As a risk manager, you make important decisions to help your directors run the business securely, and you may believe that you take a particular interest in all the areas that could jeopardise your company data or business integrity - but do you? How do you know what the cleaner looks at when everyone has gone home, or what a temporary employee might be downloading onto your network?
Here are a few examples of what might happen.
CILLA THE CLEANER
A member of staff has left a PC running, so Cilla sits down and starts surfing the internet. She accidentally comes across some pornography sites and several windows open up automatically on the desktop. Cilla does not know what to do and tries to shut them all down.
Potential outcome Cilla has infected the PC with a virus that cannot be removed from the desktop and creeps onto the network, destroying valuable company data.
HARRY IN HUMAN RESOURCES
Harry is an avid computer games player and downloads a game from the internet by simply clicking on 'I agree' without reading the licence agreement.
Potential outcome It is the company director that is responsible for any breach of the licensing terms that he has accepted. This may result in a fine, or even a jail sentence.
FLO THE FINANCE CONTROLLER
It is Flo's boyfriend's birthday and she downloads some music to burn onto a CD for him.
Potential outcome While downloading music files, Flo has unwittingly put the organisation at risk, as the peer-to-peer file sharing application has planted spyware on the PC, releasing confidential company information into the public domain.
MABEL THE MARKETING MANAGER
Mabel is working on a presentation for a client and orders a design package to complete the finishing touches.
Potential outcome The company pays double what it should have, as its web designer already has a licence agreement that gives two users the right to use the software concurrently.
PRUNELLA THE PA
Pru is searching the internet for a new company mobile phone and orders it online.
Potential outcome Pru has unwittingly given the company details and bank information to a fraud and has become a victim of ID theft.
WILLY THE WORK EXPERIENCE STUDENT
Willy is working in admin for a couple of days. He decides to check his personal e-mails and opens up a spam e-mail.
Potential outcome The e-mail contains a virus, which spreads quickly across the company network and causes hours of downtime while it is cleared, costing the business vast sums of money.
FRANK THE FACILITIES MANAGER
Frank has been reading about the dangers of spyware. He comes across a pop-up advertisement for anti-spyware software and downloads it.
Potential outcome The pop-up was actually spyware disguised as an anti-spyware programme. Valuable company information is unknowingly sent back regularly to the source for illegal use.
LARRY YOUR LEGAL EAGLE
Larry buys the latest update of his office software.
He is very computer literate so throws the box in the bin and all documents with it as he knows exactly how it works.
Potential outcome Larry has thrown away the paper licence agreement and all proof of purchase. Should the publisher question it, there is no proof that the software has been purchased legally. In this situation it is the company director that is liable for any legal action, should the publisher wish to prosecute.
SID THE SECURITY GUARD
Sid has downloaded a Kylie screensaver and copied it for his colleague.
Potential outcome A screensaver is copyright material like most other downloads and software. In this case the licence states it is not to be copied under any circumstances.
SANDRA IN SALES
Sandra takes her laptop home and uses her own software to transfer photographs from her PC to the laptop.
Potential outcome The files she transferred include a virus, which could get onto the company network, presenting a security risk. In addition, the laptop could be missed from the network audit.
Mitigating the risks
Although these examples sound extreme, they are commonplace in many organisations.
Risk managers and directors need to to understand the issues and support the development and updating of IT policies, in order to avoid facing legal action.
Most company directors are unaware that the responsibility of ensuring company software is fully licensed lies with them. As publishers crack down on software piracy, businesses would do well to remember that ignorance is no defence.
All software, shareware, freeware, games, screensavers, music and pictures are copyright material and must therefore be licensed correctly. Few businesses understand that they never actually own the software within their company, no matter how much they pay for it; they are simply buying the right to use it.
One of the first tasks to ensure software compliance within your organisation is to establish clear IT policies and procedures. If you do not have any policies, the business becomes vulnerable in all areas, and it is much harder to safeguard the company directors against vicarious liability.
The IT department must work alongside other departments to ensure that company IT policies are accompanied by clear procedures. These should be reinforced by disciplinary processes to ensure that policies and procedures are adhered to throughout the business.
Businesses need to carry out an IT audit to assess their position with regard to licence compliance and to identify any hardware that could pose a security threat. This should be done by means of an electronic audit as well as by a 'walk-around'.
Employees invariably spend many hours at their workstations and often treat their computer as if it were their own property. Most computer users today are extremely proficient, and quite capable of taking advantage of the latest technologies. Unless the company states what is unacceptable, your employees will not know that they are doing anything wrong. It is important to be aware of new technologies and the risks they present.
You can then take the necessary precautions before an employee unwittingly puts your business at risk.
- Chris Minchin is membership manager at FAST Corporate Services, www.fastcorporateservices.com
