Security: Whose responsibility is it?

Only a few years ago, IT (information technology) was proclaimed a commodity that didn’t matter. However, with database break-ins
making daily headlines, not only does IT matter, it’s now at the vortex of a public debate on privacy.

Computer security breaches are on the rise, according to a survey conducted by the Computer Security Institute and the F.B.I.
Nearly nine out of 10 organizations experienced computer security incidents over the course of one year; 20 percent of them
experienced 20 or more attacks, and 64 percent experienced financial losses.

“The consequences for these breaches of privacy are pretty dire,” says Tom Mescall, managing director of IT solutions for
Armanino McKenna LLP. “Lawsuits, loss of reputation and other costs follow in their wake. Moreover, these issues could reach
the CEO personally as regulations aimed at top management are becoming more numerous.”

Smart Business asked Mescall about the key factors that CEOs and corporate officers should realize about their IT departments, personnel and equipment.

What current regulations affect IT security?
Some include the Sarbanes-Oxley Act, which imposes strict rules for securing financial systems; the Health Insurance
Portability and Accountability Act, governing both security of patient or insured information and privacy rights; S.B. 1386, a
California law requiring all businesses that sell over the Internet to notify their customers of online security breaches; the
Gramm-Leach-Bliley Act, which requires financial institutions to disclose to customers in full detail how their data will be stored
and used, and to provide adequate safeguards for customer information; and many others.

Why should IT security be a high priority — if not the highest?
In this environment, CEOs who dare to believe that ‘nobody wants what we have’ are living dangerously. The fact is, everybody
wants what you have, and here’s why: Not all thieves want your data. In fact, they are just as likely to covet your network and
computing capacity.

Many system intrusions come from thieves who have pirated movies, music, games, computer applications and other copyrighted
material. Through a series of break-ins and set-ups of ‘bounce points,’ these hackers can easily and anonymously store their ill-gotten goods on your hard-drive space and that of many other computers connected to the Internet, which they have linked together.
Legally speaking, you are liable for your computer storage space and must perform due diligence to ensure these types of intrusions don’t occur. If you have failed to do everything possible to secure your systems, you could be held at least partially liable
to the original owners of the material.

Hackers are also disclosers. There are groups of hackers who spend time finding vulnerabilities in corporate and institutional systems. They often notify the corporations or institutions, but if they don’t hear back from them, they disclose the weakness to the
general marketplace.

What can corporate management do to secure their computers?
If you are a CEO, it’s now your legal responsibility to see that your data and systems are secure. To that end, you need to understand a couple of things.

First, most IT staffs are not trained in data or Internet security. They are systems efficiency experts. They may talk a good game
about security to their superiors, but most don’t have the time or the knowledge base to help you meet your increased responsibilities.

Second, turn your attention away from your IT director and focus it on your chief information officer or chief technology
officer. Ask: Do we know what the threats to our data are, and are we taking all precautions to block them? Do we have a daily
systematic method for assessing and repairing security threats? What is the skill set of our IT staff? How can we supplement
the skills of our team with more security expertise?

What if you don’t like the answers you get?
Don’t panic. There are ways to meet your growing obligations for security while maintaining your current staff.

To begin with, you should audit your systems security. There are, of course, many vendor-experts who can quickly audit your
systems, find the biggest vulnerabilities and close them rapidly.

But in the longer term, you’ll want to instruct your CIO or CTO to help you accomplish several officer-level tasks, including
defining the scope of IT activities in your company and the specific duties of the IT staff. If safeguarding data and computing
capacity, and rapidly disclosing security breaches, are not competencies of your IT staff, they should be.

TOM MESCALL, CPA, MBA, is managing director of IT Solutions for Armanino McKenna LLP. He has more than 18 years of experience in public accounting, management consulting and software development. Reach him at (925) 790-2600 or [email protected].