A global economy, falling profits, and many other business factors have caused countless businesses to make dramatic changes to their business organization. Many of these have resulted in personnel being relocated, demoted, or let go. The uncertainty of business reorganization leads to employees who lose trust and loyalty to their employer and become unhappy. Disgruntled employees are responsible for nearly 90 percent of computer crimes that result in financial loss to the company. They know the business, the computer systems and what information is the most valuable.

The new economics with which businesses are faced has led some businesses to be less ethical in the methods they use to gather competitive information. Corporate espionage is on the rise. In one survey, respondents reported that more than 20% of break-ins were industrial espionage or sabotage by competitors. Political changes have made industrial secrets more valuable than political secrets and have caused professional information-gatherers to be looking for work

Increasing the speed in which a product can be brought to market may force a company to accept new technologies more rapidly than it is prepared to. This can move a company from the leading edge to the bleeding edge. It can also cause employees difficulties as they have new technologies thrust upon them at a rate that may be faster than they can absorb them, causing frustration and confusion. Employees may not know how to use the available security, or may put security aside as just "one more thing" that seems unimportant when they don't feel comfortable using the technology in the first place.

The global economy has put dramatic economic pressures on business -- to produce products less expensively, to bring products to market more quickly, to address foreign markets, etc.

Reducing the costs of manufacturing on a mature process often requires moving the process to areas with a lower cost of labor. This generally means moving production outside the United States. However, along with the manufacturing process, information and infrastructure must also be exported. Other countries have different laws and attitudes about the value, confidentiality, and privacy of information and electronic data.

Many countries do not allow completely foreign-owned businesses to operate within their borders. To do business in the country some type of relationship must be established with a local business. In some instances this relationship has been used to gather information and technology -- industrial espionage.

A Michigan University study reports that "there is an increasing threat of computer crime from organized crime groups from Eastern Europe." There are also reports of strenuous efforts on the part of some foreign intelligence agencies to gather information for the benefit their national industries; these efforts have included eavesdropping, hotel room burglaries, and the introduction of "moles" as well as other sophisticated intelligence-gathering methods. Our foreign competitors’ interest in our information has never been more intense.

Businesses are looking for ways to make people more productive more rapidly. Often, this leads to hiring temporary contract employees or to outsourcing -- alternate workers. The use of temps has grown enormously, about 500 percent over the past 15 years. The number of workers employed by temporary help agencies has grown to over 2.2 million. Temps have access to an amazing amount of company-confidential information. Temps in the mailroom handle all of the company's information, and receptionists know who is talking to whom and can eavesdrop. Many security positions, especially guards, are often outsourced.

A company who is using contract employees loses control of the quality of the employees. It no longer has control over background checks and screening of potential employees. Alternate workers are susceptible to the same factors that cause company employees to be the largest threat to corporate information–money problems, personal stress, fear of firing/layoffs, or just plain greed -- and they do not feel the level of loyalty to the company to which they are contracted.

To rapidly gain access to specialized knowledge, many businesses are hiring consultants at very critical positions within the company where they have access to crucial information. These same consultants may also be working for your competitor where information may be disclosed accidentally. They may be unaware of the proprietary nature or the business-critical nature of the information. Independent consultants may be tempted by monetary gains. Temps and contract employees are often the targeted by industrial spies.

Employee policies do not apply to contract employees. Issues of security, non-disclosure, and appropriate behavior must be spelled out in the contract with them. These contracts are often with a contracting company, not specifically with the contract employee and the individual's understanding of your company's security policies may be lacking.

Cooperative business ventures have become a popular business tactic to reduce the risk of entering unfamiliar territory. These ventures generally require a significant amount of sharing confidential information. So even though the financial risk of the venture is reduced, the increased access to company information may increase the security risk.

Ventures into areas of new technologies often require creating close relationships with start-up companies that may have very little history. It may be difficult to get good background information about the company and about the quality of workers that they employ. When you enter into an partnership with another company you inherit any hostilities that individuals may have toward the other company.

Large, established companies are not immune to problems either. Larger companies may have other business activities that may make them tempting targets. The likelihood of this increases when working with foreign companies where you do not know all the political aspects.

Often companies will find themselves needing to partner with a company on one area, while that same company is a competitor in another area -- requiring granting access on one hand while denying access to others in the same company on the other. These complicated business relationships often blur the usual lines of trust and make security issues more complex.

