesdrop electronically could lead to excessive government surveillance that encroaches on personal privacy. The stakes are much higher as well: errors in data mining by companies in business may result in a consumer being targeted with inappropriate advertising, whereas a governmental mistake in tracking suspected terrorists could do untold damage to an unjustly targeted person.

Increasingly, consumers are fighting to regain control of personal data and how that information is used. Privacy advocates are working to block sales of information collected by governments and corporations. For example, they want to prevent state governments from selling driver’s license information and supermarkets from collecting and selling information gathered when shoppers use barcoded plastic discount cards. With information about their buying habits, advertisers can target consumers for specific marketing programs.

The challenge to companies is to find a balance between collecting the information they need while at the same time protecting individual consumer rights. Most registration and warranty forms that ask questions about income and interests have a box for consumers to check to prevent the company from selling their names. Many companies now state in their privacy policies that they will not abuse the information they collect. Regulators are taking action against companies that fail to respect consumer privacy.