Back in the 1950s, when Pitney Bowes was in the uncomplicated business of supplying postage meters to U.S. corporations, the company’s big security concern was relatively pedestrian: now and then, somebody’s relative would walk off with a meter machine.
Over the past 50 years, risk management at Pitney Bowes has undergone a slight bit of scope creep. Now a $4.6 billion (in revenues) mail-and-document-management specialist, the Stamford, Connecticut-based company provides, among other things, electronic billing, invoicing, and statement presentation for thousands of corporate customers. Last year alone, Pitney Bowes processed more than $14.5 billion in electronic postal payments.
While the move to E-document management has opened up whole new revenue streams for Pitney Bowes, it has also opened up a Pandora’s box of operational risks. And those risks strike at the very heart of the company’s 21st-century business model. “Unless we can give customers confidence about the security of our network,” says CFO Bruce Nolop, “we don’t have the ability to execute our business strategy. We might as well call it a day.”
Shareholders tend to take a dim view of calling it a day. Hence, Pitney Bowes deploys state-of-the-art firewalls, software, and encryption algorithms to fend off network invaders. But despite sizable investments in network security, managers at the company have come to a rather startling conclusion. Says Nolop: “We’ve learned that an employee culture about security is just as important as security software — if not more so.”
Surprising stuff, but spot on. The truth is, the recent string of damaging denial-of- service worms, Trojan-horse scripts, and E-mail viruses have amply demonstrated the limitations of network security systems. The numbers tell the tale. Investment in IT security was up 16 percent last year, says UBS security-software analyst Dan Cummins in a recent report, yet Herndon, Virginia-based consultancy TruSecure Corp. says companies spent 23 percent more fixing infected machines. TruSecure reckons that a record 108 of every 1,000 corporate computers were hit by a virus in 2003. This year, fast-spreading digital pathogens MyDoom, SoBig, and Klez have inflicted an estimated $75 billion in damage.
The trail of destruction left by malicious code has driven home a simple point: human error can undo almost any firewall or safeguard. Chris Byrnes, a research director at tech consultancy The Meta Group, believes using technology to combat technology is only 20 percent of the solution. “If you look at the most common [computer] security failure in Corporate America today,” says Byrnes, “it’s the employee who clicks on an attachment in an E-mail that infects his machine that then infects the entire corporate network.”
Patching that vulnerability has become a top priority of late for many companies. In some cases, the fixes are remarkably simple. For example, a few senior managers, spooked by “malware” that targets vulnerabilities in Microsoft’s Internet Explorer, now advise employees to use browsers that are less attractive to virus writers. Still others have formulated companywide policies for computer-security procedures, fining workers who fail to follow the rules. More effective yet, a few corporations have begun to enroll employees in security-awareness training programs — and then test those workers to see if the lessons have been absorbed. Says Richard Mogull, research director at technology research firm Gartner: “You want to turn your employees into security assets, not security liabilities.”