After suicide hijackers and anthrax letters, the next big worry is virtual terrorists.
E-Strategies
Worried that terrorists might attack U.S. computer systems next? A few simple precautions will go a long way toward protecting your company.
Even before last September's terrorist attacks, the law firm of Lewis and Roca LLP was hypercautious about safeguarding its sensitive digital documents. In fact, compared with other small companies in the law firm's home city of Phoenix and other law firms nationwide, Lewis and Roca seemed not just security-conscious but, well, a tad security-paranoid. For instance, accessing the firm's sophisticated client extranet had always required using a tool that constantly generated new personal-access numbers. And the firm's network automatically logged off users whose keyboards were idle for more than 60 minutes.
But that was before September 11. Afterward, like their counterparts at other businesses nationwide, Lewis and Roca executives worried even more about the possibility of unseen intruders infiltrating their computer systems. So the 51-year-old firm, which also maintains branch offices in Tucson and Las Vegas, immediately had an in-house team focus more closely on reviewing the firm's entire data-protection arsenal. The law firm's biggest priority, of course, is protecting the physical safety of its 350 employees, says chief operating officer Robert S. McCormick. To that end, Lewis and Roca has increased surveillance and security in all its buildings. But shielding its confidential records from theft, damage, or deletion also remains what McCormick calls a top "ethical and legal responsibility."
Lewis and Roca is far from alone in reconsidering its whole spectrum of data security. And under the circumstances, the firm is hardly overreacting. "Right now I don't think it's possible to be too worried" about safeguarding records, says Weston Nicolls, a former National Security Agency executive who is chief information security officer at Telenisus Corp., a provider of managed Internet infrastructure services based in Chicago.
Nicolls's concerns are shared by Michael A. Vatis, director of the Institute for Security Technology Studies at Dartmouth College. In a report released just after September 11, Vatis warned that attacks on U.S. computers were "extremely likely" as part of larger, coordinated terrorist actions launched in retaliation for U.S. military strikes.
Federal officials apparently agree. Three days after the September terrorist attacks, the FBI's National Infrastructure Protection Center issued a formal advisory warning of possible vigilante activity online. A few weeks later, the Bush administration appointed longtime White House counterterrorism coordinator Richard Clarke to the newly created job of cyberspace security adviser. Clarke has repeatedly warned Congress and U.S. businesses about the potential for a "digital Pearl Harbor" in which distant assailants would invade and damage the country's computer networks and telecommunications systems.
The good news is that there were no reports of widespread cyberterrorism in the weeks immediately following the suicide hijackings. But as the Dartmouth report points out, previous political conflicts -- for instance, clashes between India and Pakistan -- have led to "cyberattacks" in those countries. So as U.S. military action continues overseas, Americans need to be highly alert for a possible new wave of virtual warfare, with both distant and domestic hackers trying to deface or crash Web sites, disseminate computer viruses, and break into vulnerable networks to steal, corrupt, or delete information.
Osama bin Laden's shadowy, computer-literate followers aren't the only potential assailants. "Even more likely are cyberattacks by sympathizers of the terrorists, hackers with general anti-U.S. or anti-allied sentiments, and thrill seekers lacking any political motivation," the Dartmouth report warns.
In other words, companies should consider cyberterrorism not just possible but probable. They should also prepare accordingly, just as a California company might plan its response to an earthquake or a power failure and an East Coast business might protect its systems and data against a likely blizzard or hurricane. That means taking stock now to determine what's sufficiently safeguarded and what's still vulnerable -- and having an IT staffer or outsourcer make corrections immediately. "Once you're attacked is not the time to think about how to respond," says Mark Schertler, vice-president of networking and security services at Primitive Logic Inc., a consulting firm in Sausalito, Calif. "You should have a recovery plan in place. You should have discrete and diverse service providers so that if one gets attacked, you can still operate. And if you're relying on the Internet for revenue, you should have redundant sources to connect to it."
What's the minimum computer protection for small businesses? For starters, virus-scanning programs. Self-installed software that detects and stops both viruses and worms can cost as little as $100. Once the software is installed, companies should assign someone to update the protection programs at least once a week -- but preferably daily -- to protect against the latest nasty attack. "It's like an arms race," says Schertler. "New viruses are coming out all the time."
A second must-have: a firewall, or shield, between the company's internal systems and the Internet, to prevent unauthorized intrusions. The cost for that ranges from less than $50 for a home-based business to thousands of dollars for large companies with many remote users and massive amounts of confidential or valuable information.
Next, companies of all sizes should regularly back up all systems. Small companies may be able to get by with weekly backups; businesses of, say, $10 million or more in annual revenues should invest in technology that will take a data snapshot daily. Both should stash the stored data off-site. (Nicolls of Telenisus suggests using a bank vault.) Every company should also make plans to run its networks from another location if necessary.
Growing companies may also want to invest in a virtual private network (VPN), which provides far-flung employees, business partners, customers, and vendors with a secure tunnel into a business's internal computer system. They should also add security software to their road warriors' portable equipment, such as laptops and personal digital assistants. (See " Laptop Insecurity," Inc, March 15, 2001.) Users of Microsoft's Windows operating system may want to consider upgrading to the new Windows XP operating system for its built-in firewall, enhanced virus protection, and capability for encrypting files both on the desktop and in transit over the Internet.
