Before last year’s terrorist attacks, many companies dismissed computer system security as an afterthought, because they felt it didn’t provide a concrete return on investment.
These days, more businesses view the payoff as simply the ability to survive a massive cyber-attack. Prudent executives no longer ignore information technology managers’ long-standing pleas for larger security budgets. Many companies are bolstering their defenses against hackers, viruses, and e-mail tampering, experts say.
“Before September 11, people thought they would be OK with basic protection such as a firewall, or they didn’t care,” says Roberto Medrano, CEO of PoliVec Inc., a Colorado-based security management software firm. “Now more people are thinking about the best ways to ensure protection and continuity of the computer system if disaster strikes.”
But government officials and security experts warn that too many companies still aren’t spending enough to strengthen their computer systems against attack.
Richard Clarke, President Bush’s special adviser for cyber-security, warned businesses that if they don’t beef up security, it’s only a matter of time before they’re targeted for attacks that could shut down critical infrastructure and result in the loss of sensitive data. Attorney General John Ashcroft announced that the FBI has warned thousands of corporate technology executives and managers that their computer systems remain vulnerable to cyber-terrorism. Several members of Congress have issued similar warnings.
Some security experts believe a cyber-terrorist attack is inevitable. “Sooner or later, a form of electronic terrorism is going to happen,” says Andres Gutierrez, co-founder of Newco Productions in Freemont, California, a developer of technology infrastructure for startups. “We need to prepare for the event and know how to react to it.”
Preparations abound. New York has created a cyber-security task force charged with, among other things, appraising the vulnerability of the state’s industries. President Bush proposed a 64 percent hike in spending on computer and network security. Congress is considering legislation that would strengthen computer defenses within the federal government and the private sector, and train cyber-security specialists.
Associations, government agencies, consultants, and corporations have sponsored a flood of conferences with titles such as “Defending Against Information Warfare.” The federal government and several corporations, including Microsoft and AOL Time Warner, created the National Cyber Security Alliance to educate Americans about computer security.
Despite these efforts, however, statistics paint a picture of vulnerability:
•Nearly half of U.S. companies have no written security policy and depend mainly on passwords and multiple logons for protection, according to a 2001 survey by InformationWeek and PricewaterhouseCoopers.
•Viruses have attacked 82 percent of businesses, and vandals have struck 11 percent of company Web sites, according to Massachusetts-based International Data Corp.(IDC). IDC also reports that 20 percent of U.S. firms have been hit by denial-of-service attacks, in which hackers attempt to prevent use of a computer network by flooding it with information, disrupting connections, or applying other electronic means.
•Eighty-five percent of corporations, financial firms, government agencies, and other institutions reported security breaches last year, according to the 2001 Computer Security Institute (CSI)/FBI Computer Crime and Security Survey. “The threat from computer crime and other information-security breaches continues unabated … the financial toll is mounting,” the report concludes.
