• Cyber-attacks cost the economy more than $13.2 billion annually, according to Computer Economics, a California consulting firm. The actual cost could be much higher. Only 36 percent of technology officers report security breaks to law enforcement officials, and 27 percent don’t know if they’ve had any, according to the CSI survey. Companies fear that reporting all computer violations could hurt business, security experts say.
Computer systems remain vulnerable despite a recent spike in security spending. Last year, a new round of computer viruses, worms, and denial-of-service attacks hit many U.S. businesses, including Microsoft. The attacks helped sales by computer security companies grow 15 to 20 percent in 2001, according to IDC. The increase continued after September 11, but security experts fear it will prove short-lived. Corporations still spend less than a quarter of a percent of their revenue on information technology security, Mr. Clarke said in a recent speech.
To this day, companies remain more worried about disgruntled current and former employees than terrorists. Insiders commit 81 percent of computer hacks and account for 84 percent of confidential information loss, according to CSI. Security experts fear that terrorists will try to recruit employees to help launch an attack.
“You could conceivably have an insider paid by a rogue nation to help attack a computer system,” says Frank Huerta, CEO of Recourse Technologies, a maker of anti-hacker software based in Redwood City, California.
Then again, experts say, terrorists don’t really need inside help. They have the same training and access to technology that corporations and hackers do, and they can launch attacks from anywhere, notes Mr. Medrano. Even the most expensive security measures offer no guarantee against hackers, who continually work to improve their tools for launching attacks.
Increasingly sophisticated hacker codes are available free to anyone on the Internet. Security experts fear that terrorists can use a variety of codes to create “blended” attacks that are difficult to identify and defend against.
Hackers are so good at what they do, says Mr. Gutierrez, that a friend recently changed the focus of his security business from stopping hackers to solving problems caused by their intrusions. If it’s impossible to stop hackers who aren’t terrorists, then it’s impossible to stop hackers who are terrorists, reasons Mr. Gutierrez.
A cyber-terrorist attack can cripple a company, especially one that depends on the Internet for sales, marketing, inventory management, distribution, and other functions. A widely orchestrated attack could disrupt financial and healthcare systems, utilities, telecommunications, and deliveries of supplies and food products. Such an attack, if successful, could seriously undermine confidence in the nation’s economic system.
That’s why many businesses are no longer taking a piecemeal approach to computer security, according to industry experts. Instead, says Mr. Medrano, they are forming comprehensive plans that include risk assessment, intrusion detection, security audits, antivirus and e-mail security software, firewalls, and written cyber-security policies. Increasingly, corporations are looking at ways to implement off-site, near-real-time backup systems, redundant telecommunications systems, and network system recovery plans.
At least some measures recommended by security audits taken after September 11 are now being put into place, Mr. Huerta observes. “Our business has probably doubled over the last six months,” he says, mostly from state and federal government agencies and corporations that have done audits. Recent customers include three utilities, technology firms looking to protect chip designs, entertainment companies seeking to guard scripts, and a law firm concerned about hackers stealing information about mergers and acquisitions.
Some businesses are turning to software that tracks e-mail communications about sensitive company data and visits to competitors’ Web sites. “We’ve had a surge in interest from companies seeking to guard corporate confidentiality,” says Aaron Shepherd, co-chairman of I Caught You (ICY), an Internet and message monitoring software provider in Bonita Springs, Florida. A company that went public recently asked ICY to implement a system that alerted management to outgoing e-mails containing certain key words included in the IPO, says Mr. Shepherd.
And more companies are employing security consultants to test computer system defenses by hacking into them. Such experts offer a seemingly endless supply of horror stories about their success.
“We were able to gain dial-up access to a publishing company, a newspaper, a financial firm, and a regional airline,” says Mr. Medrano.
Says Mr. Gutierrez: “We accessed the mainframe of a regional bank’s computer in two hours, only months after they installed new network security measures. We could have stolen and moved money and changed customer identities. The bank’s chief information officer was fired a few weeks after the test.”
Mr. Gutierrez also cites a startup that, after September 11, introduced a new networking product containing only the most basic data security measures. Companies complained that the product wasn’t secure enough – and that might not have happened before last fall’s attacks, Mr. Gutierrez says.
More businesses are protecting physical access to computer systems as well. The number of inquiries about electronic locks, burglar alarms, and other access control devices grew fivefold after September 11, says Richard Soloway, chairman of New York–based NAPCO Security Systems. Some companies are also investigating cutting-edge security tools such as biometric devices, which use fingerprints, handprints, and retinal and voice patterns to identify people.
Sales have risen substantially, according to Mr. Soloway, but he declined to be specific. “This is just the tip of the iceberg. We’ll see more interest as companies continue to assess their needs and scrutinize what’s available,” he says.
Non-technical security measures also are on the rise, security experts say. Companies are cutting back on the number of people with full access to sensitive data and are requiring approval by at least two employees for some important technology functions. They are also tightening background checks on IT applicants and employees, as well as searching the computer-use records of technology workers upon their departure to find out whether employees copied files or sent e-mail to questionable places.
Businesses are even cracking down to make sure employees follow the simplest of security procedures: Don’t leave computers logged on or leave sensitive data lying around. “Computer security is a team effort,” says Mr. Gutierrez.