Virtually every day we receive warnings about new viruses, worms or trojans, while spam also adds to everyone’s misery and blocks up mailboxes. However, anyone who believes an anti-virus and anti-spam program will work wonders and ensure a secure IT environment is making a mistake. IT breakdowns and damage have many and varied causes. The industry association BITKOM has systematically identified four key categories in this regard, namely Acts of God (fire and floods), technical failure (software errors and power failures), intentional acts (theft and hacking) and organizational shortcomings (unclear regulations and responsibilities or lack of employee training).
Conveying the benefits of IT security
IT security is thus crucial for ensuring confidentiality, availability and the integrity of information technologies and ought to be an elementary element of any corporate strategy. Despite the serious consequences of an IT failure and the resulting loss of data or access by third parties to sensitive business information, SMEs often neglect to protect their own IT infrastructures. This is the sobering conclusion of a joint study conducted by Netzwerk Elektronischer Geschäftsverkehr (NEG) and the market research institute Market Research & Services (MR&S).
While almost two thirds of the SMEs questioned by NEG and MR&S attached high to very high priority to IT security, only just under one quarter actually had written security guidelines in place. The study also found that the increasing complexity of the subject matter, the high rate of change and the lack of personal resources are issues that often prevent companies from carrying out a thorough investigation of their IT security. Low budgets are an additional risk factor. According to the survey, 45% of respondents invested no more than Euro 5000 per year in IT security.
A cross-industry study in which the KPMG Innsbruck-Linz questioned 340 primarily SME companies in Austria came to similar conclusions (see Figure 2). Markus Oman, Head of the KPMG Business Services Information Risk Management (IRM) Department, has noted a “trend towards management becoming more involved in IT security issues.” This, he claims, is evidence of management’s growing awareness of the importance of this issue for corporate success. “However, this awareness of the importance of IT security is not reflected sufficiently in the internal measures adopted by companies, since the specialist departments often fail to make decision-makers aware of the benefits of IT,” states the KPMG security expert. “This generally results in poor decisions and measures as regards IT security.”
Sharpening perceptions, minimizing risks
“Companies fail to recognize that security risks are often the result of internal shortcomings,” states Markus Oman, “since most attacks originate from within the company.” To minimize potential security risks, he repeatedly calls on security experts at SMEs to focus on organizational and cultural measures. These include structured rights concepts for employees and evaluations of system accesses using log files. “Most important of all, however, is that the company’s own staff show greater awareness of the problem, for example by improving password security, and by fostering an openness as regards IT security,” adds Oman.
One area that is often ignored and underestimated are the legal obligations that confront companies and their managers (for example CEO, Executive Board or IT manager) when it comes to IT security. In Germany, for example, these include legislation relating to information and communication services such as the Electronic Business Communications Act (EGG), the German Teleservices Act (TDG) and the German Federal Data Protection Act (BDGG). Attorneys Robert Niedermeier and Markus Junker stress in a guideline devoted to IT security that, from a legal perspective, a professional working in IT security must be as familiar with the major legal requirements for the area he works in as a car driver needs to be with road traffic regulations.
Naivety can be an expensive business
A case heard by the Higher Regional Court in Hamm (ref.: 13 U 133/03 OLG Hamm) illustrates that this is not always the case. A travel agency had commissioned an IT company to carry out repairs on its IT system. Error messages occurred on the system after the repair had been completed. When one of the IT company’s employees then attempted to eliminate the error by exchanging a hard disk, the server crashed and important company data was lost. In addition to the actual repair work amounting to Euro 14,000, the company was also called upon to pay a further Euro 14,000 to rectify the damage. The company took the case to court and lost. In its ruling, the court decided that the company had “not backed up the data before the crash and had therefore acted negligently”. It was therefore responsible for the damage that had occurred.
Lack of protection against virus attacks can also be expensive. A study conducted by ICSA Labs, a supplier of tests and certifications for security products and part of Cybertrust, discovered that the frequency and intensity of attacks involving for example substantial damage and financial loss had increased since 2003. To restore computer systems that had crashed or suffered damage as a consequence of virus attack, the 300 companies questioned by ICSA Labs had spent an average of around USD 130,000.
Personal liability cannot be ruled out
Peter Tippett, Chief Technology Officer at Cybertrust, therefore calls upon companies to develop a comprehensive and proactive understanding of security. But this is a problematic area with SMEs. The NEG-MR&S study revealed a general lack of awareness about the problem among decision-makers and an absence of IT security strategies. This is amazing given that both intentional and negligent violations of data detection guidelines in electronic business communications are also punishable by law. This is quite apart from the financial losses and any loss of image a company may suffer. Particularly serious cases can even involve custodial sentences of up to two years.
BITKOM has highlighted the company officials who bear personal liability for any damage suffered and categorized their duties into three key areas, namely strategic, conceptual and operational. While the Executive Board (management / Supervisory Board) is fundamentally responsible for strategic duties, data protection officers and IT managers can also be held liable for conceptual and operational aspects.
Comprehensive and systematic IT security
“Efficient security management in midmarket businesses therefore always has to be structured as a continuous, fully integrated process that embraces all areas of the company,” explains Markus Oman. To ensure the long-term security of corporate data and maximize performance and efficiency, companies need to continually re-examine their security strategies and concepts in the areas of IT and communications technology and draw up technology plans to improve these. “While this always involves cost issues with SMEs, such solutions need not necessarily involve any greater investment in IT security. Instead, existing IT budgets merely need to be used more effectively and intelligently,” states Oman.