Citation-> Canadian Business, August 1989 v62 n8 p65(5)
COPYRIGHT CB Media Inc. (Canada) 1989
----------------------------------------------------------------------
Title-> Infotech: stand on guard. (computer security) (includes related articles on computer bugs, computer security, cellular phone security)
Authors-> Misutka, Frances; Stieren, Carl
----------------------------------------------------------------------
Subjects-> Electronic data processing departments_Security measures
Computer viruses_Prevention
Cellular radio_security measures
SIC Codes-> 3663; 3571
Article #-> 07845695
----------------------------------------------------------------------

LAST NOVEMBER ROBERT MORRIS JR., AN indisputably brilliant Cornell University computer science graduate student, sent a program by remote control to a computer at the Massachusetts Institute of Technology's artificial intelligence laboratory. From there, the program quickly burrowed its way into the US Department of Defense's Arpanet network - Morris's target. Morris's program moved more rapidly than he thought possible, clogging and temporarily paralyzing thousands of military, corporate and university computers across the US within hours. The virus Morris had created was unlike many others, which sit in a computer's disk operating system and infect other disks that come into contact. Morris's virus didn't have to sit and wait for help - it was smart enough to spread by itself and consequently moved much more rapidly.

Fear spread rapidly too, as a result of Morris's experiment. Ken Grant, a partner specializing in information security with management consultants Stevenson Kellogg Ernst & Whinney in Toronto, says this fear accounts for the huge attendance at recent seminars on computer viruses held by his company. "These are senior management people coming to the seminars," says Grant, "and they're worried."

But viruses are not the biggest concern.
Rather, they are a symptom of living in a world where "integration," "networking" and "openness" are the operative buzzwords. Management's new computer security worries are simply a result of the new way computers operate - the basic security threats haven't changed. Data can be lost in a power failure or a fire; a disgruntled employee can destroy or steal commercially sensitive files; hackers like Morris can break security codes, or open unlocked doors into a system, and wreak havoc; and telephone lines can be tapped.

What is new is the vulnerability of computer systems in this increasingly integrated world. "It's getting so that we no longer know what is connected to what," says Grant. The multiplicity of interconnections means that managers have a harder time identifying the potential points of security breakdowns. In turn, these complex systems become increasingly vulnerable to security threats when they are linked to other systems in the outside world.

Unfortunately, the only way to truly secure a computer is to lock it away in a "glass room" and not give it a communication line. But this is where the catch-22 arises for business managers. Systems are given communication lines for one reason: so they can talk to other systems. Today it's possible for office systems to link with those of suppliers in the US, distributors on the other side of the country, and customers around the globe. But because a networked computer makes resources such as software programs and information more easily accessed and shared, the chance of those resources falling into unauthorized hands increases. As a result, managers are being forced to change their thinking about security.

Many businesses still focus their attention on the glass room, says Ron Gilmore, a partner with Gellman Hayward and Partners Ltd. of Calgary, whose experience with data processing and systems planning spans more than 20 years.
He explains that security during the days of the stand-alone computer meant locking the mainframe away in a glass room to which only the office technical expert had access. A few "dumb" terminals were used for clerical work. Since these terminals had little power and no intelligence of their own, there was less concern about what mischief the unsupervised employee or unauthorized intruder could perform. "But by the early 1990s," Gilmore says, "the distribution of PCs in the workplace will mean there will typically be three times as much horsepower outside the glass room as inside. Security solutions, on the other hand, are still being focused inside the glass room."

Those who are worried by all this talk of emerging security issues might find comfort in knowing that the security experts say the most effective solutions still rest with the way management handles technology, not just with the technology itself. Mike Oke is vice-president and general manager of Racal-Guardata Canada, a company that, among its services, sells computer security products that use encryption. But no technology is foolproof, Oke warns, and the easier it becomes for systems to talk to one another, the greater chance there is for unauthorized access to those systems. "It's up to management to put the right controls in," he says. "You can't think of security just in terms of a product that you put on a local area network [LAN]. It's more complicated than that. Security is a set of policies and procedures, including regular audits to find out what activity has gone on in a LAN." Oke says security products are a subsequent step in the process of securing a computer system. Policies and procedures come first.

