Security, Privacy, Fraud, and Profits – A Common Sense Guide to Computer Technology Security

December 2006

Larry Wendt

Dependency on computers in the construction business is rapidly increasing. Along with this increased dependency is an increased risk to data security, invasion of privacy, fraud, and – as a result of all this – a direct risk to profits.

Before you think that this situation does not apply to you, consider the situation we actually encountered earlier this year:

A contractor is running a small office with 5 computers and a server. They run QuickBooks for their accounting and a variety of other software such as Microsoft Word and Excel. There was an unexpected power surge during what the electric company called “a power event.” The result was that the hard drive on the server was physically damaged and the server could no longer boot up from the damaged drive. The installed tape backup system had not been operating for the past six months.

The Fix: An emergency replacement of the damaged server hard drive was required. Because there was no backup, a special data recovery service had to be used to recover the data from the original damaged drive.

The (Unnecessary) Cost: $1,600 for two days of a network technician and a $5,000 fee to the data recovery service.

The Impact: At a 6% net profit, the company will need to do an additional $110,000 worth of profitable work to cover the costs incurred; the users were down for two days; some files were not recovered.

This event was expensive for this contractor. The potential risk to profits increases with greater reliance on computer technology. Take a moment to do a quick evaluation of the risks to your company based on how you use computers. You don’t need to know anything about computers, just how your business operates. Ask yourself:

• How dependent am I on day-to-day collections of accounts receivable? If I were to lose all or part of the records of what people owe me, how long would I take to collect that money? Could I collect it?

• If I suddenly could not get an estimate out for a week because the computer system was down – would I lose any opportunities?

• If I had to re-create all of my computerized document templates such as contracts, change orders, waivers, letters, etc. – what would be the cost in terms of time lost?

• If someone logged into my accounting system under a false name – could they cut a check to themselves without me knowing it?

• If I lost my entire customer list – what would it take to rebuild it? Could I rebuild it?

• If I lost all of my payroll records – even if I have paper backup – how long would it take to compile a union report, a 401K contribution, or a tax report?

• If one of my employees was hired by a competitor, how easy would it be for them to take critical information from my office to their new employer?

Short of keeping a paper copy of everything done in your computer system – and I admit that a few of our clients try to do this, but it doesn’t work very well – some of these questions should make you feel very uncomfortable if you don’t know exactly how you would prevent or recover from these types of events.

There are five basic threats that can compromise your company data – “malware,” hardware failure, data corruption, fraud, and loss from theft or disaster.

Malware is software that is designed to infiltrate your computer system without your approval or consent and damage or violate the computer system in some way. This is a general term that includes computer viruses, spyware, worms, Trojan horses, adware, and other undesirable and unwanted software.

Computers are remarkably reliable; however, hardware failures still occur. In particular, the hard drive is one of the few parts of a computer that has moving parts, and the hard drive is where all computer data is permanently stored. The moving parts of a hard drive eventually fail – it is just a matter of when – and when the drive fails, the data on the drive is lost.

Data corruption, in general terms, is when you think you are saving one bit of data in your computer system and what is being saved is something different. For example, you intend to write the sentence “I made money this year” in your word processor and what is actually stored in the computer is “qfrhwaf; hjf;e a;wkghe.” Does this really happen? Yes. This situation can be caused by anything from bugs in a software program to a bookkeeper accidentally posting an invoice to the wrong accounting period.

Fraud can be committed by any person who is determined, reasonably resourceful and has access to your computer system. The most common form of fraud we see is falsified checks using accounts payable or payroll in the computerized accounting system. There is a multitude of other fraudulent activities that can be carried out in any accounting system by someone with a modest amount of creativity.

And, if the above is not enough to worry about, there is always the possibility your computer equipment will be stolen or destroyed in a disaster.

Despite this grim list of things that can go wrong, you can protect yourself easily. While you may not completely prevent a loss of data, you can be in a position where it is merely an inconvenience and not an expensive loss. Have whoever is responsible for your computer system go through the following checklist and address each of these issues to your satisfaction.

• Back up your data regularly (daily)

Simple backups are not enough. Run periodic tests to ensure that you can actually restore the data from your backups. Periodically – at least monthly – store a complete backup in a remote location. Backup to tape is still the most cost-effective, reliable, and efficient method available.

• Use passwords

Use passwords that are at least 8 characters in length and have both numbers and letters. Do not share your passwords – no matter how convenient.

• Maintain basic security protection on your computer and server

Install a firewall on your office network and run a personal firewall on each computer. Have anti-virus and anti-spyware software installed on every computer and update it weekly. Update internet browsers and any Microsoft Windows operating systems with the latest security patches. This can be done easily through the internet. And, finally, limit user access to sensitive files with basic network security (user access to specific files).

• Follow common sense precautions when using e-mail and the internet

Never open an e-mail file or attachment that was sent to you by someone that you do not know. Do not ever respond to unsolicited requests for personal information over e-mail or the internet. When using the internet for financial transactions, always use a secure connection. You can tell that you are using a secure connection when the address of the site starts with “https://” or “ftps://”.
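The backup item in the checklist, and the tape system in the opening story that had silently stopped six months earlier, both come down to a check that can be automated. The following Python sketch is an added example, not part of the original article: it assumes the nightly backup is a tar archive, and the function name, paths and 24-hour limit are illustrative. It reports a backup that is stale, unreadable, or out of step with the live files.

```python
import hashlib
import tarfile
import time
from pathlib import Path

def _sha256(stream):
    """Hash a file-like object in 1 MiB chunks."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()

def verify_backup(source_dir, archive_path, max_age_hours=24, now=None):
    """Illustrative check: return a list of problems, empty if the backup passed."""
    source_dir, archive_path = Path(source_dir), Path(archive_path)
    if not archive_path.is_file():
        return [f"no backup found at {archive_path}"]
    problems = []
    # 1. Freshness: a job that stopped running shows up as an old archive.
    age_h = ((now or time.time()) - archive_path.stat().st_mtime) / 3600
    if age_h > max_age_hours:
        problems.append(f"backup is {age_h:.0f} hours old (limit {max_age_hours})")
    # 2. Restore test: read every file back out of the archive and hash it.
    restored = {}
    try:
        with tarfile.open(archive_path) as tar:
            for member in tar:
                if member.isfile():
                    restored[member.name] = _sha256(tar.extractfile(member))
    except (tarfile.TarError, OSError, EOFError) as exc:
        return problems + [f"backup unreadable: {exc}"]
    # 3. Completeness: every live file must be in the backup with the same
    #    contents. Run right after the backup, before users change files.
    for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        name = path.relative_to(source_dir).as_posix()
        with path.open("rb") as fh:
            live = _sha256(fh)
        if name not in restored:
            problems.append(f"not in backup: {name}")
        elif restored[name] != live:
            problems.append(f"differs from backup: {name}")
    return problems
```

Scheduled to run after each nightly backup, with any non-empty result e-mailed to the owner, a check like this turns a silent backup failure into a next-morning alert.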

In the world of computers, the old cliché is true – “it is not a matter of if, but when…” Protect yourself.