cyberliability. introduction and overview overview –history –the problem: escalating risks from...
Post on 23-Dec-2015
218 Views
Preview:
TRANSCRIPT
Cyberliability
Introduction and Overview
Overview– History– The Problem: Escalating Risks from Internet
Connectivity– Cyberliability
• Discrimination• Harassment • Information Leaks• Offensive Content• Defamation and Libel• Spam
Overview
– Monitoring Internet Usage: Employer’s Rights and Responsibilities
– Internet Usage Policy Quiz
– Policies, Management Support
– E3 + E3
A quick update…
LANLAN
CustomersCustomers
IntranetIntranet
WANWAN
InternetInternet
BranchBranchOfficeOffice
SuppliersSuppliers
TelecommutersTelecommuters
The Internet is Changing Today’s Business Model
No More Business as Usual…
New Business Model
It is Not a Luxury, it’s a Competitive RealityIt is Not a Luxury, it’s a Competitive Reality
New Rules for a New Type of Business. . . Instant access to information Speed of execution is critical 24 hours per day (7X24) Global competition & access Provide information without barriers
End-to-end security
LANLAN
IntranetIntranet
WANWAN
InternetInternet
BranchBranchOfficeOffice
SuppliersSuppliers
TelecommutersTelecommutersCustomersCustomers
The Internet is Changing Today’s Business Model
There is one enterprise and it’s global.There is one network and it’s the Internet.
There is one enterprise and it’s global.There is one network and it’s the Internet.
In the near future…
By the year 2002, more than 88 million users in the United States will be connected to the Internet at work, using it as a tool for e-commerce, marketing, supply chain management, remote site connectivity and customer support. (Source: Estats, 1999
Once connected, these users will have the ability to:– Disseminate product and company
information at a faster rate– Communicate instantly across geographic
boundaries
Once connected, these users will have the ability to: (cont.)
– Lower the costs of providing information and services
– Share information with partners and vendors
– Leverage the power of e-commerce and multimedia applications
You’re not paranoid, they are out to get you…
Who are We Protecting Ourselves From?
Hackers/Crackers/Phreakers Interior or Exterior attack Corporate Raiders Competitive Intelligence gathers Legitimate or Illegitimate inquiries Contractors Hacktivist Information Warfare
More risk…
Sources of Internet & Intranet Risk:
Web surfing Email Downloads Spam Newsgroups
Cyberliability
Cyberliability
Cyberliability:
“legal proceedings and related costs due to unmanaged Internet & intranet use, including e-mail, web surfing, ftp, newsgroups and spam.”
For Example…
Cyberliabilty:– Legal liability: case preparation
fees– Legal liability: settlement or
damages– Damaged image or brand– Lower shareholder value
Other Risk– Decreased employee productivity– Productivity slowdown
Remember we are all connected…
Of all the Internet risks, cyberliability exposes organizations to new level of cyber-danger.
e-documents are as binding as those written on company letterhead.
There is a trail of “e-evidence”
Bottom Line…
E-mail or web surfing that contain offensive or company confidential information can quickly result in:– Legal fees (including costs to prepare,
litigate and settle cases)– Depressed stock price– Negative effect on brand, reputation and
organization confidence
Internet & Intranet Environment Combine the casual atmosphere of Internet
communications with this substantial electronic paper trail, and it’s easy to see why the use of “e-evidence” has become the new evidence within the following categories of litigation:– Discrimination– Harassment– Obscenity and pornography– Defamation and libel– Information leaks– Spam
Cyberliabilty Risks
Cyberliability Risk
– Discrimination– Harassment– Information Leaks– Offensive Content– Defamation and Libel– Spam
A complete listing of cyberliability cases and press coverage could fill several volumes.
Lets chat about a few recent examples
Discrimination
Discrimination A Federal court in New York has allowed a class
action discrimination suit based on racist e-mails. The defendant is a large Wall Street brokerage firm and the plaintiffs are seeking $60 million in damages. (Owens and Hutton v. Morgan Stanley & Co., Inc., Case No 96 Civ 9747)
Female warehouse employees alleged that a hostile work environment was created in part by inappropriate e-mail. Plaintiffs ask for $60 million in damages; case settles out of court.
(Harley v. McCoach, 928 F. Supp. 533, E.D. Pa. 1996)
Harassment
Harassment International Microcomputer Software pays a former
employee $105,000 after she received sexually harassing messages on the firm’s electronic bulletin board, even though the company reported the incident to authorities and launched an internal investigation. (Staff Writer, CNET News.com, April 14, 1999)
Chevron settles sexual harassment lawsuit for $2.2 million over e-mail postings such as: “25 reasons why beer is better than women.”
