Warning: these issues result in the most court cases, workplace disputes and damages

Following a slew of national virus attacks, the rise of local phishing syndicates and a general rise in successful hacks, we've put together a list of South Africa's top five ICT risks. These are the issues that, in our experience, currently result in the majority of court cases, workplace disputes, and damages. A recent survey by the ePolicy Institute confirmed that the top five ICT risks are not uniquely South African but rather representative of an international pattern.

Top of the list

Topping the list and regarded as the most damaging ICT risk in South Africa is the risk resulting from employee abuse of electronic communication facilities such as the Internet, e-mail and instant messaging (IM). Examples of these risks include employees who download copyrighted music, video, software and books via P2P networks. The number of employees who harass other employees with text or graphics via e-mail or IM has increased significantly since 2004. Watching pornography at work, generally viewed as the most prevalent workplace mischief, is slowly disappearing and being replaced by the sharing of defamatory gossip and racist jokes as the most common staff technology abuse.

Security breaches

In second position is the potential risk or harm that may result from an outside breach such as a virus, hacker, Trojan horse, worm or spyware. Important corporate data may be destroyed, damaged and even disclosed because of these attacks.

In fact, hackers and virus writers are very opportunistic, in that they generally target indiscriminately and scan the Internet's servers for vulnerabilities.

Also, while most software distributors frequently release security patches to correct product vulnerabilities, attackers focus on those businesses that do not update their software applications. In fact, according to the SANS Institute, the easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities.

The SANS Institute regularly releases a list of the Top 20 most critical Internet security vulnerabilities.

Failure to disclose

In position number three is the risk associated with failure by a company to publish its full name, address, registration number and names of directors on all outgoing e-mail messages. Sections 51 and 171 of the Companies Act require disclosure and failure to do so is a criminal offence.

E-mail: for the record

In fourth position is the risk resulting from the common practice of deleting e-mail messages after a while. More than 23 separate pieces of legislation require the retention of certain records. If these records are contained in e-mail messages, those messages should be securely archived for the period prescribed by the applicable law. This could be anything from three months to thirty years.

Finally, according to a recent CompTIA study, human ignorance remains the main reason for IT security breaches. Notwithstanding the fact that 80% of vulnerabilities flow from staff errors, employers do little to educate and train their employees.

Other risks worth a mention

The risks that just missed the top five list, that is positions six to ten, are:
1. Liability resulting from the use of open source software.
2. Liability and harm resulting from a failure to properly address the protection of less common IP assets like experience, know-how, and trade secrets in employee agreements.
3. Risks resulting from a failure to secure critical third-party software use through active escrow agreements and a proper support and maintenance agreement.
4. Data damage, disclosure or loss of productivity resulting from spyware infections.
5. Risk and damages resulting from the actions of a disgruntled employee (inside the firewall).