Any of these relationships require inter-company communication that often increases the complexity of data and communications networks. Extending the corporate network to interconnect with the associated companies' information infrastructure opens new doors to security risks. These extended-networks allow corporate partners access to internal information through connections that are generally not protected by the company's normal firewall systems which protects the company's information from the Internet. These connections need a more flexible solution that allows communication in both directions but still protects both companies from unauthorized activities.

Cooperative ventures may have a tendency to confuse partners, not knowing what information can be shared with what partners. Who actually works for whom? Employees may not understand which information is appropriately shared and which is not. Accidental disclosure of information is likely.

Historically, most companies would wait until a technology was proven before implementing it -- this could be six months for a new version of software or years for a new operating system. However, the shortened life cycle of technology has made it become obsolete more quickly, forcing companies to adopt new technologies more rapidly. Today the same companies are running their critical business systems on unproven and unsecure technology.

Companies may need to be on the leading edge of technology to remain competitive, but early adopters will pay a price, often in security. It seems to be a fact of life that software has bugs that can be exploited. The longer a piece of software has been used, the more likely that the bugs will be noticed and repaired. Every new version of software will bring new bugs.

New technologies require retraining of employees on the use and administration of these technologies. Employees who do not know how to use a technology, or how to properly secure it, can accidentally cause security risks by their inexperience. Most security incidents are in part because of improper or inadequate administration.

The Internet is a tremendously powerful tool for business. It gives rapid access to information about customers, suppliers, competitors and new market opportunities. However, companies must be aware that all communications over the Internet are susceptible to eavesdropping.

Many companies have rushed to the Internet ill-prepared for what awaits them. A 1996 computer crime survey shows that over half of the attacks of which respondents were aware came from outside the company. A 1995 Internet security survey reports that 39% of its respondents that are connected to the Internet do not have in place an Internet firewall, the foundation for any network security. However, just having a firewall is not enough; it must be properly installed and configured and continually monitored. The same survey shows that 30% of the Internet security incidents occur after a firewall is installed. Another survey indicates that only 56% of companies who have been hacked have implemented firewalls twelve months later.

Firewalls do a very good job of filtering out connections that are not wanted. They can easily refuse connections based on the type of connection, the source of the connection and the destination of the connection. However, they have more difficulty when it comes to excluding connections based on content. This requires a new breed of firewalls, application firewalls, that understand the kind of information that the application should be expecting. These application firewalls can test files transferred via e-mail or FTP for viruses or scan for inappropriate content.

However, there are a number of types of attacks against which a firewall will not be able to defend. A firewall that scans for viruses or inappropriate content may keep viruses out but a it will do little, if anything, to address the issues of privacy, accuracy and authenticity of connections. These are areas that plague e-mail today.

Electronic mail offers quick and easy communications around the globe and is the most used service on the Internet. A survey indicates that 83% of companies make e-mail available to all of their employees, even though e-mail is not secure. It can be misdirected, misrouted, intercepted, monitored, and altered and is a carrier for macro-viruses that can infect the receiver's system and have devastating effects on his data.

There are virtually no checks in the e-mail system. There is no guarantee of authentication of the sender or the receiver or the content of the message. E-mail spoofing, assigning an incorrect return address, is as old as the Internet itself. The e-mail transfer protocol is a simple text-based protocol that incorporates no method of validation.

Today, e-mail contains active content that is more than just textual information. E-mail is used to send formatted text, presentations, and data for all types of applications. These multi-media extensions to e-mail have opened new avenues of security problems. Each of these active documents executes a program with data that is sent from an unverified source. Many programs can be subverted by the data that is used as input. Most commonly known are macro-viruses. These are viruses that utilize the macro functions of word processors, and other applications, to do more than display text. Application-based viruses have been isolated in spreadsheets, presentation graphics and even postscript files.

The World Wide Web is the fastest growing phenomenon on the Internet. The web allows the cheap and easy dissemination of information through the publishing of pages that can contain both text and graphics and are available to anyone on the Internet at any time. This technology brings two areas of concern. First, from being a information provider: publishing web pages, possibly managing a web server; and second, from allowing your employees access to the web from the company’s network.

Companies are rushing to have an Internet presence. Many companies just want to own their name on the internet and want to do a little low-cost advertising, while others are looking to move to making their business functions available through the web. These web sites are on the public Internet and easily available to attack. For companies that plan to conduct business on the web, there are even more items to be concerned about. There have been numerous attacks on the web, which either alter the content of a web site or make the site unavailable. An evaluation of 2200 web sites revealed that nearly two-thirds of the tested web sites could be broken into or destroyed.

