Worried that terrorists might attack U.S. computer systems next? A few simple precautions will go a long way toward protecting your company.

Even before last September's terrorist attacks, the law firm of Lewis and Roca LLP was hypercautious about safeguarding its sensitive digital documents. In fact, compared with other small companies in the law firm's home city of Phoenix and other law firms nationwide, Lewis and Roca seemed not just security-conscious but, well, a tad security-paranoid. For instance, accessing the firm's sophisticated client extranet had always required using a tool that constantly generated new personal-access numbers. And the firm's network automatically logged off users whose keyboards were idle for more than 60 minutes.

But that was before September 11. Afterward, like their counterparts at other businesses nationwide, Lewis and Roca executives worried even more about the possibility of unseen intruders infiltrating their computer systems. So the 51-year-old firm, which also maintains branch offices in Tucson and Las Vegas, immediately had an in-house team focus more closely on reviewing the firm's entire data-protection arsenal. The law firm's biggest priority, of course, is protecting the physical safety of its 350 employees, says chief operating officer Robert S. McCormick. To that end, Lewis and Roca has increased surveillance and security in all its buildings. But shielding its confidential records from theft, damage, or deletion also remains what McCormick calls a top "ethical and legal responsibility."

Lewis and Roca is far from alone in reconsidering its whole spectrum of data security. And under the circumstances, the firm is hardly overreacting. "Right now I don't think it's possible to be too worried" about safeguarding records, says Weston Nicolls, a former National Security Agency executive who is chief information security officer at Telenisus Corp., a provider of managed Internet infrastructure services based in Chicago.

Nicolls's concerns are shared by Michael A. Vatis, director of the Institute for Security Technology Studies at Dartmouth College. In a report released just after September 11, Vatis warned that attacks on U.S. computers were "extremely likely" as part of larger, coordinated terrorist actions launched in retaliation for U.S. military strikes.

Federal officials apparently agree. Three days after the September terrorist attacks, the FBI's National Infrastructure Protection Center issued a formal advisory warning of possible vigilante activity online. A few weeks later, the Bush administration appointed longtime White House counterterrorism coordinator Richard Clarke to the newly created job of cyberspace security adviser. Clarke has repeatedly warned Congress and U.S. businesses about the potential for a "digital Pearl Harbor" in which distant assailants would invade and damage the country's computer networks and telecommunications systems.

The good news is that there were no reports of widespread cyberterrorism in the weeks immediately following the suicide hijackings. But as the Dartmouth report points out, previous political conflicts -- for instance, clashes between India and Pakistan -- have led to "cyberattacks" in those countries. So as U.S. military action continues overseas, Americans need to be highly alert for a possible new wave of virtual warfare, with both distant and domestic hackers trying to deface or crash Web sites, disseminate computer viruses, and break into vulnerable networks to steal, corrupt, or delete information.

Osama bin Laden's shadowy, computer-literate followers aren't the only potential assailants. "Even more likely are cyberattacks by sympathizers of the terrorists, hackers with general anti-U.S. or anti-allied sentiments, and thrill seekers lacking any political motivation," the Dartmouth report warns.

In other words, companies should consider cyberterrorism not just possible but probable. They should also prepare accordingly, just as a California company might plan its response to an earthquake or a power failure and an East Coast business might protect its systems and data against a likely blizzard or hurricane. That means taking stock now to determine what's sufficiently safeguarded and what's still vulnerable -- and having an IT staffer or outsourcer make corrections immediately. "Once you're attacked is not the time to think about how to respond," says Mark Schertler, vice-president of networking and security services at Primitive Logic Inc., a consulting firm in Sausalito, Calif. "You should have a recovery plan in place. You should have discrete and diverse service providers so that if one gets attacked, you can still operate. And if you're relying on the Internet for revenue, you should have redundant sources to connect to it."

What's the minimum computer protection for small businesses? For starters, virus-scanning programs. Self-installed software that detects and stops both viruses and worms can cost as little as $100. Once the software is installed, companies should assign someone to update the protection programs at least once a week -- but preferably daily -- to protect against the latest nasty attack. "It's like an arms race," says Schertler. "New viruses are coming out all the time."