Security consultants stress policies and procedures because the biggest threats to company systems are human, not technical. Grant says human error is still the main source of security breakdown by far.
This may be something as simple as keying in a wrong command at the terminal, but it also often means a lack of regard for proper procedures: swapping disks or software with unauthorized sources, writing passwords down in notebooks that are left out in the open, or sharing company information with friends outside the company. This is where security problems begin, says Grant. "Most users don't treat security as a major issue. They're far more concerned with getting utility out of the system."

But an office where employees are unconscious of the risks involved in things such as swapping disks or making passwords public is more vulnerable to computer crime. Rod Stamler, former RCMP assistant commissioner and the force's senior commercial crime expert who joined the forensic accounting department of Peat Marwick of Toronto on Aug. 1, says computer crimes - stealing or tampering with data, fraud and even industrial espionage - are most often committed by company insiders, or with the help of insiders.

Security practices start with managers teaching employees computer ethics - teaching them that they don't have the freedom to access, read, alter, or do what they will with computerized information. Employees need reminders that computers are aids to make their jobs easier, not aids to help them tamper with company information.

Gilmore says managers can teach computer ethics with something as basic as the employment contract. He has investigated many cases of internal data theft that could have been avoided if management had spelled out, in the contract, what is meant by "company information." He suggests a contract clause that restricts employees from "copying, securing, transmitting, keeping, storing, gaining from, selling or using company information." Information can be defined as anything from programs and data to processes, techniques or formulae.
Stamler says Gilmore's advice about contracts is crucial because theft can mean the end of business for companies that spend millions developing specialized software. Stamler remembers a case of an employee who learned a valuable secret about his firm's computer programs. The company never made him sign a contract saying the information belonged to it. "He left the firm, went to a competing company, and started selling the information as his own. We had no charge we could lay [because of the company's oversight]. The man was eventually charged with theft of paper."

But Gilmore says many managers don't want to hear advice about policies and procedures: "They'd rather spend money on security products, because, frankly, those things are more exciting."

Stamler says the RCMP has "no hard, fast statistics" on computer crime because people are often reluctant to report such incidents. Businessmen either don't want to suffer the public embarrassment, which may result in a loss of confidence in the company, or they're afraid that the company information the thief was trying to steal will become public knowledge.

In February Toronto-based software developer HCR Corp. found itself with a security problem when a man associated with the company used his personal computer to access files the company had termed "classified." Kok Weng Lee, a 31-year-old North York, Ont., man, was charged with "unauthorized use of a computer" - the first-ever charge under this section of the Criminal Code. Before Lee's court date, police would say little about the case, indicating only that because HCR had not hesitated to bring in the police, they would not release information about the case.

HCR has a $150,000 licence with the American Telephone and Telegraph Co. in the US to use its UNIX operating system's source code - a program that plays an important role in the rapidly growing world of open systems.
The program is worth little on its own, but consultants say Lee theoretically could have used information gained from the program to start up his own consulting company. HCR President Michael Tilson played down the significance of the case, saying that "no customer's confidential information was accessed at any time."

Lee appeared in a courtroom in Toronto's old city hall March 10, pleaded guilty to unauthorized access of a computer and was sentenced to 12 months' probation. Constable Craig Lewers of the Metro Toronto police force's Criminal Investigation Bureau (52 Division) later confirmed that Lee had copied the UNIX source code, which HCR had kept in a file labeled "classified." Lewers says the case is proof positive that managers can never be too vigilant when it comes to protecting highly confidential information. "You can have all the security products in the world," he says, "but they won't protect you from your own employees."

This doesn't mean that managers have to make the electronic environment so secure that employees can't do their jobs. Not everything in a company's computer system will be termed "classified" and therefore have to be secure in the true sense of the word. Michael Harrop is senior project officer with the information technology management division of the Treasury Board of Canada, and a member of the newly formed Canadian Advisory Committee on Information Technology Security, a national group of representatives from concerned industries working to promote national and international security standards. Harrop says managers should think about security as meaning three things: confidentiality, integrity and availability.

