For businesses of all sizes, Primitive Logic's Schertler, who like Nicolls is a former NSA official, recommends two other security precautions that together cost precisely nothing. First, require employees to use "strong passwords," made-up phrases that would-be intruders can't guess or decipher, by running programs that automatically test passwords with common words or names. "Mix up letters and symbols to create something you wouldn't find in a dictionary," says Schertler, something like "drB613Jzx." Second, assign someone on staff to act as your in-house point person for software-vendor updates. That way, your company will get regular reminders about such things as upgrades and patches, which crop up over time. Some security breaches, particularly those on Web sites, happen simply because nobody has the responsibility for retrieving the remedy for a security hole.
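A screening check in the spirit of the first precaution, added here as an example that is not part of the original article: it rejects a candidate password built from a common word or name, even when digits or symbols are swapped in or used as padding. The function name `screen_password`, the short word list, and the length and variety thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample list (assumption): a real deployment would load a large
# file of common words, names and known-breached passwords instead.
COMMON_WORDS = {"password", "welcome", "dragon", "michael", "jennifer",
                "summer", "letmein", "monkey", "company"}

# Look-alike substitutions to undo before comparing against the word list.
LOOKALIKES = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
              "@": "a", "$": "s", "!": "i"}

def _letter_forms(candidate):
    """Yield letters-only readings of the candidate for dictionary matching."""
    low = candidate.lower()
    yield re.sub(r"[^a-z]", "", low)          # digits/symbols used as padding
    for one in ("i", "l"):                    # "1" can stand in for either
        table = str.maketrans({**LOOKALIKES, "1": one})
        yield re.sub(r"[^a-z]", "", low.translate(table))

def screen_password(candidate, words=COMMON_WORDS, min_length=8):
    """Return reasons to reject the candidate; an empty list means it passed."""
    reasons = []
    if len(candidate) < min_length:           # threshold is an assumption
        reasons.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        reasons.append("not enough character variety")
    hits = {w for form in _letter_forms(candidate) for w in words if w in form}
    for w in sorted(hits):
        reasons.append(f"contains common word or name: {w}")
    return reasons

if __name__ == "__main__":
    for pw in ("drB613Jzx", "Password1!", "m1ch@el2001", "summer"):
        print(pw, "->", screen_password(pw) or "accepted")
```

Schertler's sample, "drB613Jzx," passes this check, while "Password1!" and "m1ch@el2001" are rejected despite their mix of characters because a listed word or name is still recognizable underneath.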
Lewis and Roca already had many of those precautions in place. But after the terrorist attacks, the firm looked even harder for potential weak spots. Its in-house security team renewed its interest in how the firm controlled access to its systems, including its public Web site and client extranet. Team members also reviewed the firm's virus-scanning capability, as well as its plans for preserving digital records during a natural -- or terrorist-caused -- disaster. In direct response to the World Trade Center attack, they even researched ways to salvage paper records. "The pictures of legal documents floating through the streets of lower Manhattan made us aware that recovery of electronic data alone may not be sufficient," says chief operating officer McCormick. "We may want to consider technologies that will provide us with electronic images of our paper documents and files."
At the same time, the law firm, like many other small businesses, realizes its security-improvement process will never be finished. "It's fluid, it's evolving," McCormick says. "We're learning new things day by day as the situation changes." In fact, on the day McCormick made those comments, his firm had just launched a new security initiative to investigate ways to monitor incoming mail for evidence of explosives, anthrax spores, or other potentially deadly materials. The firm also advised employees about ways to protect and preserve data on their own home computers, as well as ways to secure office E-mail and voice mail.
Yet despite widespread concern about cyberterrorism, the FBI's data indicate that most security problems originate within a company's walls, either by accident or by design. For that reason, experts also recommend that companies monitor their networks for unauthorized remote access, set alarms to indicate large deletions of files, and remove ex-employees' access to computer, E-mail, and even voice-mail systems as soon as they're out the door. As security expert Nicolls puts it, "Unfortunately, people can still screw up the very best technology you can buy."
Anne Stuart is a senior writer at Inc.
Computer and Internet Security Resources
COMPUTER SECURITY WARNINGS AND ADVISORIES
- FBI's National Infrastructure Protection Center: www.nipc.gov
- CERT Coordination Center, Carnegie Mellon University (funded by U.S. Department of Defense): www.cert.org
- The System Administration, Networking, and Security Institute: www.sans.org
COMPUTER SECURITY INFORMATION AND TRAINING
FREE TIPS ON PREVENTING SECURITY PROBLEMS AND CYBERTERRORISM ATTACKS
REPORT PREDICTING CYBERATTACKS DURING THE U.S. WAR ON TERRORISM
Hands On
48 Hours: How do you eliminate bureaucratic bottlenecks? Siamak Farah, CEO of InfoStreet, a $1.8-million developer of corporate intranets in Tarzana, Calif., wants his 15 staffers to take initiatives and run with them -- as opposed to waiting for a manager's approval. So in early 2000 he inaugurated "the 48-hour rule." "If an employee comes up with an idea or proposal and submits it to his or her superior, the superior has two working days to respond," he explains. If a manager doesn't respond within 48 hours, then the employee can proceed under the assumption that the manager has granted approval. Farah says the rule has "done wonders" for decision making and initiative taking. And what if, perchance, a manager is away for two days? Nothing changes. Absentees must delegate the decision making to a second-in-command. --Ilan Mochari