"It's an eye-popping experience to send in our loss-control people," says Rick Maloy, chief executive of InsureHiTech, an online insurance broker in Princeton, N.J. Maloy runs down the list of potential trouble spots: "If you've got a company with poor backups; a free-for-all of the use of the technology; no internal procedures in place . . . willy-nilly, helter-skelter security."
Those loss-control people are among a growing cadre of specialists who visit companies — in person and/or virtually — to find the weak links in security chains.
"We look at three key areas: people, processes and the technology," says Tom King, a management consultant at IBM in Montclair, N.J. IBM provides security assessments independently and in concert with insurers to alert managers to potential points of failure.
People pose the widest range of risks. The obvious worry is someone acting maliciously, but a more pervasive problem is people acting stupidly, because they have not been trained adequately, equipped well or monitored properly.
If a failure occurs, procedures must be in place to handle disaster recovery. "Contingency planning is critical for companies in this particular arena," says Richard Reed, manager of e-commerce and the intellectual property underwriting line at The Chubb Corp. in New York. "They have to think long and hard about when an interruption takes place, what they are going to do."
Insurers will examine not only critical policies and procedures, but the people in critical positions, says Ty R. Sagalow, chief operating officer at American International Group in New York. An insurer would ask, " 'Who reviews the content of your Web page?' If it's simply sent out by any unit of the company, that would be a negative," he says. "On the other hand, if the content is reviewed by your in-house legal staff or outside legal staff, that would be a good factor."
The people providing technical support also face scrutiny.
Knowledge of security procedures must be judiciously balanced between too few people and too many.
"You have to have a back-end business process that carefully meters out information to employees," says Scott Schnell, senior vice president of marketing at RSA Security in Bedford, Mass. "You can't give access to everything to everyone."
RSA develops and disseminates encryption software, tools that convert data into unintelligible gobbledygook, thus rendering it secure. Encryption protects data at three critical junctures: at the user's workstation, in transmission and within the business.
Encryption is "the strongest link in the security chain," Schnell says. "The most serious breaches have been where a hacker successfully worked around or broke through the firewall protection, and then was able to gain access to a system where the system itself did not protect the data it contained."
Operating a business in which all data is encrypted adds operating overhead of 5 percent to 10 percent to a computer processor, he says, but that's a small price to pay to ward off the most insidious hacker — an employee. "Even if the attack comes from an insider, the data is encrypted and available to only a small number of administrators," Schnell says. "We're at the early stages of it becoming standard procedure."
Another familiar security tool, the password, is taking on new dimensions. Most people are familiar with an automated teller machine, where they push in their plastic card, punch in a code and gain access to their bank account. Computer system security as practiced by RSA now includes a two-part password.
To remain secure, an Internet company must challenge its technology at intervals "to see if any of the windows or doors are open," IBM's King says. "Hackers are basically lazy people. They want the easiest way in. They will go through known holes."