[Sussex] IM Server
Steve Dobson
steve at dobson.org
Wed Apr 28 18:39:43 UTC 2004
Mark
On Wed, Apr 28, 2004 at 06:17:17PM +0100, Mark Harrison wrote:
> From: "Steve Dobson" <steve at dobson.org>
> >
> http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=industrial+espionage+court+case&btnG=Google+Search
> >
> > Somewhere around 50,600 hits. Is that enough evidence for you?
>
> I wasn't querying whether espionage happens - I was querying whether using
> an external IM service ACTUALLY introduces any business risk.
Any unsafe communication channel is a POTENTIAL business risk. Waiting for
it to be a problem is *not* a good plan. You have the cost of the occurrences
plus the cost of the defenses to carry. If you plan and implement before
the first occurrence then you save money.
> I have spent many years asking IT Security people the same question. "How
> much money would we lose if XXX happened?" In 90% of cases, the answer is
> LESS than the cost of fitting the "more secure" system that the IT Security
> person is asking for...
This is a separate argument. A valid one yes, but separate. This should
be part of a Risk Analysis. Because part of a good RA is defining how much
to spend to protect against the event.
> There are, in day to day life, a very very limited number of pieces of
> information whose disclosure would actually harm the organisation.
Yes, I completely agree. That is why it should be part of RA. If few
documents need security then these can use a more expensive (per event)
method (motorcycle dispatch rider for example) when they do need to be
sent.
> The
> classic cases are best bids from competitors in a negotiation... and
> increasingly eAuctions are putting pay to that claim, with companies
> typically making better savings from their suppliers when those suppliers
> HAVE the information (in the form of the counter bid) from their
> competitors...
>
> If a business tells you "if our competitors got hold of XXX, they would be
> able to do YYY" then the question is "if YOU got hold of the corresponding
> information about your competitor, would you be able to do the same to him?"
> Again, 90% of the answers to that are "well, now you mention it, no".
That may not always be the case. I was witness to a real live example.
A well-known company was adding some more specialised computer equipment. There
are two suppliers of appropriate systems and they do work together using
open standards - so either supplier would do.
When the XXX's sales person came in and was told that YYY's kit was
already being used his response was:
"As a YYY user you are entitled to a 50% discount."
If XXX was told that YYY's bid for the same amount of kit was only 5%
cheaper than his starting offer I don't think that the 50% discount
would have appeared.
Steve D