News Column

Facing The Cyber Threat

Page 2 of 1

Before last year’s terrorist attacks, many companies dismissed computer system security as an afterthought, because they felt it didn’t provide a concrete return on investment. These days, more businesses view the payoff as simply the ability to survive a massive cyber-attack. Prudent executives no longer ignore information technology managers’ long-standing pleas for larger security budgets. Many companies are bolstering their defenses against hackers, viruses, and e-mail tampering, experts say. “Before September 11, people thought they would be OK with basic protection such as a firewall, or they didn’t care,” says Roberto Medrano, CEO of PoliVec Inc., a Colorado-based security management software firm. “Now more people are thinking about the best ways to ensure protection and continuity of the computer system if disaster strikes.” But government officials and security experts warn that too many companies still aren’t spending enough to strengthen their computer systems against attack. Richard Clarke, President Bush’s special adviser for cyber-security, warned businesses that if they don’t beef up security, it’s only a matter of time before they’re targeted for attacks that could shut down critical infrastructure and result in the loss of sensitive data. Attorney General John Ashcroft announced that the FBI has warned thousands of corporate technology executives and managers that their computer systems remain vulnerable to cyber-terrorism. Several members of Congress have issued similar warnings. Some security experts believe a cyber-terrorist attack is inevitable. “Sooner or later, a form of electronic terrorism is going to happen,” says Andres Gutierrez, co-founder of Newco Productions in Freemont, California, a developer of technology infrastructure for startups. “We need to prepare for the event and know how to react to it.” Preparations abound. New York has created a cyber-security task force charged with, among other things, appraising the vulnerability of the state’s industries. President Bush proposed a 64 percent hike in spending on computer and network security. Congress is considering legislation that would strengthen computer defenses within the federal government and the private sector, and train cyber-security specialists. Associations, government agencies, consultants, and corporations have sponsored a flood of conferences with titles such as “Defending Against Information Warfare.” The federal government and several corporations, including Microsoft and AOL Time Warner, created the National Cyber Security Alliance to educate Americans about computer security. Despite these efforts, however, statistics paint a picture of vulnerability: •Nearly half of U.S. companies have no written security policy and depend mainly on passwords and multiple logons for protection, according to a 2001 survey by InformationWeek and PricewaterhouseCoopers.
•Viruses have attacked 82 percent of businesses, and vandals have struck 11 percent of company Web sites, according to Massachusetts-based International Data Corp.(IDC). IDC also reports that 20 percent of U.S. firms have been hit by denial-of-service attacks, in which hackers attempt to prevent use of a computer network by flooding it with information, disrupting connections, or applying other electronic means.
•Eighty-five percent of corporations, financial firms, government agencies, and other institutions reported security breaches last year, according to the 2001 Computer Security Institute (CSI)/FBI Computer Crime and Security Survey. “The threat from computer crime and other information-security breaches continues unabated … the financial toll is mounting,” the report concludes.
•Cyber-attacks cost the economy more than $13.2 billion annually, according to Computer Economics, a California consulting firm. The actual cost could be much higher. Only 36 percent of technology officers report security breaks to law enforcement officials, and 27 percent don’t know if they’ve had any, according to the CSI survey. Companies fear that reporting all computer violations could hurt business, security experts say. Computer systems remain vulnerable despite a recent spike in security spending. Last year, a new round of computer viruses, worms, and denial-of-service attacks hit many U.S. businesses, including Microsoft. The attacks helped sales by computer security companies grow 15 to 20 percent in 2001, according to IDC. The increase continued after September 11, but security experts fear it will prove short-lived. Corporations still spend less than a quarter of a percent of their revenue on information technology security, Mr. Clarke said in a recent speech. To this day, companies remain more worried about disgruntled current and former employees than terrorists. Insiders commit 81 percent of computer hacks and account for 84 percent of confidential information loss, according to CSI. Security experts fear that terrorists will try to recruit employees to help launch an attack. “You could conceivably have an insider paid by a rogue nation to help attack a computer system,” says Frank Huerta, CEO of Recourse Technologies, a maker of anti-hacker software based in Redwood City, California. Then again, experts say, terrorists don’t