[Technology for the Office]

THE VIRTUAL OFFICE CAN BE RISKY BUSINESS

By MARK ESTEP
Arthur Andersen

Technology such as laptop computers, remote access to corporate data and systems, cellular communications and groupware has created a "virtual office" environment in many of today's businesses. These technologies empower people to perform beyond the walls of the office as we know it today and to interact more intimately with their customers.

But for all of the positive changes wrought by information technology, it's vital to also consider the risks they pose and how to manage them. As the media recounts stories of scam artists stealing laptops at airports and thieves cloning cellular telephone numbers, companies of all sizes are increasingly concerned about the security of their technological systems and access to organizations' information and knowledge.

Arthur Andersen recently interviewed dozens of corporate executives to compile a survey on "The Virtual Office At Risk." Among the most striking findings:

  • 50 percent of individuals responsible for managing business risk don't believe they have adequate security systems in place to manage Internet access;

  • 39 percent have similar concerns about their cellular communications; and

  • 29 percent are taking no actions to control risks related to groupware and workflow systems, the fastest-growing area of technology.

One explanation for this disparity between perceived risk and action is that many companies have a narrow view of business risk, defining it in terms of daily financial dealings. Risk must be redefined more generally, as any event or action that stops an organization from achieving its stated goals or business objectives. Managing business technology risk requires a holistic view that combines a knowledge of technology with a deep understanding of the business of business.

While no person or organization is immune to the risks presented by technology, there are tools that help companies identify and control risks. One of the most potent tools for identifying risks is the Arthur Andersen Information Security Framework, a process that allows Andersen business advisers to identify, source and size all relevant technology-related risks. This Security Framework links directly to the Arthur Andersen Business Risk Model, another of Arthur Andersen's holistic risk control tools.

Once the Information Security Risk Assessment has identified the business risks related to technology, the next step is to ensure that there are appropriate security risk management capabilities to handle these risks. The objective is to develop a cost-effective strategy that balances risk management efforts with your specific business risks.

The Information Security Framework helps to achieve this objective by focusing on the four broad, interrelated risk management control elements (the right side of the scale):

  • determine strategies and policies (Clearly define security procedures.);

  • manage deployment (Determine how they will be implemented.);

  • monitor events (Proactively look for threats to security.); and

  • provide technology solutions and architecture (Determine what safeguards should be in place to manage those threats.).

It's also important to balance these four control elements against the information technology risks depicted on the left side of the scale:

  • access;
  • process integrity;
  • relevance; and
  • availability.

This framework links business risk to the information security solution and focuses on specific layers in the information technology. However, it is not linked to specific technologies, nor to organizational structures.

Another important part of examining technology risks is to rethink the notion that risk controls are inherently negative. Although controls are typically perceived as constraints and boundaries that limit us as managers, there is more to them. Attempting to proactively assess and control all relevant business risk not only can help to stop bad things from happening, but can also allow good things to happen.

Granted, when looking at where your organization's risks lie, you will need to allocate some resources to the vital few risks that pose the largest threat to function or process. However, in this search you are more than likely to find that some risks are being over-controlled. When these overprotected areas are identified, changes can be made to reallocate those scarce resources to more goal-oriented objectives.

Companies are learning that technology can be both a friend and a foe. The more technology empowers and liberates the user, the more it generates inherent business risks for an organization. The challenge is to help control those risks without placing cumbersome security controls and limits on user access.



Mark Estep is Pacific Northwest senior manager of Arthur Andersen's Computer Risk Management practice.

Copyright © 1996 Seattle Daily Journal of Commerce.