NETWORK SECURITY, PHYSICAL SECURITY, AND LIABILITY

Did you know that your insurance may not cover loss due to information loss? According to information available on the American International Group (AIG) web site, your business insurance may not protect you from damage caused by "computer viruses, denial-of-service attacks, cyber extortion and cyber terrorism". The article goes on to state that "Failure to properly insure against these perils frequently stems from the mistaken belief that protection for network security and cyber-related risks is already provided under traditional insurance policies. This mistake can be costly to a company’s bottom line, brand, and reputation".

These kinds of liability inspired AIG to launch a whole new line of policies. Among the items cited...Website publications that open your firm to alleged libel, slander or defamation, copyright, title or trademark infringement, or invasion of privacy...Cyber extortion...Injury to information assets...Network business interruption...Identity theft...The list goes on for several paragraphs and even describes a policy for "Bad Press" caused by a security breach.

Some of the questions on the Information Security Self Assessment give an idea of what sort of steps you'll need to get this coverage. Are you ready, for instance to answer the question, "Does your company have an information security infrastructure and organization?" How would you answer "Does your company enforce a patch management process?" or "Does your company have a virus protection program in place?". There are a host of questions you may never have anticipated, such as "Are internal systems secure?" and "Do critical systems receive full security testing before deploymant?".

By now you're probably muttering to yourself, something along the lines of "I'm a business man, not a computer geek!". You're perfectly right of course, but like every technological advance computers bear a hidden responsibility. We are in the midst of another Industrial Revolution. Just as the steam engine opened a Pandora's Box of challenges, so too do the electronic marvels of our modern business environment. It's not enough anymore to learn the latest spread sheet application. Our dependence on these machines has put us in the position of responsibility for the computers and the data contained within.

AIG is not the only company thinking this way, a look at the site of Baker Donelson Bearmn, Caldwell & Berkowitz claims that "Maintaining Network Security Is One of the Top Priorities of Most Companies". The age of information has brought new concerns to the business world. You are responsible for the content of your corporate mail, whether it's a job quote or sexually explicit material. It's a headache you can do without, but it's the cost of doing business in a computerized society.

These companies are warning us to be on our guard, and for good reason. The state of California recently passed "a law requiring persons and businesses to disclose to the State and any relevant person the breach of a network security system resulting in the unauthorized acquisition of unencrypted personal information". Similar legislation is being reviewed by the United States Congress. There are already Federal rules enacted for information security in financial institutions and health organizations. According to an article posted by Sidley Austin Brown and Wood, the insurance companies themselves are creating their own standards..."Some insurance providers, which sell professional liability or anti-hacker insurance policies to companies at risk of an information security breach, base their rates in part on whether the company employs appropriate security measures. For example, ARAGON-HAAS Insurance Brokers Inc., which offers policies underwritten by Lloyds of London, asks prospective clients if their computer systems utilize firewalls to prevent unauthorized access to their networks, and whether they have created backup and recovery procedures to be used in the event of a breach".

Network security also depends on how secure the company premises are. A network firewall is little good if the culprits can walk right into your office and steal information. This physical security is another deterrent insurance companies will insist on before they grant coverage. Access by employees and non-employees will need to be controlled and even denied in sensitive areas such as computer rooms. Since personal data is a valuable commodity these days, you must also take in account that employees may find it profitable to share your corporate data. If so, they won't be the only ones liable for prosecution. The first line of defense is to secure you information systems against internal and external intrusion.

While we are on the subject of premises security, keep in mind that not all fraud is high tech. In a society where consumers can sue over hot coffee, scams like "slip and fall" are getting a second wind. Convenience store cameras are not limited to survellience of the cash register. Like as not they are also trained on the aisle in front of the beverage cases and other areas where the scam artist usually claims a slip on a liquid spill. Liability lawsuits can come disguised in the most mundane circumstance. Isn't it time you took steps to protect yourself?