Protecting Your Good Name

Document Sample
Protecting Your Good Name Powered By Docstoc
Introduction and Overview
 Overview
  – History
  – The Problem: Escalating Risks from Internet
  – Cyberliability
      •   Discrimination
      •   Harassment
      •   Information Leaks
      •   Offensive Content
      •   Defamation and Libel
      •   Spam
 Overview
  – Monitoring Internet Usage: Employer’s
    Rights and Responsibilities
  – Internet Usage Policy Quiz
  – Policies, Management Support
  – E3 + E 3
A quick update…
The Internet is Changing Today’s
Business Model

   LAN                  WAN

  Intranet       Telecommuters
No More Business as

New Business Model
New Rules for a New
Type of Business. . .
 Instant access to information
 Speed of execution is critical
 24 hours per day (7X24)
 Global competition & access
 Provide information without barriers
 End-to-end security

      It is Not a Luxury, it’s a Competitive Reality
The Internet is Changing Today’s
Business Model

   LAN                       WAN

  Intranet            Telecommuters

 There is one enterprise and it’s global.
There is one network and it’s the Internet.
In the near future…
 By the year 2002, more than 88
  million users in the United States will
  be connected to the Internet at work,
  using it as a tool for e-commerce,
  marketing, supply chain management,
  remote site connectivity and
  customer support. (Source: Estats,
 Once connected, these users will
  have the ability to:
  – Disseminate product and company
    information at a faster rate
  – Communicate instantly across
Once connected, these
users will have the ability
to: (cont.)
– Lower the costs of providing
  information and services
– Share information with partners and
– Leverage the power of e-commerce
  and multimedia applications
You’re not paranoid, they are out
to get you…
Who are We Protecting
Ourselves From?
  Hackers/Crackers/Phreakers
  Interior or Exterior attack
  Corporate Raiders
  Competitive Intelligence gathers
  Legitimate or Illegitimate inquiries
  Contractors
  Hacktivist
  Information Warfare
More risk…
Sources of Internet & Intranet

 Web surfing
 Email
 Downloads
 Spam
 Newsgroups
 Cyberliability:

  “legal proceedings and related costs due
    to unmanaged Internet & intranet use,
    including e-mail, web surfing, ftp,
    newsgroups and spam.”
For Example…
  Cyberliabilty:
   – Legal liability: case preparation fees
   – Legal liability: settlement or
   – Damaged image or brand
   – Lower shareholder value
  Other Risk
   – Decreased employee productivity
   – Productivity slowdown
Remember we are all
               Of all the Internet
                risks, cyberliability
                exposes organizations
                to new level of cyber-
               e-documents are as
                binding as those
                written on company
               There is a trail of “e-
Bottom Line…
 E-mail or web surfing that contain
 offensive or company confidential
 information can quickly result in:
  – Legal fees (including costs to prepare,
    litigate and settle cases)
  – Depressed stock price
  – Negative effect on brand, reputation and
    organization confidence
Internet & Intranet Environment
 Combine the casual atmosphere of Internet
  communications with this substantial
  electronic paper trail, and it’s easy to see why
  the use of “e-evidence” has become the new
  evidence within the following categories of
  –   Discrimination
  –   Harassment
  –   Obscenity and pornography
  –   Defamation and libel
  –   Information leaks
  –   Spam
Cyberliabilty Risks
Cyberliability Risk

  – Discrimination
  – Harassment
  – Information Leaks
  – Offensive Content
  – Defamation and Libel
  – Spam
 A complete listing of
  cyberliability cases
  and press coverage
  could fill several
 Lets chat about a
  few recent examples
 A Federal court in New York has allowed a class
  action discrimination suit based on racist e-mails. The
  defendant is a large Wall Street brokerage firm and
  the plaintiffs are seeking $60 million in damages.
  (Owens and Hutton v. Morgan Stanley & Co., Inc.,
  Case No 96 Civ 9747)
 Female warehouse employees alleged that a hostile
  work environment was created in part by
  inappropriate e-mail. Plaintiffs ask for $60 million in
  damages; case settles out of court.
 (Harley v. McCoach, 928 F. Supp. 533, E.D. Pa.
 International Microcomputer Software pays a former
  employee $105,000 after she received sexually
  harassing messages on the firm’s electronic bulletin
  board, even though the company reported the
  incident to authorities and launched an internal
  investigation. (Staff Writer, CNET, April
  14, 1999)
 Chevron settles sexual harassment lawsuit for $2.2
  million over e-mail postings such as: “25 reasons why
  beer is better than women.”
 (Jerry Adler, Newsweek, “When E-mail Bites Back,”
  November 23, 1998)
Information Leaks
 Information Leaks
 The Justice Department’s anti-trust lawsuit against
  Microsoft Inc. is based in large part on internal e-mail
  messages about efforts to insert a bug into Microsoft
  products to disable competitor’s products. (Wall
  Street Journal, John R. Wilke, August 27, 1998)

 The defense contractor Raytheon sued 21 “John
  Doe” employees for posting company confidential
  information on the Internet. Two workers have since
  been identified and have elected to resign. (Staff
  Writer, CNET, April 6, 1999, 1:30 p.m. PT)
Information Leaks
 The restaurant chain Shoney’s is
 demanding that Yahoo reveal the
 identity of 100 people who posted
 confidential information concerning
 restaurant closings and an alleged
 pending bankruptcy filing on message
 boards. (Staff Writer, CNET,
 April 12, 1999, 5:00 a.m. PT)
Offensive Content
Offensive Content
 The New York Times dismissed 23 employees at an
  administrative center for violating the company’s e-
  mail policy regarding “offensive or disruptive
  messages, including photographs, graphics and
  audio materials.” (Staff writer, NYTimes, December
  1, 1999)

