Lynn Greiner was on an airplane preparing to land at New York's LaGuardia Airport the morning of Sept. 11. As the plane banked into the landing pattern, the World Trade Center towers came into view through the left windows. Just then, she saw the explosion.
When the plane landed, phone lines were clogged, but Greiner, vice president of technical services at Ipsos-NPD Canada Inc., a marketing research firm in Toronto, was able to get a message to her office by wireless e-mail: "Be wary. The nuts are going to come out of the woodwork."
What actually happened was anthrax, she says, not the cyber-maliciousness she had envisioned. Still, Sept. 11 brought the matter of IT security more clearly into focus in most organizationsevident in a comparison of our survey results with those from our first security survey six months ago.
"Once you ask yourself whether you're prepared for cyberterrorism, the answer will tell you how prepared you are for disgruntled employees, competitive espionage or disasters," says Giga Information Group Inc. Vice President Steve Hunt. "That's why security is on so many people's minds. Asking the question is enough."
Ed Ruppel agrees. He's assistant vice president for application architecture in the Fort Wayne, Ind.-based annuities group of Lincoln National Corp. "September 11 was more about disaster recovery and business continuity," he says. "But it has made us take every possibility as a serious threat. It just raised our awareness. Employees are more tolerant of security measures, such as those meant to stop e-mail-borne viruses. Before, it was, 'Why do we need this?' Now, it's, 'Well, we understand.' It's a mind shift in the right direction."
Most CIOs we spoke with, however, said Sept. 11 changed little in their security operationsexcept for a few more meetings. "I get in a lot of meetings just to quiet things down," says Dick Price, CTO at Crane, a printer and publisher in Harwich, Mass. "September 11 scared some of our executives half to death. Once they realized that we have our disaster recovery plans, off-site backup [of working and archival data], and that we have been backing up, and have been taking care of business, they said, 'Oh, not a big deal, okay.' Everything worth saving here gets backed up in real time. Then just to be really safe, we make another backup. Now we have three complete, real-time images of secure data."
All this should be second nature, Price says. "Part of every deployment should be preparing for redeployment. At the time you deploy an application you should ask, 'What if the building melts?'"
Most companies have not changed their security budgets because of Sept. 11, says Huntmost had already planned a 4 percent to 5 percent increase in 2002. A subset of companies, however, immediately pushed their total IT budgets up by one percent to three percent for added security. "These are companies that consider themselves part of the national infrastructuredefense contractors, telecomsand thus at greater risk to cyberterrorism," he says. "Their immediate need is people who can help make sure systems are patched with updates. They are reviewing architectures, and composing and promoting security policies. To quite a large extent, they are hiring senior managers of security, even at the executive level."
The impetus for these efforts often comes from the top. At several very large corporations he works with, Hunt says, "the CEO called in the head of IT security and the head of physical security after Sept. 11 and asked, 'Are we prepared?' The two guys had never met each other before! That is panicking CEOs, who are thinking, 'What in the world are we spending our money on? What's our policy? Do we even know what we're doing?'"
While some companies in the financial services, insurance and defense industries are dramatically increasing their information security and disaster recovery budgets, it's not surprising that others haven't yet done so, says Don Ulsch, cofounder of ObServitus Inc., a network security and disaster recovery company in Boston. "It's too soon," he says. "They're trying to identify solutions. You just don't go out and invest helter-skelter. You don't just pick a solution off the shelf. It has to be part of your overall business strategy. You've got to look at all the considerations, all the business processes and how they will be impacted by security, what the disaster recovery plan looks like, what the worst-case scenarios look like."
Indeed, the number of cyber break-ins and vulnerabilities continues its inexorable rise, doubling in 2001 over the year before, says Richard Pethia, director of the Pittsburgh-based CERT Coordination Center, a government-funded organization dedicated to network security. "This puts a tremendous strain on system administrators, who have to get upgrades and patches and just stay on top of the flow of information," he says.
Viruses are the biggest headache for our survey participants90 percent have suffered a virus attack, up from 77 percent six months ago. "There are more of them, and they're nastier," says Greiner at Ipsos-NPD Canada. She and other IT executives say that educating users is paramount. "There's only so much nailing down of things you can do," Greiner says. "Without locking yourself in a steel cage and passing food through a little window, there's not much you can do." Half of our respondents have beefed up employee security training since Sept. 11.
Robert Wilson, CTO at Tessco Technologies Inc., a value-added distributor of wireless products in Hunt Valley, Md., says viruses are his chief worry as well, and in response, he's moved to thin clients. Since these desktop machines are essentially terminals that run programs residing on the server, it allows Wilson to centrally manage software revisions and patches. "We've also begun to standardize our laptops," he says. His old IT environment "had become a nightmaredifferent computers, different software versions, all kinds of compatibility issues."
The real need, Pethia says, is for organizations to fully understand what information is critical, where it resides and how it's at risk. "Organizations that call us for help often have never really set priorities on what is most important to protect," he says.
While our survey found that only 14 percent of respondents place responsibility for data security in the hands of a chief security officer, Giga's Hunt says, "Suddenly a chief security officer is the most fashionable thing in the world. My phone is ringing off the hook asking for advice on this." That's because the chief security officer's job "is not to secure the parking lot or the network; the job is to secure the business," says Hunt. "So many of these threats, even cyberterrorism, originate inside the corporation. Get a tainted employee on the payroll, and it's all overa firewall won't amount to diddly-squat."Terry A. Kirkpatrick