THE COMPUTER LAW AND SECURITY REPORT 5 CLSR

know that a £200,000 contract has been lost as a direct result of one of the incidents described above. All of the incidents .arose out of simple errors or component failures. They were serious because the cordpute~ user had no resilience to such comparatively minor events. On the basis of the many computer risk audits undertaken by my own company in the last two years it is fair to estimate that something in the region of 90% of computer users are extremely vulnerable to simple errors, breakdowns or amateur criminal attack.

What should give rise to greater concern is that the sample to whom we have spoken consists in the main of companies with a positive attitude to risk management - they have paid for professional advice and have been prepared to have their weak spots identified. There are many more companies who are even more vulnerable but who insist on keeping their heads buried firmly in the sand.

D a v i d D a v i e s

i

THE RISK INVOLVED IN COMPUTERISATION WHAT CAN GO WRONG

INTRODUCTION Security is the protection of the well-being of the organisation in conducting its business operations and achieving business objectives. Computer security is the protection of computer facilities and resources to safeguard the proper functioning and survival of computer services against disruption, destruction, and unauthorised disclosure of computer systems and information processed in the organisation. The question of budgeting for computer security and contingency planning always causes controversial arguments between managers with responsibilty for risk control and senior management who allocate the appropriate funds. The former would most probably opt for high security, thus incurring heavy expenditure on capital provisions for protection equipment and software; the latter would prefer to set aside the minimum expenditure for all non-profitable undertakings, while retaining full control of finance to take advantage of any business opportunities that might arise. Somewhere in the middle of these two extremes lies an acceptable level of security which is commensurate with the size and business of the company. The problem is that neither party has the relevant resources or expertise to determine objective criteria enabling them to set down guidelines for security budgeting. This is one area where an experienced security practitioner can offer impartial advice to both parties in search of a compromise solution to risk management, which can be both cost effective and practical.

C O R P O R A T E I M P L I C A T I O N S

Figure 1 shows the typical usage of computers in various business functions in an organisation.

J Company |

[ Computer I

Figure 1 D P - interaction in an organisation. The increased dependence on computing tends to result in a reduction of clerical manning level. In the face of an extended computer disruption, many organisations would have difficulty in coping with the situation by temporarily reverting to clerical back-up.

For companies with a long history of computing, the manual back-up procedures may have never been invoked in the past. or tested for acceptance. Worse still, the alternative manual procedures may not be suitable for simple conversion to computer input. This would further aggravate and prolong the recovery operation. In the meantime, the company would suffer the following consequences:

1. Loss of income through invoicing delays to customers, lost interest on accounts receivable, lost sales and lost future business.

2. Additional cost for extra manning and interest payments on bridging loan.

3. Loss of discount on accounts receivable. 4. Operational inefficiency through lack of control on

production and scheduling, and delays in supply and distribution.

5. Legal and contractual penalties for late delivery and potential lawsuits.

6. Loss of goodwill to staff through delays in wage payment,, and customers through missing delivery dates.

7. Delays in management reports could lead to inadequate market planning and sales forecasting, and delays in year-end accounts could result in loss of public confidence, and cause a slide in the company's shares.

Business interruption losses are often difficult to ascertain because computer management is rarely provided with the full facts and figures of the company's profit and loss potential. The following are highlights of some of the security review findings of potential corporate losses arising from an extended computer disruption:

- £1 million of new business per week for a financial institution would be lost throughout the disruption period.

- Serious delays in sending out invoices would cause a publishing house a cash flow of £50 ,000 per week being held up.

12

J A N U A R Y - FEBRUARY THE COMPUTER LAW A N D SECURITY REPORT

- Between£2 and 3 million of business perweektoa manufacturing company would be at risk. Since the products being manufactured are seasonal, a serious disruption in the peak season could cause permanent damage to the company's reputation in the market place.

- Invoicing and stock control in a commodity company would run completely adrift. Besides having to finance a cash flow delay of £21 million per month, customer dissatisfaction could result in some profitable outlets lost permanently to competitors.

Calculation of wages to hourly paid employees in a brewery would be held up. If disruption lasts for more than two weeks, unless agreement can be reached on alternative pay procedures, union withdrawal of labour would be almost certain. For a company operating on tight profit margins or high turnover of stock, a major disaster could reduce public confidence in the management and cause a slide in share prices in the stock market. Worse still, the business may never fully recover from such financial losses, culminating in a permanent setback to its operations. To avoid serious omissions, adequate resources and specialist expertise are needed to build up an assessment

FUTURE IMPLICATIONS

With more organisations moving into distributed processing with intelligent terminals or minis linked up in a corporate network, the total cost of security and protection is likely to be thinly spread over each and every site. As a result, the risk of a local disaster such as fire or arson is likely to be higher than that in a central mainframe installation. On the other hand, the severity of corporate loss arising from such a disaster is unlikely to be of the same scale as that from a disaster in the central installation. Also, the prudent corporate DP executive can direct individual sites to procure mutually compatible hardware, software and storage devices to provide effective mutual backup between sites to cope with both major and minor disruptions.

The new electronic office would be a mixed blessing. Operational backup through swapping or sharing the use of workstations should not pose any serious problems in local area networks. But unless adequate redundancy and backup to communications control equipment is provided and kept on split sites, and alternative power supply is available to the network, a major loss in an area where such equipment is located, or a serious disruption to the power supply could paralyse the entire nerve centre for voice and data communiation in the company. Many of the business activities may have to be held in limbo until management successfully restore the automated facilities. As more and more personal computers and word processing equipment are introduced into an organisation, the unsuspecting first time user may not attend to such needs as off-site backup of floppy disks and other magnetic files. A fire in the office could

create havoc to business operation. System reovery may be extremely difficult and time consuming, if it is at all possible. In our view, the cause of industrial disputes in the next decade will shift from being a weapon to force a quick settlement in wage negotiation to a last resort to fight for job security against forced cutback and staff redundancy.

Many of the frauds were successful because the victim companies failed to appreciate the need for proper segregation of duties in key functions. Some small companies or installations could ill afford the luxury of separate manning for input, data control, system design, programming and computer operation. As more small business computers come into use in individual business departments and inadequate attention is given to the control and auditability of business applications, more organisations would fall prey to clandestine activities by rogue staff who hold key positions in data processing in what used to be traditional user departments. Suitable training on computer security is necessary to increase the security awareness of staff. Some proprietary packaged systems for microcomputers offer little or no safeguards against unauthorised access to business data and software. An unattended office computer can be easily powered up, the database compromised, and the system powered down, all within a matter of minutes, and no one may ever find out that damage was done. The role of internal auditors in combatting computer fraud becomes more urgent as the number of potential perpetrators with the necessary computing skills grows with the proliferation of personal computers. Sharing of computer skills among more business users would facilitate the introduction of proper job rotation for sensitive duties and dual control of sensitive tasks.

Financial institutions are increasingly aware of the potential for frauds in electronic funds transfer systems. This is evidenced by increasing demands for BIS' computer fraud surveys from insurance underwriters to provide banks with cover against high value frauds. Several pilot schemes are also underway among clearing banks to gain first hand experience with encryption devices with the view to adopting these in EFT systems to provide better protection for financial transactions transmitted across national boundaries.

Dr Ken Wong

BIS Appl ied Systems Ltd.

13