Securing Technology Products Without a Technology Policy Isn't Secure at All
by Bennett Tavar

At first glance, it sounds trivial, nothing more than an episode of bad judgment. During the wee hours of the morning, an unknown employee of a logistics company uses its computer system to download inappropriate material from the Internet. Because a logistics company depends on the information highway at least as much as an interstate highway, the consequences of this activity could have been catastrophic. Company executives engaged my company to identify the employee and, more importantly, prevent others from using Internet access inappropriately.

Though specific details varied, the logistics firm's situation mirrors a common plight. The dangers are all too familiar: In extreme instances, corporate spies and malicious intruders slither their way into communications systems to steal proprietary information, corrupt specific files, or indiscriminately wreck entire systems. Far more common - but equally worrisome - is the way employees routinely invite trouble into their technological realm by opening virus-laden e-mails, and by downloading data, images and, more recently, music and videos from websites that should not be visited via a workplace computer. If pornographic material gets into systems, sexual harassment lawsuits frequently follow.

Other lawsuits can follow the indiscriminate forwarding of e-mail messages sent on behalf of a terminally ill child collecting business cards before he dies (one hoax) or in hopes of being rewarded by Microsoft seeking consumer research data (another hoax). Such actions only spread dangerous viruses to other companies' computer systems.

The dangers are bound to grow. More than 40 million U.S. employees are now online - and the number climbs daily. Yet, studies show that the computer systems of up to 85 percent of businesses nationwide are vulnerable to breaches of security. Either there are no security measures in place, or there are practices that offer scant protection. The same studies show this threat is an equal opportunity oppressor, and hangs over organizations of every size and description.

Unquestionably, unauthorized uses of corporate computer capabilities waste time and money. The hours employees spend sending and receiving personal e-mail messages, or surfing the web for that ideal bed-and-breakfast in California wine country, cost a typical 500-person enterprise $1.2 million per year in lost productivity. And lest smaller enterprises feel immune, this waste is not proportional to payroll numbers - employees of smaller firms tend to have more autonomy and responsibility, so the per-hour cost of the time wasted on the web is apt to be higher.

Less obvious but also potentially costly, all this unnecessary electronic traffic clogs a company's bandwidth - the communications lines that carry the messages. This slows communications themselves, and misleads management into thinking they need to spend more money on more bandwidth.

It's better to spend fewer dollars on effective technology security. The protection is quite affordable, and there are scores of worthwhile products on the market. Many are downright amazing, and cost no more than a few thousand dollars. Even spending up to $10,000 for sophisticated capabilities pales into insignificance when compared with the ultimate price of no protection.

The latest software wizardry does far more than sound virus alerts and monitor messages. It can read keystrokes in multiple languages, capture screen images, patrol incoming material from many sources, and be programmed to keep unacceptable material from entering not just individual computers and workstations, but entire systems. Security products have become as advanced as the computers they protect. They have to be, now that e-mail messages carry words, full-color images, photos, and enough sounds to impersonate a philharmonic.

As dazzling as these marvels are, however, they all too often can be solutions in search of problems. That's because too many organizations go on buying sprees before taking a critical first step - establishing a technology policy.

Before management starts hanging security products on its servers and PCs, it needs to:

1. Determine what the rules for using the company's technology will be. Of course, employees send personal e-mails during the day. They're not about to stop, either. Yet some clear direction about how computers and communications systems are supposed to be used can work wonders in curbing abuses. So does pointing out the perils of opening messages of unknown origin and of signing up for high-tech junk mail, and explaining how misusing company technology can damage an organization's reputation, its relationships and its credibility. If messages are monitored, explain one more thing: Why they need to be.

2. Understand the multitude of risks, and the security lingo. Ask four suppliers to define terms like firewall, filter, and anti-virus and you'll likely get four different sets of definitions. More often than we'd like to admit, hustlers of products exploit this lack of understanding to make a quick sale.

3. Assess current levels of security, and required levels. Most firms have little security, much of it in the form of anti-virus protection purchased for individual computers. Even this protection needs continual updating - and application: if employees don't scan for viruses regularly, anti-virus protection isn't worth much. What's worth far more is an organizational perspective that considers specific work environments, risks likely to be encountered and organizational culture.

Only after taking these steps should management think seriously about solutions. I use the term deliberately, rather than products per se. Solutions include service, which is absolutely paramount. Vendors must be able to address installation challenges, and ensure that software and hardware will operate smoothly with existing technological tools.

Vendors also ought to offer standardized solutions. Customization might seem more desirable. But customization is risky business: It puts an organization at the mercy of the customizer. And that can cause hours - if not days and weeks - of frustration if the customizer isn't handy, forcing someone else to figure out a system's complexities. Standardization may sound bland, but it makes service infinitely better.

Your company's performance will improve with the introduction of appropriate technology security and policies.


Bennett Tavar is the President and Chief Executive of Logical Business Solutions Inc., a 20-year-old Jacksonville firm that develops and maintains technology systems and components for companies in Northeast Florida and surrounding areas. Visit Logical Business Solutions Inc. at www.lbs.net.

Copyright 2002 by Bennett Tavar. All rights reserved.
