Enron: Security Woes, Too?

Protecting a company from external computer hackers is not a job for the faint of heart. Even when the attacks are routine, it’s tough, and it can be risky. Add a bunch of angry ex-employees and a slew of investigators who all want to get at your internal data and mess with it for their own varied reasons, and now you’re sitting on a powder keg.

Just ask Enron.

In early January, a would-be hacker figured he’d shine his own light on the internal workings at the giant—and failing—global energy trading company by getting hold of its top executives’ travel records. How best to find the details? Infiltrate the automated travel-and-entertainment software system used by Enron to keep track of executives’ travel, according to Concur Technologies, which developed the system and has hosted it for Enron at several co-location sites across the country for the past two years.

The good news is that Concur detected the attempt to intrude on the Houston company’s internal records within 60 seconds, according to Concur Chairman and CEO Steve Singh. The company thwarted the potential breach within three to four minutes. Enron’s data was not compromised.

At least not this time. But the incident begs the question: Should Enron be doing more to prevent this kind of security risk, particularly as the company’s image in the public eye darkens and the tales of its travails and questionable business deals, which have angered former employees and investors, drag on for weeks and months?

Although Enron executives declined to comment for this story, a former Enron information technology consultant says security at the energy-trading firm was lax. If, as computer security experts claim, Enron epitomizes the state of internal and external security at most Fortune 500-level companies, then it also offers lessons that others would do well to heed. What’s key to those lessons?

Concur is just one of tens or even hundreds of applications running at a global company such as Enron. Enron had thousands of desktop PCs and servers running operating systems including Microsoft’s NT 4.0 and Windows 2000, Sun Microsystems’ Solaris, other flavors of Unix, and Linux, the free variant of Unix, say parties with knowledge of the company’s systems.

On the application side, Enron also was a hodgepodge, using Microsoft Exchange Server as its primary mail system, Oracle and Microsoft SQL Server databases, and enterprise-application integration software from Tibco. Concur wasn’t the only hosted application run by Enron. At some point, the company employed, among others, sales force automation software from Salesforce.com. Executives with Salesforce.com, like those at most of the vendors on Enron’s IT list, declined to talk about one of their former favorite customers.