Biggest threat to business may be on inside
By David Van Homrigh and Dean Ellinson | smh.com.au | 02 June
Consider this. An employee is developing software for a company that is fundamental to its business. He copies the software and sells it to an entity in which he has a controlling interest.
The consequences could be that the software, which might be carried on the balance sheet for a substantial sum — on the basis of competitive edge and innovation — might soon be of little or no value.
Take another example. A competitor poaches a highly placed business development manager. A month before his resignation, the manager requests documents relating to business proposals of the company's biggest client. Some months later, the competitor wins a large tender agreement with that client, resulting in potential loss of hundreds of thousands of dollars to the manager's previous company.
Most business-related documents are in electronic form. Electronic data can easily be altered, damaged or stolen. Intellectual property and information can be removed or transmitted by methods not envisaged a few years ago. External hard drives, iPods, MP3 players, thumb drives, mobile phones and digital cameras have been used to remove sensitive information.
The most valuable and sensitive asset in organisations is often their confidential information and that of their clients. Loss of or damage to such information can become a crisis, financial or otherwise. This is happening in many ways. For example, an employee alters supplier data and then interposes an entity associated with a staff member who starts invoicing the organisation for goods that it has acquired and takes a margin.
There are several reasons why organisations do not report this problem, one being the issue around whether the matter is criminal or civil. There is also an organisation's normal reluctance to report fraudulent events, and the extent to which this type of damage and alteration to data is occurring is unknown.
So how should businesses assess their risk and protect their organisations?
Organisations should have an experienced person (or team) with information security responsibilities. Their first step would be to identify the types of information held and the organisation's risk profile.
There is a need to know where data is stored, what devices can be connected to the network, and how this affects risk. For example, information on local hard drives may be more susceptible to theft or copying.
There is also a need to consider who has access to the information and whether unnecessary risk is being introduced at this point. The security of the physical device is also important, so organisations should ensure laptops are safely locked away and encryption tools (in case the laptop is lost or stolen) are used.
Once a risk assessment has been conducted, it is vital to incorporate this into an effective information security policy. The internal communication of this policy is key — the policy and its implementation will only be as strong as its weakest link.
Theft and loss of an organisation's intellectual property are serious, but all too often they are not given the attention they warrant.
Information security needs a high priority — a much higher priority than it now has in many organisations.
Corporate Australia, government bodies and other organisations have progressed to having disaster recovery contingency plans in case IT systems go down, but what of the risks if their valuable information gets into the wrong hands or is damaged?
David Van Homrigh is managing partner of KPMG Forensic and Dean Ellinson is chief executive of TECH IP Professional Development.
First published by Smh.com.au on June 02 2008