By Alex Salkever When the Twin Towers fell last September, share prices in a host of cyber-security companies soared. The logic seemed pat -- all forms of security would benefit from enhanced spending, as businesses and the government retooled defenses for a post-September 11 world, right?
Well, not really. Looking back on what should have been 12 months of big changes, computer-security experts report quite the opposite. To a shocking degree, top executives at most companies remain largely uninvolved with issues of computer security. And a surprising percentage of businesses are woefully unprepared for an attack on their data centers. (A notable exception is the financial-services industry, which is perhaps the most security-conscious industry in the country.)
That's the finding of a recent survey of 227 information-security pros conducted by the National Association of Manufacturers, the nonprofit Internet Security Alliance, and computer-security services outfit Red Siren. In that survey, 33% of respondents agreed with the statement "...information security is not a visible priority at the executive or board level of their organizations." And 39% said they have no information-security plans in place for review by top corporate executives.
CHIEFS NEEDED. "We were a bit surprised at the results. It shows we still have to educate companies on the need for information security," says Thomas Orlowski, vice-president for information systems at the NAM.
Orlowski has that right. Small and midsize companies should give their security systems a thorough going-over to make sure they have plans in place to deal with any cyberattack. And any outfit with more than $1 billion in annual revenues should have a chief security officer or a vice-president-level job in charge of looking after information security, says David Nolan, a veep for information-technology security at consultancy Forsythe Technology, based in Chicago.
Unfortunately, most big companies still seem unwilling to face the risk of inaction. "It's almost like they don't want to know," says Nolan, whose own business has $700 million in annual revenues.
NO DRILLS. So whose job is it? Too often, the IT-security buck doesn't clearly stop anywhere. Sometimes, the job falls under the aegis of "risk managers" (translation: the guys who buy company insurance). In other cases, cyber-security becomes the province of the IT department -- swamped that it already is.
In either case, IT security remains a step-child of the organization, according to Nolan. "They figure they have written a disaster-recovery plan and bought some hardware, so they're set," he says. But few outfits run exercises acting out these disaster plans, meaning the schemes are largely untested. And fewer still run response drills to simulated cyberattacks to get systems administrators used to responding to the inevitable.
The lack of leadership on cyber-security at most companies probably has something to do with their ongoing struggles to get even basic security right. While it's easy enough to buy security software, it's far harder to push cultural changes that reinforce the issue's priority. "We still see people struggling to get employees to use secure passwords and to patch their systems," says Ed Skoudis, a vice-president for security strategy at Predictive Systems.
PUBLIC DISCLOSURE? Education efforts by organizations such as NAM and the ISA will certainly help raise awareness. "We really want people to think about it in a way that's more integrated with their business," he says.
But will this be enough? Nolan has a more radical suggestion: Publicly traded companies should be required to disclose in their quarterly statements the steps they've taken to keep their systems secure, as well as a disaster-recovery plan in the event of a cyberattack. If they have no plan, disclose that, too. "For many companies, they may decide to take that risk and buy insurance. That's not the wrong thing to do. But there should be a conscious choice," says Nolan.
To be fair, the NAM survey found that vast majority of businesses have some sort of computer-security system in place, at the very least a basic firewall and antivirus system. The survey had other positive findings as well. Thirty-one percent of respondents said their outfits had purchased cyber-insurance for the first time. Nearly half said their businesses had increased their budget for cyber-security after the attacks.
Still, Skoudis claims that he has tracked a new wave of sophisticated attack tools in cyberspace that could wreak havoc if deployed by hacker terrorists. Tomorrow, next month, next year, a next round of assaults may cause significantly greater disruptions to critical computer systems at big companies. Businesses that have plans in place to deal with these attacks will likely find themselves at a distinct advantage. Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column