When governments talk about security, they mean confidentiality - information that is secret. Businessmen, with the exception of those in high finance, will generally have less concern for security in this sense. To protect confidential data:
* Store the data on a separate computer that's kept in a sealed room.
* Issue passwords.
* Make sure passwords are changed regularly and don't use those that are easily guessed.
* Don't link confidential data to the communication lines.
* If confidential data must travel over the communication lines, encryption (electronic scrambling) is essential.

The next level of security involves integrity: making sure that if company information does fall into the wrong hands, it can't be altered or destroyed. To help ensure data integrity:
* Ask security products companies about access control software.
* Perform regular audit trails to help spot unauthorized access.
* Don't use software from unknown sources.

Security also means availability, making sure the system is accessible and usable on demand by those authorized to use it. Consultant Grant says this really means contingency planning - "planning for the fire, the bomb, the virus, whatever." Ensuring availability requires careful planning ahead of time:
* Make backup copies of all files.
* Know what services are expendable so they can be shut off during a tornado or other crisis situations.
* Arrange for a "hot site": is there another backup system you can use in case your own crashes? Make arrangements for one - just in case.

While terms such as confidentiality, integrity and availability are useful in determining levels of security, they don't cover everything. John Hopkinson, a computer security consultant with DMR Group Inc., says security is too complex to be broken down into these tidy units. Something confidentiality, integrity and availability don't cover is the issue of repudiation. "If I send you a document, how do I ensure the authenticity of that document if six months down the road you decide you don't like the terms of that document and deny its very existence?" Hopkinson asks. He says consultants are examining electronic forms of message authentication to ensure that a computer system can keep accurate records in case such legal issues ever arise.
Hopkinson also says that neat terms such as integrity and availability don't work well when dealing with the single biggest security threat - people. "How do you ensure the availability or integrity of people, or guard against human error?" asks Hopkinson.

Hopkinson's question will continue to keep security experts busy. Despite the ever-increasing sophistication of technology, the biggest threats to security are human, not technical. Grant recently heard an instructive story involving a systems programmer in the US who was fired. Little did the company know the programmer had set up several dummy computer accounts before he got canned. The president's office informed everyone in the company that the programmer had been fired - everyone except the night security guard. The programmer came back at 2 a.m., waved to the security guard, sat down at a computer, called up the dummy accounts and caused chaos in the system's files. "That's not a systems problem," says Grant, "that's a procedural problem."

Simple human error, in all its forms, is the biggest threat to any company's computer system. "All the other threats, like viruses and hackers, are nothing compared to the impact of the user," says Grant. "We destroy ourselves long before anyone else can."

Why cellular phones make easy targets

Those who discuss strategy on cellular phones might be surprised to learn how vulnerable those conversations are. Ian Angus, president of telecommunication consultants Angus TeleManagement Group in Pickering, Ont., recently attended a seminar on communications in Ottawa, where someone asked him why businessmen weren't encrypting their cellular calls. "I told him that I thought the assumption was that it was reasonably difficult to tap an entire cellular conversation because of the way cars move from cell to cell."
After the seminar, the man approached Angus and told him that he had read an electronics magazine that told him, in detail, what equipment to buy (for less than $1,000) and how to set up his scanner so it could monitor cellular phone conversations. "This guy discovered that when people moved from cell to cell, their conversations moved either up one frequency or down one frequency, so that when he lost a call, it was always a minor adjustment to find it again. Now he's traveling around Ottawa listening to cabinet ministers, people talking to their mistresses and heaven knows what else."

And cellular snoopers are not easy to prosecute. The interception of cellular phone conversations is governed by the Radio Act, which makes it illegal to use information gained from interceptions but doesn't make the interception itself illegal.

The average business person probably doesn't have to worry about unauthorized snoopers, but eavesdropping on cellular conversations does happen. Nearly three years ago the Law Society of Upper Canada offered a brief warning in its newsletter to all member lawyers, advising them to be careful about conversations they have over cellular phones. The warning was sounded after one Toronto defence lawyer had his cellular calls intercepted by another. Says Keith Ward, a federal Crown prosecutor with the Department of Justice, "Arguably [people] have no reasonable expectation of privacy in the case of cellular phones, so we can tap away."