The web has made a wealth of information available. Research organizations publish information. Companies distribute marketing, advertising, product specifications and pricing and availability, as well as software updates, patches, and demos. Access to this wealth of information can be a great asset to a company. However, surfing the web also adds a new dimension to a company's security dilemma. Not only does it have the ability to bring viruses into the company, it can leak information out of the company. Every page that a person visits can log the previous page that the user was on. So if internal systems point to pages that are external, when the link is used the receiving system will log the information that the internal system links to it, thereby leaking information about an internal system to an external system.

Sites know you have been there. Some know who you are, even your e-mail address. Almost all know when you came, how long you've stayed, and, through software bugs, where else you have been. Information about the kind of information that you are accessing may reveal information about what your company is doing.

Mobile computing allows employees to work while they are traveling–working from hotel rooms, accessing time-critical information – never being out of touch. However, it also allows megabytes of company information to walk out of the door every day. Confidential information leaves the security of a company's building in portable computers, generally unsecured. Portable computer thefts are on the rise. 2000 computers are stolen every day–two-thirds are laptops. That is about 23 laptop thefts every hour. Newsweek reported that 1 in every 14 laptop computers sold in the US has been stolen last year.

There have been numerous reports of laptop computers stolen in airports, hotel rooms and other public areas. Reports indicated that many of the laptop computers that were stolen were not random theft, but were specifically stolen for the information that they contained. The FBI reports that over 90% of stolen equipment is never recovered.

Mobile computing has made working while on the road commonplace. Businessmen are working at the airport while waiting for a flight, on the airplane, and in other public places where they have no idea who is sitting next to them. Open laptop computers draw curious glances, but some may be more than curious–they may be intentional.

Airplanes are a common place for information to be "gathered." Conversations are often struck up with strangers and can be overheard by people sitting near by. One salesman told me that he was able to close a $100,000 sale because of information that he overheard on a flight.

Hotels are ripe targets for corporate espionage. There have been numerous reports of portable computers stolen from hotels and many security organizations have warned of leaving computer equipment unattended in hotel rooms, especially in hotels outside the United States.

Wireless communication includes a variety of technologies including radio, cellular, microwave and infrared for the transmission of both voice and data communication. All wireless communications are susceptible to monitoring. It is only a matter of cost.

Wireless communication has become a mainstay of business communication -- pagers, cordless phones, cellular phones, business radio -- all are common place in the workforce. New wireless products are continuously arriving at the office place, including infrared printers and wireless LANs.

Simple numeric pagers are rapidly being replaced with text and voice pagers that allow text or voice messages to be sent to the pagers. Personal digital assistants are becoming more common and allow for easy wireless communication to the Internet.

Forty-five million Americans have cellular phones. Increasingly, businesses provide cellular service to their employees, especially those who travel or cannot afford to be out of touch. Even though the law protects conversations that are conducted over cellular telephone, this does little to prevent the monitoring of cellular conversations or the use of the information overheard.

The first rule of cellular phones is that conversations are not private. With an inexpensive radio scanner one is able to monitor most cellular conversations. If you are talking on a wireless telephone, you must assume that it is being monitored. In addition, all of your touch tones, the codes you enter for your long distance credit card, or your bank-by-phone PIN number or remote access password can be monitored, decoded and used by the people monitoring the conversation. If the information is not public, it should not be used on a wireless telephone.

Use of voicemail over wireless telephones should be discouraged, since not only will the messages be available to eavesdropping, but so are all of your access codes. If someone is monitoring your use of voice mail over a wireless telephone, they will have all the information necessary to access your voice mail, change your password – and end up with complete control.

Businesses have come to rely on their fax machines to send and receive orders or communicate between business units. There are numerous horror stories of important faxes being sent to the wrong number with catastrophic results, but even when a fax gets to the right number, there is no guarantee that the recipient is the only one to see it or that he will get it at all.

In most businesses fax machines are in a public area, so all employees can send their faxes. Fax machines are often not monitored for incoming faxes, so these faxes can sit around on or near the fax machine for hours or days, accessible to all who pass by: employees, contractors, vendors, visitors, almost anyone. Cover sheets do little to stop the curious.

Faxes also do nothing for proof of origin. There is no guarantee that the orders received by fax actually originated from the address or telephone number indicated. There is no guarantee of delivery. Even when faxes are sent to the right number, they may be accidentally picked up by the wrong person or thrown in the trash with scrap paper that tends to accumulate near the fax machine.

