Managing the right risks
By Cybersleuth in Reader
Posted in data security, security practices, Policies on June 12, 2008 at 10:25 pm
If risk management is defined as the process of identifying, assessing and reducing risk to an acceptable level, the question remains: What is acceptable? In terms of risks to employees, acceptable is that in the event of an emergency, no one gets hurt. When it comes to company data systems, the mantra is backup, backup, backup. Most will have secondary systems set up off site. Keeping going, no matter what, is the name of the game.
But is risk management as simple as that? Is it only about threats to life and limb, property and commercial capability? Focusing on the big risks – the ones which will get us sued or put us out of business – is like covering one eye. It ignores one whole side of the issue. As much attention needs to be paid to the everyday risks because the everyday risks are the ones which are most likely to cause us pain.
It’s an uncomfortable truth but a truth all the same that when it comes to data security, humans are the weakest link. That means our staff, however much we love them, potentially pose as great a risk to our business as any terrorist-inspired incident or Act of God. A recent survey for the DTI, for instance, found that staff misuse of information systems accounted for 65% of security incidents in large businesses in 2006. Other studies confirm that data theft and corporate sabotage are most often conducted from the inside. Yet are companies prepared for this threat? More often than not the answer is no.
It is not just that organizations lack the appropriate security policies or forget to update them from time to time, though these are common faults. It is often that, once an incident happens, containing it becomes the overriding concern. Whilst it is obviously necessary to make sure that business continues as normal, there is a danger that important information – evidence which will be wanted later – will be lost in the frenzy. Digital data is incredibly fragile, yet it is digital data which will be needed when it comes to making a case against a culprit down the line.
What is crucial, then, is an awareness of proper practices and procedures as they apply to the gathering and preservation of digital evidence. For not knowing the rules may mean that the best proof is rendered inadmissible. Happily, the basics are easy to grasp and excellent guidelines have been laid down by the Association of Chief Police Officers (ACPO)*. Nevertheless, the deeper the understanding, the less likelihood there is that something will foul up. Those in charge of system security should therefore make a mission of arming themselves with the right knowledge.
Forensic preparedness of this type is essential if companies expect their cases to hold water when they come to court. Even where a lawsuit is not envisaged, adhering to best practices helps demonstrate due diligence and compliance – a fact that should tip the balance on its own.
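The post stresses that digital evidence is fragile and must be preserved in a way that can later be shown to be intact. One basic preservation step that a system security team can practise before any incident is to record a cryptographic hash of each collected file at the time of collection and re-check those hashes whenever the evidence is handled. The script below is an added illustration of that step; it is not code from the original post or from ACPO, and the hypothetical `examiner` label and the constructed sample files exist only to make it run stand-alone.

```python
"""Evidence manifest: hash collected files at collection time, re-verify later.

Added example (not from the original post). The examiner name and the sample
files in demo() are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, read in chunks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, examiner):
    """Walk `root` and record path, size and SHA-256 for every file found.

    The manifest is the record that lets anyone later prove the evidence is
    unchanged since collection; store it separately from the evidence itself.
    """
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": os.stat(full).st_size,
                "sha256": sha256_file(full),
            })
    entries.sort(key=lambda e: e["path"])
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # hypothetical label for who did the collection
        "entries": entries,
    }


def verify_manifest(manifest, root):
    """Re-hash every file named in the manifest; return a list of (path, problem).

    An empty list means every file is present and matches its recorded hash.
    """
    problems = []
    for entry in manifest["entries"]:
        full = os.path.join(root, *entry["path"].split("/"))
        if not os.path.isfile(full):
            problems.append((entry["path"], "missing"))
        elif sha256_file(full) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Create constructed sample evidence, build a manifest, then show how
    later changes are detected. Returns the two verification results."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "mail"))
    with open(os.path.join(root, "mail", "outbox.txt"), "wb") as fh:
        fh.write(b"hello")                      # constructed sample content
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"constructed sample note\n")

    manifest = build_manifest(root, examiner="A. Examiner (placeholder)")
    manifest_json = json.dumps(manifest, indent=2)   # what you would file away
    clean = verify_manifest(json.loads(manifest_json), root)

    # Simulate what the post warns about: evidence altered or lost after the event.
    with open(os.path.join(root, "mail", "outbox.txt"), "ab") as fh:
        fh.write(b" (edited)")
    os.remove(os.path.join(root, "notes.txt"))
    tampered = verify_manifest(json.loads(manifest_json), root)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("after collection:", before)        # []
    print("after tampering :", after)         # [('mail/outbox.txt', 'hash mismatch'), ('notes.txt', 'missing')]
```

In practice the manifest (and the hash of the manifest itself) is what you hand over with the evidence; anyone can recompute the file hashes independently, which is what makes the record credible.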
Too many memberships
By Cybersleuth in Reader
Posted in Uncategorized on April 21, 2008 at 6:43 pm
Like most people in IT, I belong to too many professional bodies. I am reminded of this every time another subscription invoice rolls in – mostly to the tune of £150 per year, or more. And each time I reach for the cheque book I ask myself the same question. Do I really need to belong to all these institutions, worthy though they may be?
It’s a dilemma that I’m sure afflicts the majority of IT professionals. I’m equally certain that most aren’t sure whether they ought to continue shelling out or not. The problem is that membership of a professional body is both expected and respected in industry. It looks good on the CV. It can also look good on the business card, since several institutions grant their members important-looking post-nominals. But how many memberships is enough? As more and more Institutes of This and That spring up, one is given to wonder whether there is much benefit in spreading one’s bets.
There is another issue here, too. In recent times, some of the older professional bodies have been reformed, renamed and rebranded. With the make-over has come a new membership drive – the thrust of it aimed at almost anyone who works in or with IT. The long-standing barriers between designated professional groups are becoming blurred as a result. There used to be, for instance, a difference between engineers and computer professionals. Both groups now happily embrace IT workers of every variety. Whilst many plausible arguments have been offered as to why this is A Very Good Thing, the not-so-casual observer cannot help but remark that the reasoning seems to have had more to do with the ungainly scrabble for bums on seats – and therefore cash in the bank – than the inevitable march of time and merging of skills.
To be fair, certain professional bodies have struggled to keep their doors open in the past and it would have been terrible to lose them, since they provide a focal point as well as networking opportunities and, often, excellent free or very cheap lectures. I cease to feel so generous about others, especially those which sound very grand, charge a lot of money and offer few or no benefits to members. One, in particular, incurred my wrath by inviting me to join, on the one hand, and sending around a fait accompli email on the other. This explained that since the CEO and other officials needed a raise – ooh… and a classy PR company had been taken on to aid publicity – membership charges would now be set at not much short of £200 p.a. The likely impact of that particular double-whammy was clearly lost on the perpetrators.
Dust off your policies
By Cybersleuth in Reader
Posted in data security, security practices, Policies, office on February 26, 2008 at 2:30 pm
Security policies. You’ve got yards of them, right? Fire, flood, terrorism, four horsemen of the apocalypse – pretty much everything’s covered. So you save the documentation, breathe a sigh of relief and get back to the business of doing business.
And that’s where the potential problems start: that file ‘em and forget ‘em attitude which abounds in companies of every size and significance. The point about security policies is not that it’s OK because they exist. Like any laws, they have to be workable and enforceable. Just as importantly, they have to be reviewed and updated on a regular basis. Read more
Beware BT’s Revenge
By Cybersleuth in Reader
Posted in technical hitch, Uncategorized on January 21, 2008 at 7:34 pm
It was partly my own fault. Enraged by a quarterly bill for more than £45 of which only 0.06 pence represented call charges, I let them pull the plug. Words like: ‘Cheek’, ‘Nerve’ and ‘Almighty arrogance’ bounced off the office walls. With a liberal sprinkling of the customary expletives, of course. Half an hour later, a horrible truth hit home. That line had had my broadband on it. I was now adrift in a technological vale of tears; a cyberspace where no-one could hear me scream.
But that was just the start. Little did I know that five days and enough negative adrenalin to pole-axe a polar bear later, I would still be out of contact with the surreal world. Terrible in its wrath, BT had resolutely cast me into outer darkness, there to remain for another seven to ten working days.
Picture, if you will, the hapless home worker, suddenly left high and dry. No email, no Internet, no fax. Having pleasantly asked (FX: whimpering and grovelling) BT to reinstate my service, I was told I would have to completely re-order a telephone line. It would take up to 48 hours to get connected. I would probably get the same number, but that could not be guaranteed.
‘But what about my broadband?’ I flustered.
‘You’ll have to talk to your service provider about that.’
So I did.
‘It’s OK, the pulse is still going down that line.’ I was told. ‘Everything should be fine.’
There is an ocean of difference, dear reader, between ‘should’ and ‘will’. I would not know how vast that ocean was for another four days. Inured to the fact that Monday was now totally up the shoot, I reached for the laptop and the 3G comms card. This, I reasoned, would at least keep the business running, albeit expensively. There was only one problem. Emails were coming in but the system was not letting any emails out. Desperate to get some paying work done, I chose to ignore that ’til the morrow.
Too busy to lose another day to fixing stuff, I found the email problem did not become insufferable until Wednesday – the same day I was reasonably expecting a return to normality. With what sounded like a dialling tone on the line, I imagined BT had reconnected me. A foolish whimsy, in retrospect. But I was always gullible. Ominously, though, the soft yellow pulse of the broadband light on the router was missing. The ADSL was still AWOL. So it was back on to BT. A verbal maze of interactive menus finally led me to a customer service representative. This was where things got worse. Much worse.
‘Oh, your order was cancelled,’ came the voice.
‘What?’ I squeaked, ‘Cancelled by whom? When? I didn’t cancel it. In fact, I paid £50 up front to be reconnected.’
‘Sorry madam, I can’t tell you why it was cancelled, we don’t have that information,’ said the voice, ‘I’ll put you through to sales. They have that information.’
And guess what? Yup, the thing was a total mystery to the sales department, too. According to them, customer services had that information. And so the fun went on. My order had been cancelled, no-one was saying why and I had to go through the order process all over again. Oh, and by the way, that’d be another 48 hours before the line would be reconnected. Cue Apoplectic Fit Number 149. To top it all, the salesman sweetly suggested that if I were to tell customer services my sorry tale, they would surely see their way to advancing the order.
You’re ahead of me, now, aren’t you? The customer services response? ‘We can’t advance orders. All orders are treated the same.’
Cue fit of Tsunamic proportions.
Never one to give in lightly, I next got on to my ISP. Just by way of varying the agony, you understand. I’d tried every type of email setting, I told tech help, but still couldn’t get mail out from the laptop. Three quarters of an hour later and every email setting laboriously tried yet again, it was, ‘You’ve obviously got a problem with Outlook. I’ll give you the number for Microsoft.’ A maniacal cackle crept out before I could stop it. I might be going mad but not so mad that I was ready to get embroiled in that one. ‘You have to be kidding,’ I managed, the last vestige of politeness in my body packing up and leaving home for good.
So. Friday. Ha, ha! I was ignoring the phone by now. Neyeah, neyeah! I don’t care, so there! Around three in the afternoon, my other line rang out and fell silent. I paused, then carried on with my work. I was playing this game pretty well. Come 4pm, I nonchalantly gave the offending phone a try. Miracle of miracles! There was a dial tone and it wasn’t a spoof. But… no light on the broadband. More calls to BT were of no avail. By close of business, it was clear I’d have to contact my ISP again.
Bleary, weary and still in my dressing gown, I was on the phone at the stroke of nine the next morning. ‘Ah,’ said a sympathetic voice, ‘I see what’s happened. BT have taken the markers off the line. Your account’s been closed. I’m afraid you’ll have to open another one.’
Having no energy left to even squeak, I gasped. ‘But I paid in advance for a year and that was in September.’
‘Oh, we’ll credit you that back.’
(Thinks: Big Deal)
‘So you’re telling me that I have to take out a new contract? I take it that means new passwords and everything?’
It did. It also meant more money. They weren’t doing the old deal any more. With a final twist of the knife, I was told that even though the line had been reinstated with the same number and we all knew it could handle broadband, BT would have to test it. Not once, but twice. Just to make sure.
A bleak vastness opened before me. A black hole into which another seven to ten working days of my life would disappear. Still not quite beaten, I dug out a couple of modem leads. Dusting off the faded memory of how dial-up used to work, I finally got a laptop and desktop up and running. The original email settings worked just fine. Which shows you how much help tech help can be.
Once more online, I first punched a triumphant fist in the air, then shook it at an uncomprehending ceiling.
‘Curse you, BT!’ I cried. ‘And you, ISP!’
Sad. But it made me feel slightly better.
Mobile mischief
By Cybersleuth in Reader
Posted in Uncategorized on January 4, 2008 at 7:08 pm
If the pathway to Hell is paved with good intentions, a large number of slabs must be engraved with the names of information age technologies. For so many innovative ideas, so obviously life and business enhancing, quickly become factors to fear in our everyday dealings as, one by one, they fall foul of human nature’s wonderful ability to subvert. Like Preston, the robodog, in Wallace and Gromit’s ‘Close Shave’, they are good things which have turned out evil. Alas, unlike him, they will not be returned to their former innocuous selves. Read more
Beware the Office Bash
By Cybersleuth in Reader
Posted in office, Uncategorized on December 19, 2007 at 11:40 pm
The perils of the office Christmas party, currently striking home in star soccer circles, will come as a nasty surprise for many of more modest social status this year. For them, the shock will not come in screaming headlines but the shrieks of outraged spouses or the ominous thud of solicitor’s letter on mat.
Turns out that the unwary are being watched by enterprising snoops who are cashing in on the season’s sexual excesses. Funded by worried partners keen to confirm their worst fears, the ever-game gumshoes have been turning up at restaurants and bars and joining in the festivities. Read more
Go phish!
By Cybersleuth in Reader
Posted in Uncategorized on December 13, 2007 at 12:16 pm
A new telephone phishing scam targeting Britain’s 8 million Sky subscribers seems to be doing the rounds. No surprise there, you might think. The way this one was played, though, suggests a security leak that either tracks back to the company itself or HM Revenue and Customs’ much-publicised data loss.
How do I know? Read more
The Devil’s in the detail
By Cybersleuth in Reader
Posted in data security, security practices, Policies, Uncategorized on December 4, 2007 at 10:59 pm
The Devil’s in the detail, so the saying goes. Wise words which apply with especial force to data security, not that you’d notice in many large institutions (and not just the ones currently in the corner in a dunce’s cap).
Time and again, when sensitive information goes AWOL, you find the focus has been on fixing the big stuff. Staff up an IT department, invest thousands in a sophisticated firewall, buy the right software and you’re home free. At least that’s the apparent misconception. Read more
Porn in the workplace.
By Cybersleuth in Reader
Posted in Policies, Porn on November 23, 2007 at 4:55 pm
Porn in the workplace. Who’s worried about it? Not enough large corporations with expensive, big-city offices, in my experience. And no, I’m not a prude, before you ask. Neither am I a killjoy. I spend most working days dumpster diving on other people’s hard drives, for heaven’s sake. Believe me, you need a sense of humour. A strong stomach also helps.
Not that I mind porn per se, you understand. So long as it’s adult, legal and on someone else’s computer. If that someone happens to be my client, though, I’m obviously obliged to tell them. In the first place, I assume they’re paying their employees to work at work and not spend hours surfing for extra-curricular entertainment. In the second, I assume they don’t want those kinds of pictures on their machines.
The initial horrified reaction to my glad tidings usually confirms these assumptions, particularly the second – an astonishing number of people remain unaware that content viewed in web browsers helpfully stores itself away on the computer itself. But the shock softens all too quickly. Usually within 48 hours in a predominantly male work environment. Now, I’m not entirely blaming the chaps here, but once the HR department scrapes itself off the ceiling and informs management, the waters have a noticeable habit of stilling themselves. Since, statistically, most high-powered departmental heads are men, I can only surmise that a laddish blind eye is being turned. The culprit will get a nasty wrist slapping and that’s about it.
So what’s wrong with that? Sadly, a great deal. The biggest of which is the Protection of Children Act, 1978, as amended. What people fail to take on board is that, under this Act, a child is anyone under 18. Furthermore, taking, making, possessing, distributing or publishing any indecent photograph of a child is illegal.
And an image of a 17-year-old in a compromising situation on your computer potentially constitutes both the ‘making’ and ‘possession’ of such a photograph.
If you’re not scared yet, you should be. Especially if your employees are surfing so-called ‘Teen’ porn sites. Who, hand on heart, can really tell the difference between a well developed 13-year-old and a normal 18-year-old girl? I’m a woman and the mother of a daughter and I’m damned if I can. I don’t fancy most men’s chances.
Mentioning the ‘P’ word has the tendency to turn clients into quivery wrecks but I will, do and actually must report images I believe to be illegal. Where there’s doubt, I issue this warning: Come the day the corporate shenanigans you called me in to investigate becomes a federal case, expect big trouble. If the police find something they don’t like on a suspect hard drive, you’re looking at anything from one computer being seized to all of them. The whole office. Gone.
Think about it. Then update and implement your Acceptable Use Policy. Please.