Fax security: curse of the wrong number

Nobody would think of sending a private letter through the mail without an envelope, but thousands of Canadians send confidential electronic facsimiles every day via public phone lines. "People don't seem to realize that just as you can dial a wrong telephone number, you can dial a wrong fax number," says Norm Watt, president of Privatel Inc., an Ottawa-based telecommunications security company. Merrill Lynch Canada Inc.
learned that lesson the hard way early this year when the company was seeking federal approval to open a banking subsidiary. The firm had meant the news about the bank to be confidential - until a memo dealing with the bank application was sent by fax, intended for the company's Toronto office. Because of a misdialed number, a copy of the memo turned up on the fax machine in the Toronto newsroom of the Globe and Mail. When contacted by the newspaper, Michael Sanderson, chairman and CEO of Merrill Lynch, had to confirm that the jig was up. Sanderson offered little comment on the incident, other than saying he planned to change a few fax numbers.

Michael Parent, spokesman for Ottawa-based Ricoh Corp. (Canada) Ltd., a leader in the fax market, says business people concerned with security sometimes devise "closed networks" using fax machines that have been programmed with secret access codes and are only compatible with machines with similar codes. Other machines offer memories that indicate when a facsimile has been received but won't allow the machine to print the document until a password is entered.

Here are a few tips for fax users:
* Don't fax confidential documents.
* Confidential information that must be sent by fax should be encrypted (electronically scrambled).
* Facsimiles meant for the president's eyes only should be sent to a special machine in the president's office.
* If you use passwords, change them regularly.
* Always verify reception to guard against misdials.

Beating the bugs: viruses, Trojan Horses and other vermin

When little bouncing balls started skipping across the screens of his students' computers one morning last March, Frank Skill wasn't immediately concerned. He watched as each ball ricocheted off the bottom of the screen and then started wiping out characters on the lines above.
"We thought at first we just had some scrambled start-up files from computer games that night school students had brought in," says the software applications instructor at Seneca College in Toronto. But the bouncing balls didn't go away after they had restarted the computers.

The Seneca computers had been invaded by a computer virus called the "Ping-Pong" or "Italian" virus. It had infected several machines in the classroom and had penetrated the college's microcomputer centre. Skill finally contained the virus by taking an uninfected copy of the disk operating system (DOS) and reinstalling it on the infected hard disks.

The term "computer virus" was first used by Fred Cohen, an American programmer, at a US Department of Defense computer security conference in September, 1984, although few were reported until Scientific American magazine ran several articles on the subject in 1984 and 1985.

A computer virus consists of a bit of computer code - sometimes as short as 100 bytes or as long as 2,000 bytes or more. A virus will copy itself onto an existing program, causing it to blank out the screen, erase data or program files, or even format the hard disk, wiping out all data and programs.

There are three main species of virus: those that infect operating systems, those that infect commercial programs, and a trickster known as the Trojan Horse. System viruses lodge themselves in the system or "bootstrap" sector of a hard or floppy disk. Whenever another disk with the operating system (DOS for IBM Corp.-style personal computers) is inserted in a drive, the virus spreads to that disk. Commercial program parasites lodge in unused spaces in a program such as a word processor and then spread to other programs. Trojan Horse programs pose as free computer games or utilities such as freeware programs found on electronic bulletin boards, but do their dirty work behind the scenes when you run the programs.
Unlike a true virus, a Trojan Horse can be stopped simply by deleting it from memory and from the disk.

Early computer viruses, which simply flashed messages such as "Ha, ha! You're dead" or "Gotcha!" across the computer screen, were easy to detect and root out. But computer viruses today are far more sophisticated and difficult to eradicate.

One virus, called the "Israeli" virus by many American authors and the "PLO" virus by others, infected personal computers at the Hebrew University in Jerusalem and even some units of the Israeli Defence Forces. It was a "logic bomb," set to go off on Friday, May 13, 1988 (40 years after Palestine ceased to exist as an independent entity), when it was set to destroy files in host computers. Israeli programmers spotted the virus and cleared it out of most of the infected computers before that date. However, according to Maariv, an Israeli daily newspaper, the Israeli Ministry of Education lost 7,000 hours worth of work when one version of the virus attacked computer files before the May 13 detonation date.

Philip Fites, an Edmonton-based information systems security consultant, has cowritten a book called The Computer Virus Crisis, which analyses the viral risk to today's computer systems. "I believe all computers in the future will spend part of their operating time coping with viruses," he says.

