Computer hacking has been a hot news item recently. Over the last few months, the press has reported attacks on the White House, FBI, BellSouth, Wichita State University and Coca-Cola. Your company or organization can be a victim too if you don't pay attention to this issue.
The motivation behind hacking can run the gamut from political protest to economic gain to being a childish prankster. At a minimum, the result can be embarrassment for the company or organization.
Imagine waking up to find obscenities or child pornography on your corporate website. It's a nightmare that can undermine trust in your product, brand name and technological competence.
Even worse, hackers can cause losses of millions of dollars if they manage to steal or destroy corporate data.
One group of hackers, believed to be from Portugal, disabled over 60 websites in retaliation for the FBI's arrest of several American hackers.
The websites of the White House and four other government agencies were hacked in response to NATO's accidental bombing of the Chinese Embassy in Belgrade. The FBI and the Senate sites have been hacked too.
Moreover, it's not just government sites being hit. On New Year's Day, a hacker named "Zyklon" decided to use BellSouth's website to post a love letter to his sweetheart, "Crystal." What do you think that does to the public image of the telephone company as being a technologically savvy company?
According to security experts, the hacks on the government sites could have been prevented had some reasonable security checks been made. The simple truth is that weeks may go into planning graphics, layouts and links, but website security is often the skunk nobody wants to touch.
As you might expect from the rapid growth in computer literacy, hacking is on the rise, according to a 1999 survey by the Computer Security Institute. According to this survey, computer security breaches cost U.S. businesses over $120 million last year. Some experts believe that the actual cost is much greater because most organizations are reluctant to reveal security breaches. In the same survey, only 30 percent of the computer security professionals said they had publicly reported their incidents of system intrusions.
Protecting Yourself from Insiders
While outside hackers get all the publicity, you need to know that there's more risk from insiders, like disgruntled employees, than outsiders. The FBI has estimated that insiders are responsible for more than 80 percent of all hacks.
You can start by monitoring computer use. Have your technology attorney prepare an appropriate warning banner for you to post on your company computers. It should notify users of the possibility that you may monitor their activities.
You're serving two purposes with this tactic. You're defining your employees' expectation of privacy on the organization's computer system as limited. You're also putting yourself in a stronger legal position if you ever want to pursue a criminal charge against a hacker, whether from the inside or outside. It's hard for a hacker to argue that he didn't have criminal intent and didn't know that his activities were unauthorized in the face of a well-drawn warning banner.
In a similar vein, you should also use software that creates audit trails. You want to monitor logon and logoff activity, file access, and possibly even keystrokes. Without reliable audit trails, your ability to criminally prosecute could be severely hampered.
The reason for this is that often the hardest part of a criminal prosecution of a hacker is showing criminal intent. Their best defense may be, "I didn't know I was hurting anything" or "I didn't know I was accessing something I wasn't allowed to access."
You decapitate these types of defenses if you can present evidence of things like repeated attempts to access data with wrong passwords before the hacker got in. It's hard to say, "I accidentally typed the password that got me in" in the face of a log that says he tried 200 other passwords before the "accident."
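The pattern described above, a long run of failed logons followed by a success, can be pulled out of an audit trail mechanically. The following is an added example, not part of the original column; the log line format, account names and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
import re

# Assumed line format (constructed for this example, not from any real product):
#   <ISO timestamp> <LOGIN_FAIL|LOGIN_OK> user=<name> src=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def failures_before_success(lines, threshold=5):
    """Return one record per successful logon that was preceded by at least
    `threshold` consecutive failed attempts for the same account and source."""
    streaks = defaultdict(list)  # (user, src) -> timestamps of the current failure run
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not logon events
        key = (m["user"], m["src"])
        ts = datetime.fromisoformat(m["ts"])
        if m["event"] == "LOGIN_FAIL":
            streaks[key].append(ts)
            continue
        run = streaks.pop(key, [])  # a success ends the failure run
        if len(run) >= threshold:
            findings.append({
                "user": key[0], "src": key[1],
                "failed_attempts": len(run),
                "first_failure": run[0], "success_at": ts,
            })
    return findings

def build_sample_log():
    """Constructed sample: an ordinary user who mistypes once, and one
    account that sees 200 failures followed by a success."""
    lines = ["1999-06-01T08:59:00 LOGIN_FAIL user=asmith src=10.0.0.7",
             "1999-06-01T08:59:20 LOGIN_OK user=asmith src=10.0.0.7"]
    for i in range(200):
        stamp = f"1999-06-01T02:{i // 60:02d}:{i % 60:02d}"
        lines.append(f"{stamp} LOGIN_FAIL user=payroll src=10.0.0.42")
    lines.append("1999-06-01T02:03:20 LOGIN_OK user=payroll src=10.0.0.42")
    return lines

if __name__ == "__main__":
    for finding in failures_before_success(build_sample_log()):
        print(finding)
```

The single mistyped password stays below the threshold and is not reported; only the 200-attempt run ending in a successful logon is, with the timestamps needed to tie it back to the original log.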
Some basic advice is that you must use and frequently update anti-virus software, and only accept software and data files from reliable sources. Here, there's no substitute for employee education. Teach them to be cautious with file attachments to e-mails.
When dealing with particularly sensitive information, use encryption. Today, commercially available and inexpensive encryption software is strong enough to offer substantial practical protection.
Legal Protection
Both federal and state laws can offer you substantial protection from hackers and thieves. Although silently sealing the breach may seem tempting, you should strongly consider criminal prosecution.
While it may be embarrassing to publicly admit to a security breach, you need to make a statement that when it happens, it won't be tolerated. You should have your attorney approach authorities about criminal prosecution. You should also institute appropriate civil actions to make your attacker's life miserable. Create your own future deterrent by counterattacking as viciously as possible.
Remember that it's a war between you, hackers, and saboteurs. I assure you that those who want to attack your computers put energy and enthusiasm into their efforts. Defending yourself likewise requires energy, enthusiasm and your own security expert.
Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.
You can find a TechLaw archive at: www.DeWittGrossman.com.
If you have any comments, please send them to MGrossman@DeWittGrossman.com.
Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.
Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.