(Jerry Adler, Newsweek, “When E-mail Bites Back,” November 23, 1998)
Information Leaks
Information Leaks The Justice Department’s anti-trust lawsuit against
Microsoft Inc. is based in large part on internal e-mail messages about efforts to insert a bug into Microsoft products to disable competitor’s products. (Wall Street Journal, John R. Wilke, August 27, 1998)
The defense contractor Raytheon sued 21 “John Doe” employees for posting company confidential information on the Internet. Two workers have since been identified and have elected to resign. (Staff Writer, CNET News.com, April 6, 1999, 1:30 p.m. PT)
Information Leaks
The restaurant chain Shoney’s is demanding that Yahoo reveal the identity of 100 people who posted confidential information concerning restaurant closings and an alleged pending bankruptcy filing on message boards. (Staff Writer, CNET News.com, April 12, 1999, 5:00 a.m. PT)
Offensive Content
Offensive Content The New York Times dismissed 23 employees at an
administrative center for violating the company’s e-mail policy regarding “offensive or disruptive messages, including photographs, graphics and audio materials.” (Staff writer, NYTimes, December 1, 1999)
The Xerox Corp. fired approximately 40 people for viewing porno-graphic sites at work, most managers, directors, and exec-officers (Richard Mullins, Rochester Democrat and Chronicle, October 7, 1999)
Offensive Content
At least six employees of the US Navy Naval Supply Systems Command (NAVSUP) have been, or are expected to be suspended for circulating “inappropriate, adult humor material” in e-mails. Another 500 were reported disciplined. (Staff writer, The Sentinel, December 4, 1999)
Defamation and Libel
Defamation and Libel
Wade Cook Financial sues members of a bulletin board for libelous statements about the company. (Liz Enbysk, ZDNET Anchordesk, March 10, 1999)
An insurance company is sued for circulating an e-mail that accused an employee of using her corporate credit card to defraud the company. (Meloff v. New York Life Insurance Co., 51 F.3d 372, 2nd Cir. 1992)
Spam
Spam
GTE blamed spam for the shutdown of one of its mail servers. Several individuals also complained over the year that they were personally shut down after spammers used the individual’s e-mail addresses as forged return addresses. (John C. Dvorak, PC Magazine, March 24, 1998)
Monitoring Internet Usage: Employer Rights and Responsibilities
Monitoring Internet Usage: Employer Rights and Responsibilities
Employer’s Right to Monitor– Most experts agree that an employer has
both the right and the responsibility to manage employee Internet use, but…
– There are no laws on the books that can be interpreted as prohibiting an employer from watching what its employees do on the Internet.
EPCA
The Electronic Communications Privacy Act (ECPA) generally prevents employers from monitoring personal communications, such as private phone calls, unless there is reason to believe that a crime has occurred or certain other exceptions. However, the ECPA does support an employer’s right to monitor stored electronic communications, such as voicemail and e-mail messages in order to protect its business, rights or property.
What can and cannot be done… What’s an employer to
do? Where do we start? What are our rights as
employers? What does the law
say? Can I really be
charged with any of this?
Policies/Procedures/Practices
Written Policy– There is no legislation that requires employers
to require a written policy before monitoring e-mail and web usage. However, having each employee read and sign your Internet Usage Policy is an extra step that the courts have found to reinforce the employer’s rights:
• After being terminated for inappropriate e-mails, two employees later filed a lawsuit for violation of privacy, which was then dismissed by the California Court of Appeals.
Written Policy (cont.)• The court concluded that the employees have
no reasonable expectation of privacy in their e-mail messages. The employees had acknowledged and agreed to the employer’s policies that stated that the use of company computers was for business purposes only. (Bourke v. Nissan Motor Corp., No YC-003979, Cal. Ct. App., June 1993)
S.A.T.E.
S.A.T.E.
Security Awareness, Training, and Education– Learning Continuum
• Awareness = what
• Training = how
• Education = why
– Continuous– Upgrade & Update– Test and Measure
Management Support
Management Support
Ask for the policies and read them! Talk & Listen to your InfoSec Officers! Participate in meetings/discussions. Write memos on InfoSec matters. Test & Measure all employees. Financially support the InfoSec efforts… SPA-Security Posture Assessment (see
me…)
Oh, think about this…
Things that make you go hmmm… While you were here listening to me, one of
your employees may be sending an email that could eventually cost your company/organization several millions dollars.
Another may be surfing the Web for personal information, or exploring the latest offerings in cyberpornraphy.
Still others are spending valuable time wading through – or following up on – volumes of junk email.
Things that make you go hmmm… And while you’re wondering is all of this
is going on, who is protecting you corporations/organizations secrets (sensitive material)? In the past year alone, according to the International Computer Security Association (ICSA), employee security breaches increased by 35% and the leak of proprietary information increased by 58%.
E-Commerce, E-Business, E-Mail, EEEEEEEEE…
Doesn’t sound possible? Think again. The “E” in email originally stood for “electronic.” Now it could mean “expensive.”
Does your Internet Usage Policy give specific guidelines for the following corporate communications:
Web surfing, E-mail, FTP, Newsgroups, Chat rooms, Spam? Do you periodically generate usage reports to get feedback on
compliance?
Weekly, Monthly, Bimonthly, Not at all Have you posted your policy and given each employee a copy?
Yes or No Have you vigorously enforced and promoted your policy?
Yes or No Have you been consistent in your treatment of policy offenders?
Yes or No
Have you periodically updated your policy to reflect current technology and business trends?
Annually, Semi-annually, Not at all
If you answered “no” to any of the questions above, your policy is in need of an update.
And Finally...
E3 + E3
E3 + E3
Educate Enlighten Empower
Establish a good policy & program
Educate based on the policy
Enforce the policies
Q&A
USC - Center for Information Assurance Studies The security of networked systems of
computers is essential for information security. USC – Center for Information Assurance Studies is the home to what many security professionals in the computer and network security community consider the “Top Gun” institution for IA. Combining research and studies in Information Assurance (IA) and Information Security (InfoSec) since its inception. The USC - Center for Information Assurance Studies encourages an open-environment in which students, faculty, staff, and other agencies work together to understand the information assurance requirements of a university setting as well as national infrastructure protection. Addressing the challenges presented by those requirements through education and research
top related