The Rise of E-Risky Business

These days, business risks can travel at the speed of light. Viruses can invade information systems silently, illegal e-mail can race from one colleague’s computer to another, and former or even current employees can steal or destroy valuable data with a few keystrokes. The result can be millions of dollars in corporate damage or liability.

In May, HRI conducted an “e-risk” survey that found that major U.S. firms are indeed taking steps to reduce such risks, though more may yet be needed. The HRI study is based on 70 responses from a variety of government agencies, associations and for-profit companies, most from the Fortune 500. It was conducted on behalf of an HRI sponsoring firm, commercial insurance broker Assurex International.

One particularly interesting finding for HR professionals is that the misuse of e-mail has become a major issue in recent years. Over a quarter of respondents (27%) said they had defended themselves against claims of sexual harassment resulting from inappropriate e-mail and/or Internet use. Some respondents had also experienced network system sabotage or data theft. About 13% said this had occurred with current employees, 7% said it had happened with former employees, 7% said it had occurred with contract employees, and 5.5% said they’d experienced it with consultants.

The cost of such misconduct may be enormous. Another recent survey, this one by the FBI and the Computer Security Institute of San Francisco, found that 70% of information systems professionals said their companies had experienced major computer crimes resulting in direct or indirect losses of hundreds of millions of dollars. Sadly, much of this can be attributed to employees. Security Management magazine reports, “Companies remain in denial about a key window for these crimes: the behavior of their own line employees and executives.”

However, the responsible employees aren’t necessarily skilled hackers. In fact, most problems are caused by ignorance or disregard for information security policies and practices, writes Norman R. Bottom, author of Industrial Espionage. He notes that security teams could “greatly reduce the company’s exposure to information loss through annual training that focuses on human factors.” And he believes that such training should focus on the various ways in which employees lose valuable information: waste, accident, error, crime, and unethical practices. For this type of training, he coins the acronym WAECUP.

The Assurex/HRI survey does, in fact, show that most large firms strive to educate employees about e-risk. Seventy-three percent educate employees about hackers and social engineering. Fully 93% have written policies governing employees’ Internet and e-mail use, and most also monitor Internet use (80%) and e-mail (60%).

Another way in which some companies are trying to reduce e-risk is through insurance coverage. Responding companies reported owning the following e-insurance products: Directors and Officers Insurance (53%); Product Liability Insurance (42%); Computer Software and Services Errors & Omissions Insurance (31%); Patent Infringement Insurance (27%); Business Interruption Insurance (24%); Media Liability Insurance (22%); Crime Loss Insurance (18%); Specialized Network Security Insurance (17%); Electronic Data Processing Insurance beyond a general business-property policy (14%); Unauthorized Access and Unauthorized Use Insurance (13%); Crisis Communications Insurance (6%); and Extortion Reward Insurance (2%).

The Assurex analysis of these figures suggests that employers remain underinsured in the area of e-risk, calling this a “serious oversight” in an age when computer losses add up to $10 billion a year. “Employers who think they can protect their assets simply by installing anti-virus software, firewalls, and encryption programs are kidding themselves,” states Assurex president and CEO Thomas W. Harvey.

For HR professionals, it is often hard to know just what the e-risks are because technologies are changing so fast and the legal system is just beginning to catch up with e-risk matters. For example, just last June the New Jersey Supreme Court ruled that if an employer has been informed that some of its employees are using a work-related electronic bulletin board to harass another employee, the employer has a duty to remedy that harassment (Blakey v. Continental Airlines Inc. et al.). The case involves allegations of harassment of a pilot by coworkers who left messages on an independently owned Web site used only by Continental employees. The outcomes of such cases are very hard to predict in today’s dynamic environment, which means employers must walk a fine line between maintaining vigilance against e-risk and urging employees to use new technologies in creative and productive ways.

====================================================

To see the Assurex analysis of the survey results, please go to
http://www.assurex.com/otbtemp/newspecial.asp.

To see the survey data itself, please go to
http://www.assurex.com/OTBtemp/news.asp?ID=107&TheStage=2.

A summary of the FBI and Computer Security Institute survey can be found at
http://www.gocsi.com/prelea_000321.htm.

For more information on Blakey v. Continental Airlines Inc., see
http://lawlibrary.rutgers.edu/courts/supreme/a-5-99.opn.html.

For information on the various certifications of IT security professionals, see
http://www.computerworld.com/cwi/story/0,1199,NAV65-663_STO48432,00.html.

For an article about how recent Internet attacks are increasing the demand for some types of insurance, please see
http://www.iwix.net/iwix/news_coverage/page.asp?id=11.