Some fax machines have memory to store incoming faxes so incoming faxes will not be lost when the fax is out of paper. On some of these machines it is possible to remotely retrieve the faxes that are in the buffer, allowing someone to breach your security without even entering your building.

Many companies have moved employees out of the office and into their homes. With so many employees traveling and salesmen who should be at customer sites, not in the office, it makes sense for companies not to be paying for unused space. However, having business information going to individual's homes adds a variety of information security issues.

Proprietary information will be available in the employee's home, where generally the security is not as tight as at the office. Home offices generally employ most of the aforementioned technologies: portable computers, cellular phones and fax machines, with all of their security problems. In addition, homes often do not have someone available for postal and package pickup and delivery during regular business hours. Packages may sit on the porch or mail in a mailbox for hours or even days.

Home offices often require remote access to corporate resources, requiring that the company extend its network to include access from its work-at-home employees. This increases the number of access points in the security perimeter, thus increasing the complexity of securing the perimeter. If the computer used to access the corporate network is not issued by the company, but only the software to gain access is added to an already existing home computer, the company has little ability to control the security of and the access to that computer, thereby limiting the security to corporate resources.

Every new business venture brings with it new security issues and the use of new technologies adds potential security risks. A risk assessment is a basic business process that should be part of the planning of every major project. A risk analysis is performed to understand the potential losses associated with the implementation of the project, and the likelihood of these losses. The risk analysis should be reviewed every time that there is a major change in the project or when external influences to the project change. Since information system technology is continuously changing, information systems' risk assessments should be performed periodically as well as whenever there are changes to major critical systems.

A risk assessment will help you determine the value of the assets, the potential loss if the assets are compromised, the type and size of threats, where vulnerabilities exist, and what safeguards are appropriate and most effective in your situation.

You must first understand what the company's information assets are, what their value is, who is responsible for each asset and what level of security is appropriate. An information asset's value can be based on the cost to replace the information or on the cost of the damage that the disclosure of the information would have on the company. The owner of an asset should be the person whose job is most dependent on that asset. This individual should be most able to identify the asset's value and define the security concerns that pertain to it. Once the value of the assets is defined then the appropriate cost of security can be determined.

Second, you must assess the threat to your information. Threats are those things that have the potential of causing loss. These threats include inadvertent human errors, system failures, natural disasters and malicious acts from both inside and outside the organization. Even though outside attacks are the most publicized, still only three percent of companies suffered financial losses from outside attacks. Education and planning are the most effective programs to reducing threats. Educated users are less likely to make mistakes and are more likely to use the security features that are available and report those who are violating security policy. Disaster planning that includes security based disasters will minimize the impact of the disaster by minimizing the time that the assets are unavailable and prepare individuals for the tasks that will be required at the time of a disaster.

Third, you will need to identify the vulnerabilities in your current environment. This includes securing your systems from known vulnerabilities as well as evaluating your current information security policies and procedures. Good administration and change management practices will go a long way to minimizing your vulnerability.

Finally, you will need to institute safeguards to protect your assets. These safeguards should protect your information assets from loss of availability, accuracy, and confidentiality. Safeguards address areas of access, identification, authentication, authorization, and accountability. You will also need to implement a detection system that will monitor your system for the occurrence of any of those activities that your protection system does not prevent.

An organization that does not regularly analyze the risk of each of its projects is not doing all that it can to ensure the success of those projects. This lack of prudence can lead to security disasters and legal liability to stockholders.

The ’98 FBI survey reports that even though 72% of companies reported that they have suffered financial losses from computer security breaches, only 17% reported these to law enforcement. However, 83% of businesses report that the main reason that they do not report security incidents is the possibility of bad publicity. PC Week reported that "Fifty percent of the companies that lose those critical business systems for 10 or more days never recover. Ever. Ninety-three percent of the companies without a disaster-recovery plan in place were out of business five years later." Security incidents are more difficult to diagnose than a natural disaster and take longer from which to recover–more time before the computing resources are restored. Business can no longer regard security as an option, only needed for government contracts. Today's business environment makes security a requirement without which the company will most certainly suffer damaging losses.

When a company implements new business strategies, they must perform a risk analysis and update their policies and procedures. The savings or benefits that are promised by new business strategies must be weighed against the cost of the security risk that these strategies may bring.

As businesses' conditions changes, information security most also change to accommodate the changing needs.