Some of the risk issues faced by firms in connection with their IT systems and policies, and some simple steps that can be taken to minimise risk

The Department of Trade and Industry regularly publishes an Information Security Breaches Survey. The latest report suggests that approximately 44% of businesses in the UK suffered at least one malicious security breach in the preceding 12 months, with one fifth taking more than a week to recover fully from each incident. A third of the incidents were due to virus infections, despite the vast majority of organisations using anti-virus software.

Firms face a range of risks including virus attacks, inappropriate usage, unauthorised access or systems failure. Like all risks, these can be managed effectively, provided they are properly understood.

All practices (regardless of size) should consider the risks to the security of the information which they hold. It is tempting to assume that responsibility for the IT system rests with either the IT manager or the external consultants who set up the system. However, responsibility ultimately rests with the owners of the firm.

Viruses: keep up to date

A virus is a program designed to alter the way in which an IT system behaves without the consent or knowledge of the user of the system. These programs have two characteristics – they will run by themselves (possibly after inadvertent user intervention), and they are self-replicating (by copying themselves either on to other programs or on to other machines). Some viruses are relatively harmless, whereas others have the potential to have a catastrophic effect on PC systems. Worms are similar types of self-replicating programs – these drain computing resources simply through continued replication, often until the entire network fails.

Action points

Most firms will already have anti-virus software. This should, however, be updated on a regular basis. With effect from 1 November 2003, the Master Policy cover for loss of documents became subject to a market-standard exclusion in respect of loss or damage caused directly or indirectly by the transmission or import of any virus. The information sheet issued to all practices summarising the policy exclusions gave guidance on the risk controls which practices should have in place. User awareness is critical in preventing virus infections. Every individual in the firm who operates a computer should be able to identify likely sources of viruses and know the correct procedure to follow if a virus infection is suspected.

Spam: filter it out

The term “spam” refers to emails sent to a large number of recipients without the consent of the recipients. These messages are usually commercial in nature, often promoting illegal schemes or products. Spam takes up computing resources and is a distraction and waste of time for recipients.

Action points

The firm should have a clear policy on spam so that users know how to deal with it. The firm may want to take a view as to whether or not it is worthwhile reporting spam messages to the firm’s internet service provider (ISP). Recipients of spam messages should be aware that they should not respond and that, where appropriate, opt-out boxes in online application forms, etc. should be completed. Practices themselves should consider making use of blocking and filtering products in order to minimise the number of spam messages that actually arrive in users’ inboxes.

Frauds: spotting, and reporting

Increased use of the internet has proved a fertile breeding ground for various types of frauds and scams. The most common is the advance fee fraud, often called a “419 scheme”. This fraud involves emails from individuals claiming to represent a foreign government agency or a wealthy individual, with a request to transfer large amounts of money into the email recipient’s bank account on a temporary basis to facilitate a particular transaction. The sender promises a large fee in exchange for this service. These well-publicised frauds are attempts to obtain bank account details. Bank request frauds may be slightly harder to spot initially – an email is received which looks as if it has come from a bank, asking the email recipient to confirm their account details for security purposes. Such emails can often seem relatively plausible to those recipients who happen to have online accounts with the relevant institution.

Action points

Frauds are particularly difficult to prevent simply by relying on technology. They are a prime example of why education and awareness are as important as having technological controls. Firms should make individuals aware of the most obvious types of fraud that can be perpetrated by technology. There should be a clear policy regarding the reporting of instances of these to an appropriate individual within the firm.

Unauthorised access: external/internal

Unauthorised access can be both external and internal. However, the extent of the risk of unauthorised external access to a firm’s systems needs to be kept in perspective. It is not particularly likely that a third party will make a conscious decision to test the security of a small practice. However, automated random scanning of the internet can detect weaknesses in any system connected to it. The “always on” nature of a broadband connection means that it is important for users to be aware of such risks. If a firm has a broadband connection and all the computers are switched off there is no risk. However, if there is a broadband connection and the computer is switched on, that computer can be vulnerable if appropriate security measures are not in place. Unauthorised internal access is, for many organisations, a more likely scenario. This is principally because people who have access to the computer system know how it works (including knowledge of passwords). Even in a small practice, there is likely to be a considerable amount of information held on the computer system to which it would be inappropriate for all staff to have access, for instance salary details and personal information.

Action points

Risks can be minimised by a combination of technology, user awareness and firm policies. In addition to having properly updated anti-virus software, firms should have properly configured firewalls for their internet connection. There should be a procedure for checking that these technology protections are working correctly and for the reporting logs to be examined. Similarly, a programme of regular updates to anti-virus and firewall software should be in place. Basic housekeeping measures should also be employed, such as regular data backup and password protection for individual parts of the system. Review the document outlining the summary of Master Policy exclusions referred to above – this contains some brief notes on prevention/detection of unauthorised access to systems.
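The action points above say that firewall reporting logs should be examined and that there should be a procedure for checking the protections are working. The following script is an added example, not from the article or from Marsh; it reads a few constructed log lines in an assumed, simplified firewall format (real products differ) and reports two things a reviewer would want from such a procedure: external addresses that have probed many distinct ports, which is what the random internet scanning described above looks like in a log, and a basic check that the firewall is actually dropping inbound connections and which ports it is letting through.

```python
"""Added example: a small firewall-log review script (not from the article).

Assumed, simplified log format, one event per line:
  <date> <time> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<proto> dport=<port>
"""
from collections import defaultdict
import re

# Constructed sample log lines for illustration; addresses are documentation ranges.
SAMPLE_LOG = """\
2004-03-01 08:00:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=22
2004-03-01 08:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=23
2004-03-01 08:00:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80
2004-03-01 08:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=135
2004-03-01 08:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=139
2004-03-01 08:00:04 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=445
2004-03-01 08:00:04 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=1433
2004-03-01 08:01:10 ACCEPT src=203.0.113.44 dst=192.0.2.10 proto=TCP dport=25
2004-03-01 08:02:15 DROP src=203.0.113.44 dst=192.0.2.10 proto=TCP dport=25
2004-03-01 08:03:00 ACCEPT src=192.0.2.55 dst=192.0.2.10 proto=TCP dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def probable_scanners(events, min_ports=5):
    """Sources whose dropped connections touched at least min_ports distinct ports.

    One address walking through many ports is the signature of automated
    scanning rather than a user trying to reach a single service.
    """
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["action"] == "DROP":
            ports_by_src[ev["src"]].add(ev["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def firewall_is_dropping(events):
    """Sanity check: a log with no DROP entries suggests the firewall is not filtering or not logging."""
    return any(ev["action"] == "DROP" for ev in events)


def accepted_inbound_ports(events):
    """Ports on which connections were accepted, to compare with what the firm intends to expose."""
    return sorted({ev["dport"] for ev in events if ev["action"] == "ACCEPT"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("firewall dropping traffic:", firewall_is_dropping(evs))
    print("accepted inbound ports:", accepted_inbound_ports(evs))
    for src, ports in probable_scanners(evs).items():
        print(f"probable scan from {src}: {len(ports)} ports {ports}")
```

Run against the sample, the script flags 198.51.100.7 as a probable scanner, confirms the firewall is dropping traffic, and lists ports 25 and 445 as accepted. The last item is the one worth acting on in a review: port 25 is expected if the firm receives mail directly, but an accepted inbound connection on port 445 (Windows file sharing) from outside would be a sign that the firewall is not configured as intended.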

Inappropriate use: inadvertently?

For firms with email and staff who are able to connect to the internet, there is always a risk of some form of inappropriate usage of the system. Many firms have taken a sensible and relaxed view regarding acceptable use of the internet and email. A balance has to be struck between the potential risks such as lost fee-earning time, reduction in network resources and increased risk of virus infection, and the benefits that can come with some level of personal use, such as better staff morale.

Inadvertent misuse is, on occasion, a problem for firms. This can range from sending documents to home email addresses to simply sending very large files. In the former case, there is a risk that confidential information may be held less securely than it would be within the firm. In the latter, the network system may be slowed down considerably.

Action points

This is best addressed by a clear and unambiguous policy regarding what is and is not acceptable use of the firm’s IT system. This will vary between practices. Some practices may even feel it is appropriate to reserve the ability to monitor the usage of the firm’s systems. If that is the case, practices should take some time to consider the implications of monitoring. Useful guidance on this can be found on the Information Commissioner’s website. Any policy on acceptable use requires to be communicated to all users of the system.

Mobile technology: easy to steal

Mobile technology now brings its own risks as well as benefits. Wireless networks and phone systems (such as Bluetooth) can be monitored. Laptops and other portable devices are relatively easy to steal. Large amounts of confidential data can reside on laptops and handheld PCs. It is all too easy to imagine the situation where a solicitor requires to do some last minute amendments to a contract at home and transports the entire client file from the firm’s network to his laptop. If that laptop is stolen, the confidential data is lost. Firms should also be aware of the confidentiality implications in relation to unauthorised downloading by employees, which is made much easier by mobile devices. Connection of devices such as mp3 players to networks can give an opportunity for vast amounts of information to be copied from the firm’s network.

Action points

One of the best risk controls in this regard is awareness of users in relation to the possible risks. Few individuals actually wish to risk the integrity of the practice’s information. Raising users’ awareness of the potential pitfalls can, therefore, have a significant effect in reducing the chances of an inadvertent breach.

Mobile devices often have certain levels of built-in security. Although these are not foolproof, make sure these are used wherever possible – e.g. a request for a password as soon as the device is switched on. If very sensitive information is likely to be stored on mobile devices, investigate the possibility of additional security devices being installed.

Provide a clear policy on the acceptable use of mobile devices. Also, consider that, by the very fact of their mobility, these devices have a much higher likelihood of getting lost or stolen. Assume the worst and take steps to minimise what the potential impact could be. Check that all of the equipment is insured for off-premises use and what exclusions, if any, there are which would affect a claim on the policy. Make sure that there is an appropriate asset register of all mobile devices.


The risks to a practice’s business in relation to information security are likely to develop further as technology becomes more sophisticated and prevalent. Those listed above merely provide a flavour of some of the principal risk issues that firms can face. These risks can never be fully eliminated. Minimising the risks only comes through an understanding of what the potential problems can be. Often, solutions to these problems are not complex. In many cases, the principal method of managing the risk is not through spending money on new technology but simply by raising awareness of users. It is, however, for someone senior in the firm to take responsibility for managing these risks. 

Charles Sandison is a consultant to the FinPro (Financial and Professional Risks) Practice at Marsh. e:

The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.

Marsh Ltd is authorised and regulated by the Financial Services Authority