Martin Kratz, an Edmonton lawyer and co-author of the book, notes that one of the most common vectors of virus transmission is computer piracy. But computer databases and computer bulletin boards, set up to share data or programs over phone lines, can also be the source of viruses. Anyone receiving a computer program from a bulletin board might unwittingly be taking in a virus hidden in the program. Such a program could infect the user's hard disk, and from there infect any other disks put into the machine.
A virus on an IBM or compatible microcomputer might hide in an infected copy of a DOS file, the operating system for most personal computers compatible with IBM PCs, PC-XTs, and PC-ATs. A favorite target of viruses is the DOS file called Command.Com. The virus will copy itself into an unused section of the file and then change the file creation date of Command.Com back to its pre-virus date to cover its tracks. In Apple Computer Inc.'s Macintosh computers, a virus can easily hide in an extra "resource file" as a part of any Macintosh program.

Some viruses hide in the bootstrap sector of a disk, which is not visible to the average user, while others might hide in the battery-powered backup section of the memory on the computer's mother board or on the clock/calendar card. Still others store themselves in parts of hard or floppy disks marked off as "bad sectors." Since most hard disks have some bad sectors, there is really no easy way of detecting such viruses.

How does one protect against the virus? The best method is to take a few general precautions. Take computer programs directly out of their shrinkwrap - never use pirated copies. Put write-protect tabs on all original program disks before you load them onto your hard disk. And finally, never run a free computer program until your friends have run it for more than a year without problems.

There are vaccine programs available for every make of personal computer, but, unfortunately, some viruses are able to dodge them. A virus called "Killer" was written by programmers at PC Labs, the testing laboratory of PC Magazine in New York City, to test various vaccine programs. That virus dodged all 11 vaccines tested; three of them did report that virus activity was going on, but failed to stop it. The magazine's reviewers recommended FluShot Plus and Certus above the other vaccines. FluShot Plus is available for US$14 through Software Concepts Design of New York (212/889-6431).
Certus is available for US$189 from FoundationWare Inc. of Cleveland (216/752-8181). An antiviral program called The Antidote is available for $72 from Quaid Software Ltd. of Toronto (416/961-8243).

Code green: the cost of perfect security

The safest way of protecting information traveling over ordinary telephone lines from eavesdroppers is by encrypting, or scrambling, it. Encryption takes electronic signals, slices them up into pieces and scrambles them according to a randomly determined code, or algorithm. Encrypted data can then only be deciphered by using a pattern of the same code, called a key.

But encryption doesn't come cheap. It costs about $1,000 for the equipment to encrypt data files, while protecting communications links (telephone switching equipment) can run anywhere from $2,000 to $10,000.

Patrick Bird is president of Isolation Systems Ltd. of Etobicoke, Ont., a company that sells secure microcomputer systems. He says, for companies that believe their competitors will go to any lengths to penetrate their computer systems, encryption is a necessity. And Isolation Systems' products don't end with offering encryption. The company sells a product for the extremely paranoid: the ISAC 2400, a plug-in module that turns a standard IBM PC into a secure workstation by protecting it against the unlikely event of being dropped in liquid nitrogen. According to Bird, dropping a computer into liquid nitrogen slows down its memory, making the key values that unlock access to the files easier to read.

Isolation Systems does much of its business with governments and high-finance companies - the ISAC 2400 is not for everyone. But research may soon offer more affordable encryption. Bell Northern Research Ltd. (BNR), the research and development group jointly owned by BCE Inc. and Northern Telecom Ltd., has developed a version of the Rivest Shamir Adleman (RSA) encrypting algorithm.
Brian O'Higgins, manager of custom applications and development for digital telephone switches at BNR, says BNR's version of RSA (still part of an exploratory program) is contained on a single microchip. This means the technology will no longer require separate computers to perform the complex mathematics of encryption, thereby cutting the cost.

----------------------------------------------------------------------

JACK FISHER'S INTUITION TOLD HIM IT was time to expand, and his intuition had never failed him in the 12 years he'd been running his own business. New Interiors Ltd., his Toronto-based painting and home decorating company, was a great success, with revenues for 1988 topping $1 million. But most of his sales came from nearby neighborhoods. With the renovation market in Toronto booming, he wanted to tap into other areas of the city, and he knew from experience that the way to do this was through advertising.