A second must-have: a firewall, or shield, between the company's internal systems and the Internet, to prevent unauthorized intrusions. The cost for that ranges from less than $50 for a home-based business to thousands of dollars for large companies with many remote users and massive amounts of confidential or valuable information.

Next, companies of all sizes should regularly back up all systems. Small companies may be able to get by with weekly backups; businesses of, say, $10 million or more in annual revenues should invest in technology that will take a data snapshot daily. Both should stash the stored data off-site. (Nicolls of Telenisus suggests using a bank vault.) Every company should also make plans to run its networks from another location if necessary.

Growing companies may also want to invest in a virtual private network (VPN), which provides far-flung employees, business partners, customers, and vendors with a secure tunnel into a business's internal computer system. They should also add security software to their road warriors' portable equipment, such as laptops and personal digital assistants. (See " Laptop Insecurity," Inc, March 15, 2001.) Users of Microsoft's Windows operating system may want to consider upgrading to the new Windows XP operating system for its built-in firewall, enhanced virus protection, and capability for encrypting files both on the desktop and in transit over the Internet.

For businesses of all sizes, Primitive Logic's Schertler, who like Nicolls is a former NSA official, recommends two other security precautions that together cost precisely nothing. First, require employees to use "strong passwords," made-up phrases that would-be intruders can't guess or decipher, by running programs that automatically test passwords with common words or names. "Mix up letters and symbols to create something you wouldn't find in a dictionary," says Schertler, something like "drB613Jzx." Second, assign someone on staff to act as your in-house point person for software-vendor updates. That way, your company will get regular reminders about such things as upgrades and patches, which crop up over time. Some security breaches, particularly those on Web sites, happen simply because nobody has the responsibility for retrieving the remedy for a security hole.

Lewis and Roca already had many of those precautions in place. But after the terrorist attacks, the firm looked even harder for potential weak spots. Its in-house security team renewed its interest in how the firm controlled access to its systems, including its public Web site and client extranet. Team members also reviewed the firm's virus-scanning capability, as well as its plans for preserving digital records during a natural -- or terrorist-caused -- disaster. In direct response to the World Trade Center attack, they even researched ways to salvage paper records. "The pictures of legal documents floating through the streets of lower Manhattan made us aware that recovery of electronic data alone may not be sufficient," says chief operating officer McCormick. "We may want to consider technologies that will provide us with electronic images of our paper documents and files."

At the same time, the law firm, like many other small businesses, realizes its security-improvement process will never be finished. "It's fluid, it's evolving," McCormick says. "We're learning new things day by day as the situation changes." In fact, on the day McCormick made those comments, his firm had just launched a new security initiative to investigate ways to monitor incoming mail for evidence of explosives, anthrax spores, or other potentially deadly materials. The firm also advised employees about ways to protect and preserve data on their own home computers, as well as ways to secure office E-mail and voice mail.

Yet despite widespread concern about cyberterrorism, the FBI's data indicate that most security problems originate within a company's walls, either by accident or by design. For that reason, experts also recommend that companies monitor their networks for unauthorized remote access, set alarms to indicate large deletions of files, and remove ex-employees' access to computer, E-mail, and even voice-mail systems as soon as they're out the door. As security expert Nicolls puts it, "Unfortunately, people can still screw up the very best technology you can buy."

Anne Stuart is a senior writer at Inc.

Computer and Internet Security Resources


  • FBI's National Infrastructure Protection Center
  • CERT Coordination Center, Carnegie Mellon University
    (Funded by U.S. Department of Defense)
  • The System Administration, Networking, and Security Institute




Hands On

48 Hours: How do you eliminate bureaucratic bottlenecks? Siamak Farah, CEO of InfoStreet, a $1.8-million developer of corporate intranets in Tarzana, Calif., wants his 15 staffers to take initiatives and run with them -- as opposed to waiting for a manager's approval. So in early 2000 he inaugurated "the 48-hour rule." "If an employee comes up with an idea or proposal and submits it to his or her superior, the superior has two working days to respond," he explains. If a manager doesn't respond within 48 hours, then the employee can proceed under the assumption that the manager has granted approval. Farah says the rule has "done wonders" for decision making and initiative taking. And what if, perchance, a manager is away for two days? Nothing changes. Absentees must delegate the decision making to a second-in-command. --Ilan Mochari

The Whole New Business Catalog

Please e-mail your comments to editors@inc.com.