Last October, a Reuters reporter noticed that Swedish software company Intentia used nearly identical URLs, or Web-page addresses, when posting its first- and second-quarter financial results to the Web. Following the pattern, the reporter typed in the likely URL for the third quarter. Lo and behold, the results, which Intentia had not yet officially released, popped up on the screen. Within minutes, Reuters ran a story about the disappointing numbers.
The company promptly filed criminal hacking charges against Reuters. But in the end, it was only Intentia that was punished — censured by the Stockholm Stock Exchange for failing to protect its financial information by posting it to a publicly accessible site.
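The Intentia episode turns on one missing control: the web server trusted the obscurity of its URLs instead of the release schedule. The following is an added example, not code from the article or from Intentia, sketching the server-side gate a defender would want. Every document carries an embargo time, a request before that time gets the same 404 as a request for a path that does not exist (so a correctly guessed address reveals nothing, not even that the file is staged), and an audit helper lists what is staged but not yet releasable. The paths, dates and the `Document`, `serve` and `embargoed_paths` names are constructed for illustration.

```python
"""Embargo gate for pre-release documents (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Document:
    body: str
    release_at: datetime  # embargo lifts at this instant (UTC)


def at_utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; naive datetimes are never compared."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed sample store. The paths deliberately follow the predictable
# quarterly pattern from the story; with a release gate the pattern no longer
# matters, because knowing the address is not the same as being allowed to read it.
STORE: Dict[str, Document] = {
    "/investors/2002/q1-results.html": Document("Q1 results (constructed)", at_utc(2002, 4, 15, 7)),
    "/investors/2002/q2-results.html": Document("Q2 results (constructed)", at_utc(2002, 7, 15, 7)),
    "/investors/2002/q3-results.html": Document("Q3 results (constructed)", at_utc(2002, 10, 15, 7)),
}


def serve(path: str, now: datetime, store: Dict[str, Document] = STORE) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, body) for a request at time `now`.

    Unknown paths and embargoed paths get the identical response, so the
    server leaks neither the document nor the fact that it is already staged.
    """
    doc = store.get(path)
    if doc is None or now < doc.release_at:
        return 404, None
    return 200, doc.body


def embargoed_paths(now: datetime, store: Dict[str, Document] = STORE) -> List[str]:
    """Documents staged but not yet releasable at `now`.

    A pre-publication audit should confirm that none of these is reachable by
    any route that bypasses `serve` (for example a plain static webroot).
    """
    return sorted(p for p, d in store.items() if now < d.release_at)


if __name__ == "__main__":
    before = at_utc(2002, 10, 1)
    print(serve("/investors/2002/q3-results.html", before))   # (404, None): correct URL, still embargoed
    print(serve("/investors/2002/q4-results.html", before))   # (404, None): indistinguishable from above
    print(embargoed_paths(before))                            # ['/investors/2002/q3-results.html']
```

The design choice worth noting is the shared 404: a 403 for embargoed content would confirm to anyone probing the naming pattern that the next quarter's file already exists, which is itself market-moving information.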
Internet technologies can be a huge boon when it comes to quickly and widely disclosing information to investors and the public. But as Intentia’s faux pas illustrates, these technologies — including the Web, E-mail, and instant messaging — can be as dangerous as they are useful. These days, all sorts of financial information can move casually, and at the speed of light, around an organization. It is just as easy for employees — innocently, accidentally, or maliciously — to send that information outside.
In fact, according to responses to the 2003 CSI/FBI Computer Crime and Security Survey, as many security incidents originate from inside the organization as from outside. Theft of proprietary information, which insiders typically know best how to find, costs companies far more than common external security problems such as viruses. While firewalls and other security devices may be able to keep hackers out, companies are increasingly challenged to keep financial information in. “CFOs who don’t aggressively protect their companies’ information pose a far greater threat to shareholder equity and the health of their companies than anything we saw at Enron, Tyco, or WorldCom,” says Thomas J. Parenty, author of Digital Defense: What You Should Know About Protecting Your Company’s Assets, released this month by Harvard Business School Press.
I’ve Got Your Mail
Government regulation is only exacerbating the security problem. Both Reg FD and the relatively new Reg G, which restricts the release of non-GAAP financial measurements, make financial data leaks a potentially serious compliance problem for U.S. companies.
Then there is Section 404 of the Sarbanes-Oxley Act of 2002, which, according to the Securities and Exchange Commission’s proposed final rule, requires CFOs to attest that their companies’ internal financial controls “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the registrant’s assets.” Section 404 is an “IT regulation by inference,” says Marne Gordon, director of regulatory affairs for Herndon, Virginia-based security intelligence and services provider TruSecure Corp. “It doesn’t say specifically what companies need to do with those systems, but it is telling them to protect those systems [responsible for internal controls].”
The biggest threat to data in those systems may be E-mail and attachments. “The sensitive stuff is all there in E-mail, and it can go anywhere,” says Greg Olson, chairman and co-founder of Emery, California-based Sendmail Inc., whose offerings include E-mail-monitoring software. “Companies may be protecting data [from outsiders] with network controls like firewalls,” agrees Jim Schoonmaker, CEO of Lexington, Massachusetts-based Liquid Machines Inc., but employees can E-mail data outside the network, print it, or carry it out on laptops, disks, or PDAs.