Fisher, 48, attributed his company's success to two factors: his dedication to providing quality workmanship at competitive prices; and to an aggressive marketing campaign. "What good is it to be the best painter around if nobody knows who you are?" he repeatedly asked his son Bryan, 24, who had recently joined the family business as the general manager. "You gotta spend the dough so they know where to go."

True to his philosophy, Fisher sent out flyers four times a year to the suburban neighborhoods near his office and regularly purchased ads in community newspapers. In addition, he worked actively in several community organizations to maintain a high local profile. "Call me a traditionalist," he would tell Bryan, "but I believe that if I shake a man's hand, there's a greater chance that hand will dial my number when there's work to be done."

When Fisher informed his son - whom he was grooming to take over the business - about his plans for expansion, Bryan responded with enthusiasm. But when he outlined his marketing strategy, Bryan was less receptive.
"I'm going to blitz most of the city with flyers and take out ads in the major newspapers," Fisher said. "I'm also thinking about radio commercials."

"Newspaper ads are too expensive for the one shot they give you," Bryan replied, "and flyers have an extremely low response rate. You're not going to get nearly as high a response in areas where you're not known, compared to what you're getting right now. However, I have another suggestion. There's a new sales method called automatic call dialing."

Bryan explained that the system he was proposing consisted of a computer that calls numbers out of the telephone book and presents them with a recorded message describing New Interiors' services. At the end of the message, listeners are asked to leave their name if they want more information. "I have a friend in an advertising company who told me about this," Bryan said. "He was very persuasive about the way it could reach a lot of people at a relatively low cost."

Fisher did not like the idea. "Look, I had one of those machines call me awhile ago. Something to do with life insurance. And you know what I did as soon as I realized it was a computer?"

"You hung up."

"I hung up. You know your father, which is good. What is not good is that you think you can get new customers by using some impersonal machine. People hate these things. They'll get mad at us and we'll get a bad reputation."

Bryan countered by saying that flyers weren't any more personal than a recorded message. "Lots of people hate junk mail," he said. "You should be open to new ways of doing things. You can't shake hands with two-and-a-half million people. But this is a way that you can send them a message, and your voice if you want, directly into their home."

Fisher wasn't convinced, but he also didn't want to arbitrarily crush his son's initiative. Their conversation ended with Fisher asking Bryan to research the automatic call dialing services available.
He doubted that he would change his mind, but he wanted to give his son another chance to make his case.

Should Fisher have a more open attitude toward automatic call dialing? What are the benefits compared to sending out flyers? Before you read what the experts have to say, ask yourself - what would I have done?

WHAT THE EXPERTS SAY

TONY ROTHSCHILD
President
Phonetix Corp.

Coincidentally, our company recently completed a test of an automatic call dialing system using a Toronto paint company as the prospective client. Among other information, we wanted to determine the kinds of responses the system generated. Almost 50% of the people that we called listened to the complete message. When you consider that people could slam the phone down on a machine without feeling that they're upsetting someone - unlike a direct personal call - that was a very healthy response. About 40% just hung up, while the rest consisted of fax machine numbers, no answers, operator intercepts and so forth.

The format we used consisted of a message followed by a tone like an answering machine so that people could leave their name if they wanted more information. About 40% did leave a short message. Some were abusive and quite a few asked not to be called again. Under Canadian Radio-television and Telecommunications Commission guidelines, you must comply with their request by taking them off the database.

The percentage of positive responses was about 4% - that's quite encouraging compared to the response usually elicited by flyers, which usually ranges from .05% to 2%. Now, those aren't all going to end up as customers, but it's a good number of leads.

