Companies Still Vulnerable to Cyberattacks


Now that an entire year has passed since the darkest day in this nation's history, one might think that businesses and government agencies across the land have invested big bucks to provide better redundancy and information security. But the reality is while that has happened to some degree, many enterprises are just as vulnerable on this Sept. 11 as they were last.

While that was already apparent from the recent VARBusiness report "How Vulnerable?" through numerous interviews, there's a good amount of data to back this up--growth in backup and recovery services is growing only marginally, according to a recent IDC report, which also found spending in information security to be lagging as well. A new report released on Monday by the Internet Security Alliance, which was prepared jointly with the National Association of Manufacturers and RedSiren Technologies, found that an alarming number of organizations are still not prepared to weather a cyberattack.

According to the report, based on a survey of 227 information security specialists around the world, 30 percent, or a third say their firms do not have adequate plans to respond to cyberterrorism. And while 40 percent said that information security is more important now than before the attacks and 67 percent have articulated it as a priority, 39 percent said these plans are not regularly reviewed and communicated.

Perhaps most alarming, while 88 percent said information security was key to a business' ability to survive, 30 percent said their business-critical information is not adequately protected and 45 percent said they are not adequately prepared to handle cyberterrorism threats.

Several integrators say indeed customers are looking but they are not moving fast. But they argue it's not for lack of concern but it requires more than just picking a few products and throwing them in. For example Terry Weipert, a vice president at Unisys says more than 90 percent of all businesses and government have virus-protection software and firewalls. CIOs and CEOs are trying to assess what it is they need to keep their businesses running, she says. That doesn't happen overnight.

Indeed many had serious concerns about security before the attacks. In fact in the weeks preceding the attacks, Weipert recalls Code Red and the Nimda virus were fresh on every CIO's mind. But David Black, global security technologies expert at Accenture put it best. "Minds that contemplate using civil airlines as hollow bullets will not shrink from destroying a country's power supplies, hospitals or financial economy by bringing down the computer networks by which these things depend," Black said in an address last week before the United Nations at the InfoSec conference. "The prospect for cyber sabotage is all too real in part because it dovetails so nicely with the asymmetric warfare model of terrorism."

But prudence still reigns. And that makes sense. Throwing money at the problem doesn't assure a customer better protection. And it's incumbent on the vendor community to do their part. Black says that has to start with industry standards. He cites the wireless 802.11b standard as an example of one where security was skimmed over "because speed of deployment took precedence over security."

Indeed we are seeing some progress. Consider Microsoft's Trustworthy Computing initiative, aimed at making its software more secure. "If the system isn't designed to be secure from the beginning, it's extremely challenging to bolt it on after the fact," said Steve Lipner, director of security assurance, also speaking at the U.N. InfoSec conference.

All around, talk is cheap. It's important for vendors and integrators not to forget the world we live in with every new product or system deployed. That approach is best for your customers and makes good business sense.