really need inside help. They have the same training and access to technology that corporations and hackers do, and they can launch attacks from anywhere, notes Mr. Medrano. Even the most expensive security measures offer no guarantee against hackers, who continually work to improve their tools for launching attacks. Increasingly sophisticated hacker codes are available free to anyone on the Internet. Security experts fear that terrorists can use a variety of codes to create “blended” attacks that are difficult to identify and defend against. Hackers are so good at what they do, says Mr. Gutierrez, that a friend recently changed the focus of his security business from stopping hackers to solving problems caused by their intrusions. If it’s impossible to stop hackers who aren’t terrorists, then it’s impossible to stop hackers who are terrorists, reasons Mr. Gutierrez. A cyber-terrorist attack can cripple a company, especially one that depends on the Internet for sales, marketing, inventory management, distribution, and other functions. A widely orchestrated attack could disrupt financial and healthcare systems, utilities, telecommunications, and deliveries of supplies and food products. Such an attack, if successful, could seriously undermine confidence in the nation’s economic system. That’s why many businesses are no longer taking a piecemeal approach to computer security, according to industry experts. Instead, says Mr. Medrano, they are forming comprehensive plans that include risk assessment, intrusion detection, security audits, antivirus and e-mail security software, firewalls, and written cyber-security policies. Increasingly, corporations are looking at ways to implement off-site, near-real-time backup systems, redundant telecommunications systems, and network system recovery plans. At least some measures recommended by security audits taken after September 11 are now being put into place, Mr. Huerta observes. “Our business has probably doubled over the last six months,” he says, mostly from state and federal government agencies and corporations that have done audits. Recent customers include three utilities, technology firms looking to protect chip designs, entertainment companies seeking to guard scripts, and a law firm concerned about hackers stealing information about mergers and acquisitions. Some businesses are turning to software that tracks e-mail communications about sensitive company data and visits to competitors’ Web sites. “We’ve had a surge in interest from companies seeking to guard corporate confidentiality,” says Aaron Shepherd, co-chairman of I Caught You (ICY), an Internet and message monitoring software provider in Bonita Springs, Florida. A company that went public recently asked ICY to implement a system that alerted management to outgoing e-mails containing certain key words included in the IPO, says Mr. Shepherd. And more companies are employing security consultants to test computer system defenses by hacking into them. Such experts offer a seemingly endless supply of horror stories about their success. “We were able to gain dial-up access to a publishing company, a newspaper, a financial firm, and a regional airline,” says Mr. Medrano. Says Mr. Gutierrez: “We accessed the mainframe of a regional bank’s computer in two hours, only months after they installed new network security measures. We could have stolen and moved money and changed customer identities. The bank’s chief information officer was fired a few weeks after the test.” Mr. Gutierrez also cites a startup that, after September 11, introduced a new networking product containing only the most basic data security measures. Companies complained that the product wasn’t secure enough – and that might not have happened before last fall’s attacks, Mr. Gutierrez says. More businesses are protecting physical access to computer systems as well. The number of inquiries about electronic locks, burglar alarms, and other access control devices grew fivefold after September 11, says Richard Soloway, chairman of New York–based NAPCO Security Systems. Some companies are also investigating cutting-edge security tools such as biometric devices, which use fingerprints, handprints, and retinal and voice patterns to identify people. Sales have risen substantially, according to Mr. Soloway, but he declined to be specific. “This is just the tip of the iceberg. We’ll see more interest as companies continue to assess their needs and scrutinize what’s available,” he says. Non-technical security measures also are on the rise, security experts say. Companies are cutting back on the number of people with full access to sensitive data and are requiring approval by at least two employees for some important technology functions. They are also tightening background checks on IT applicants and employees, as well as searching the computer-use records of technology workers upon their departure to find out whether employees copied files or sent e-mail to questionable places. Businesses are even cracking down to make sure employees follow the simplest of security procedures: Don’t leave computers logged on or leave sensitive data lying around. “Computer security is a team effort,” says Mr. Gutierrez.

Story Tools Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters