CBR is proudly produced & published
by Technews
Issue Date: August 2002 (es)

Information protection - why bother? Part 1

August 2002
Patrick Evans, Symantec's regional manager for Africa

Protecting critical business-related information is one operating expense that is not a high priority for many companies. In a profit-oriented company, the overhead costs are typically reduced to the lowest possible amount. So how can a company quantify the need to protect critical information if the association between this information and the business's profits is difficult to demonstrate?
Results of the 2001 Computer Security Institute/FBI Computer Crime and Security Survey show a dramatic upsurge in computer crimes, as well as the resulting financial losses suffered by businesses. One hundred eighty-six respondents of the survey reported $377 828 700 in financial losses. (In contrast, the losses from 249 respondents in 2000 totalled only $265 589 940. The average annual total over the three years prior to 2000 was $120 240 180.) Furthermore, the survey continues to conclude that the most serious financial losses occurred through theft of proprietary information.
Even information that is not typically perceived as sensitive could become harmful to your business and its reputation if it gets into the wrong hands. Do not make this costly mistake. Identify and evaluate any vulnerable information your business holds, and implement proactive protection measures to keep it secure.
What information is sensitive?
The following examples highlight a few of the many factors necessary for a company to succeed. The common thread in each case is the critical information that each generates.
Strategic plans
Most organisations readily acknowledge that strategic plans are crucial to the success of a company. But do most companies really make an effort to protect these plans?
Take this example: a competitor learns that a company is testing a new product line in a specific geographic location. The competitor removes its product from that location, creating an illusory demand for the product. When the positive results of the marketing test are provided to the company's executives, they decide to roll the product out nationwide. Only then does the company discover that in all other geographic regions the competition for its product is intense. The result: the company loses several million rands as its product sales falter.
Although it might have been impossible for the company to completely prevent its intentions from being discovered, this situation does illustrate the real value of keeping strategic plans confidential. In today's global environment, the search for competitive advantage has never been greater. The advantages of achieving insight into a competitor's intentions can be substantial. Industry studies bear witness to this fact.
Business operations
Business operations consist of an organisation's processes and procedures, most of which are deemed to be proprietary. As such, they may provide a market advantage to the organisation. This is the case when one company can provide a service profitably at a lower price than the competition. A company's client lists and the prices charged for various products and services can also be damaging in the hands of a competitor.
While most organisations prohibit the sharing of such data, carelessness often results in its compromise. Such activity includes inadvertent storage of data on unauthorised systems, unprotected laptops, and failure to secure magnetic media.
Financial information, such as salaries and wages, is very sensitive and should not be made public. While general salary ranges are known within industry sectors, precise salary information can provide a competitive edge. As salaries and wage-related charges normally comprise the majority of fixed costs, lower costs in this area contribute directly to an organisation's profitability. When a competitor knows specific information about a company's wages, the competitor may be able to price its products accordingly. When competitors' costs are lower, they can either under-price the market or increase profits. In either case, the damage to an organisation may be significant.
Establishing better information protection
The examples above highlight only three of the various types of sensitive information every business holds. Protecting this information is crucial to the overall success or failure of a company. Since businesses hold such a vast array of data, what steps do they need to take to keep all of their critical information protected?
Consider these points:
* Not all data has the same value and, as such, information may be handled and protected differently. Organisations must determine the value of the different types of information in their environment before they can plan for the appropriate levels of protection.
* Know where the critical data resides. In today's business environment this is normally the company's information systems infrastructure. Because each piece of information may require different levels of protection, identifying where each is located enables an organisation to establish an integrated security solution. This approach also provides significant cost benefits, as the company does not need to spend more on protecting data than the data itself is worth. Protection solutions must be based on the most valuable information assets. The network environment also presents additional challenges to protecting information.
* Develop an access control methodology. Information does not have to be removed to cause damage or to have financial impact. Information that is inadvertently damaged, disclosed or copied without the knowledge of the owner may render the data useless. To guard against this, organisations must establish some type of access control methodology. For important data, this access control (and the associated auditing) should extend to the file level. Such access control extends from the host to the network. There are many types of solutions designed to provide this protected access.
* Protect information stored on media. Employees can cause considerable damage by walking out the door with information on disks or CD-ROMs. In addition, companies should control magnetic media to reduce the loss of software (both application and operating system). And finally, when migrating from one platform to another, the status of all hard drives, and the associated data, should be controlled.
* Review hardcopy output. The hardcopy output of employees' daily work should also be reviewed. Although strategic plans in their final forms may be adequately protected, what measures are used to safeguard all drafts and working papers? What information is regularly placed in the recycle or trash containers without thought to its value?
Based on this limited discussion, it is clear that much of the information that is so essential to successful business operations could be destructive if it is misused by employees, or should fall into the wrong hands. The exposure of this information to unauthorised individuals is greatly increased when companies connect their computers to other networks and the Internet. Computer systems and networks are inherently prone to data theft, loss, damage or destruction. Protecting such information must be done holistically, providing the organisation with the appropriate level of security at a cost that is acceptable to the business.
(This is the first of a two-part series about protecting information. Part 1 presents the case for protecting information. Part 2 will address the specifics of implementing security methodologies in more detail.)