For various reasons, our company usually doesn't offer this kind of service, although we will sell a company a complete turnkey system so that they can do it themselves, which costs about $25,000 for a four-line system.
I would advise Fisher to consider using automatic call dialing because I think it is well suited for businesses such as painting and home decorating. However, I think he should go to a company that will do it for him on a fee-for-service basis. In other words, he should test it out before risking the considerable expense of buying a system. This type of advertising is becoming more accepted, just as the answering machine is now quite commonplace. It's effective for situations such as the police issuing emergency information to an area (the calls can be targeted with any parameters you want); school boards informing parents of closings due to bad weather; and airlines notifying passengers of cancellations. The Canadian Red Cross Society doesn't use the system to advise people of blood donor clinics because it prefers to rely on volunteers and finds automatic call dialing dehumanizing. However, they may use it in the future if they don't have enough volunteers to make the calls. Although there will be people who will get upset at being called, and who will feel that their privacy is being invaded, I don't think that should deter Fisher. There are people who get angry at flyers coming in the mail, too.

MARVIN FINE, President, D.F.D. Telebroadcasting Inc.

We provide an automatic call dialing service to clients such as fitness clubs, home renovators, stop smoking clinics, life insurance companies, headhunters and so forth. We make about three million calls a week. I think it's a method of advertising and promotion that's suited to certain types of businesses; from my experience, I believe it would work for Fisher's company, especially because he wants to reach a large number of people across a city. We charge a minimum of $2,520 a month plus Bell charges of about $600 a month. That gets you 12 lines a day (a line is like an operator) with any additional lines costing $7 a day.
For a two-month period, which is our minimum rental, the cost for 12 lines will be about $6,500. In two months, 12 lines will place about 800,000 calls. A script will be written and prepared for about $60. In addition to the basic system that asks people to leave a message after they've listened to the ad, we can produce interactive ads that ask the listeners to indicate certain responses by pushing numbers on their touch tone phones. We would offer Fisher a four-day free trial after which we would guarantee him in writing a certain number of leads a day, which is an obvious difference from using a flyer. We've found the response rate to be in the 4% to 8% range. The key for Fisher is that he must follow up on the leads quickly. He must have people in place to do that before the leads get cold, or else he's just wasting his money. We do get some resistance and a few "scoldings" from people who don't like being called by a machine, but it's not that many. Out of the three million calls we make each week, there are only about 2,500 complaints. A lot of people really seem to enjoy it. I had an evangelical organization that ran a 13-minute message for a year and a half. People expressed happiness at getting the call. The reason for the effectiveness of this kind of advertising is because of the importance of the telephone in our society. If the phone rings, people answer it, no matter what else they're doing. A flyer, on the other hand, often gets thrown into the garbage without even being looked at. The bottom line is that the phone gets results that no other form of communication can offer.

DAVID SCHEIB, Member Services Representative, Scarborough Chamber of Commerce

I became interested in telemarketing 18 years ago, long before it became as popular as it is today. Over the years, I've sold just about everything over the phone, such as real estate, contracts for construction jobs, investments, even chimney sweeping.
I'm a great believer in selling anything over the phone if you know what you're doing. I definitely think personal telemarketing is more effective than a flyer, but when it gets down to an automatic call dialing machine, I have some reservations. I would tell Fisher that in theory automatic call dialing is a good system for his type of business. However, it requires a sophisticated, well-produced message in order for it to be effective. Most of the messages that I've heard are not well designed. If it wasn't for my professional interest in hearing them, I'd hang up on almost all of them right away. One exception was a travel agency that knew what it was doing. I was pushing numbers on my dial phone to answer certain questions and it pulled me in the whole way with its five-minute call. Fisher should spend the money to have a professional produce the message he wants to send out, someone who understands the psychology involved in getting people to listen to a machine. This is vital because a poor message can really turn people off. I know many people who've told me they find the calls a great annoyance. It also doesn't help that there are a lot of scam-type people involved in marketing products over the phone, so it's crucial that the right impression is created immediately off the top. There's only a few seconds to capture people's interest before they hang up. Because of the volume of calls a system like this can make, Fisher could get good value for his money from it. But he has to follow up those calls within three days or risk losing the leads.

WHAT ACTUALLY HAPPENED

Fisher's son arranged for his father to visit a company offering automatic call dialing. Fisher was impressed by the demonstration but was still reluctant to go ahead with it. He had talked to many of his friends who almost exclusively expressed their dislike of receiving calls from a computer.
Fisher decided to go ahead with his original marketing plan of using flyers and some radio ads, but said that if the results weren't satisfactory after a few months, he would reconsider the automatic call dialing system. ----------------------------------------------------------------------