 The Xerox Corp. fired approximately 40 people for
  viewing porno-graphic sites at work, most managers,
  directors, and exec-officers (Richard Mullins,
  Rochester Democrat and Chronicle, October 7, 1999)
Offensive Content
 At least six employees of the US Navy
 Naval Supply Systems Command
 (NAVSUP) have been, or are expected
 to be suspended for circulating
 “inappropriate, adult humor material” in
 e-mails. Another 500 were reported
 disciplined. (Staff writer, The Sentinel,
 December 4, 1999)
Defamation and Libel
Defamation and Libel
 Wade Cook Financial sues members of a
  bulletin board for libelous statements about
  the company. (Liz Enbysk, ZDNET
  Anchordesk, March 10, 1999)
 An insurance company is sued for circulating
  an e-mail that accused an employee of using
  her corporate credit card to defraud the
  company. (Meloff v. New York Life Insurance
  Co., 51 F.3d 372, 2nd Cir. 1992)
 GTE blamed spam for the shutdown of
 one of its mail servers. Several
 individuals also complained over the
 year that they were personally shut
 down after spammers used the
 individual’s e-mail addresses as forged
 return addresses. (John C. Dvorak, PC
 Magazine, March 24, 1998)
Monitoring Internet
Usage: Employer Rights
and Responsibilities
Monitoring Internet Usage: Employer
Rights and Responsibilities

 Employer’s Right to Monitor
  – Most experts agree that an employer has
    both the right and the responsibility to
    manage employee Internet use, but…
  – There are no laws on the books that can
    be interpreted as prohibiting an employer
    from watching what its employees do on
    the Internet.
 The Electronic Communications Privacy Act
  (ECPA) generally prevents employers from
  monitoring personal communications, such as
  private phone calls, unless there is reason to
  believe that a crime has occurred or certain
  other exceptions. However, the ECPA does
  support an employer’s right to monitor stored
  electronic communications, such as voicemail
  and e-mail messages in order to protect its
  business, rights or property.
What can and cannot be done…
                What’s an employer to
                Where do we start?
                What are our rights as
                What does the law
                Can I really be
                 charged with any of
 Written Policy
  – There is no legislation that requires employers
    to require a written policy before monitoring e-
    mail and web usage. However, having each
    employee read and sign your Internet Usage
    Policy is an extra step that the courts have
    found to reinforce the employer’s rights:
     • After being terminated for inappropriate e-
       mails, two employees later filed a lawsuit for
       violation of privacy, which was then dismissed
       by the California Court of Appeals.
 Written Policy (cont.)
     • The court concluded that the employees have
       no reasonable expectation of privacy in their e-
       mail messages. The employees had
       acknowledged and agreed to the employer’s
       policies that stated that the use of company
       computers was for business purposes only.
       (Bourke v. Nissan Motor Corp., No YC-003979,
       Cal. Ct. App., June 1993)
 Security Awareness, Training, and
  – Learning Continuum
     • Awareness = what
     • Training = how
     • Education = why
  – Continuous
  – Upgrade & Update
  – Test and Measure
Management Support
Management Support
 Ask for the policies and read them!
 Talk & Listen to your InfoSec Officers!
 Participate in meetings/discussions.
 Write memos on InfoSec matters.
 Test & Measure all employees.
 Financially support the InfoSec efforts…
 SPA-Security Posture Assessment (see
Oh, think about this…
Things that make you go
 While you were here listening to me, one of
  your employees may be sending an email
  that could eventually cost your
  company/organization several millions
 Another may be surfing the Web for personal
  information, or exploring the latest offerings in
 Still others are spending valuable time
  wading through – or following up on –
  volumes of junk email.
Things that make you go
 And while you’re wondering is all of this
 is going on, who is protecting you
 corporations/organizations secrets
 (sensitive material)? In the past year
 alone, according to the International
 Computer Security Association (ICSA),
 employee security breaches increased
 by 35% and the leak of proprietary
 information increased by 58%.
E-Commerce, E-Business, E-

 Doesn’t sound possible? Think
 again. The “E” in email originally
 stood for “electronic.” Now it could
 mean “expensive.”
Does your Internet Usage Policy give specific guidelines for the
   following corporate communications:

Web surfing, E-mail, FTP, Newsgroups, Chat rooms, Spam?

Do you periodically generate usage reports to get feedback on

Weekly, Monthly, Bimonthly, Not at all

Have you posted your policy and given each employee a copy?

Yes or No

Have you vigorously enforced and promoted your policy?

Yes or No

Have you been consistent in your treatment of policy offenders?

Yes or No
Have you periodically updated your policy to reflect current
technology and business trends?

Annually, Semi-annually, Not at all

If you answered “no” to any of the questions above, your
policy is in need of an update.
And Finally...
E3 + E3
E3 + E3
Educate      Establish a good
               policy & program
              Educate based on
               the policy
              Enforce the
USC - Center for Information
Assurance Studies
   The security of networked systems of
    computers is essential for information
    security. USC – Center for Information
    Assurance Studies is the home to what
    many security professionals in the
    computer and network security
    community consider the “Top Gun”
    institution for IA. Combining research
    and studies in Information Assurance (IA)
    and Information Security (InfoSec) since
    its inception. The USC - Center for
    Information Assurance Studies
    encourages an open-environment in
    which students, faculty, staff, and other
    agencies work together to understand the
    information assurance requirements of a
    university setting as well as national
    infrastructure protection. Addressing the
    challenges presented by those
    requirements through education and