Mar 11, 2002, 12:00am EST
Kimberly Nelson Hatfield
Special To The Journal
Like a prophet of doom, White House security czar Richard Clarke addressed the 2002 RSA security conference with this message: If businesses don't take computer security more seriously, they'll live to regret it.
The threat of compromised computer security is growing, says Daniel R. McCall, co-founder and general manager of managed security services at Guardent in Waltham.
"I would say everyone but the largest financial institutions are not prepared for the threat they face. Even the large financial institutions recognize that they need to stay diligent so they go out and they get help," he says.
Most companies -- 82 percent, according to a survey by Framingham-based International Data Corp. -- have already been attacked by viruses, more than 20 percent have experienced "denial of service attacks," and 11 percent have experienced vandalism of their sites.
Still, more than half of the security lapses go unreported. "People don't want to read their name in the paper associated with security incidents," says McCall.
So, with only a few high-profile public incidents, many executives may be lulled into a false sense of, well, security. There are three reasons why every wired company needs to heed this wake-up call.
First, the threat is growing. Hacker code is readily available on the Internet, putting the basic knowledge into virtually anyone's hands. Today's sophisticated viruses are automated, spreading like a wave over the Internet. They target multiple weaknesses in software programs and are capable of doing damage in many ways, says senior research analyst Brian Burke of IDC.
"A lot of these programs open up doors for hackers. They look for vulnerabilities in the corporate systems and then relay those back to hackers," he says. And that is the second reason to worry about security.
Just being wired could make you a victim of opportunity, says Chris Wysopal, director of research and development for At Stake in Cambridge. "A lot of attackers are joy riding, and they are looking for any vulnerable site. You become a target of opportunity," he says.
If they penetrate your systems and you happen to have some juicy data, they'll surely see it. But hackers prey on vulnerable sites as a means to execute their own malicious activities. They may set up chat rooms, or worse.
A notorious example is the denial-of-service attack that plagued Microsoft Corp. last year. During these attacks, networks are intentionally overwhelmed with bogus traffic. Denial of service is often carried out using the resources of infected systems. Hackers plant malicious code that lies dormant for a time, and then signal it to wreak havoc. This is known as a "zombie attack" in cyberspeak.
Another reason to take security threats seriously is cost; companies pay a high price for these attacks. The Computer Security Institute's Computer Crime and Security Survey found that companies surveyed lost $377 million from security breaches.
The damage to the greater market from malicious code attacks is estimated at $13.2 billion in 2001, according to Computer Economics, a California consulting firm. But the price of lost confidence in e-business is a lot higher, says Matt Barzowskas, vice president and research analyst at First Albany in Boston.
"Security is a major enabler of e-business. If security aspects cannot be addressed at least to a degree -- nothing is 100 percent secure -- it is going to derail e-business," he says.
The third reason you need to be vigilant? Your employees.
"The No. 1 threat to corporate security is internal problems," says Barzowskas. Anything from accidental penetration of the network to deliberate acts by disgruntled employees can compromise your systems, he says.
To heed these warnings, companies must shed their complacency. "Computer security is a contact sport. You need to stay awake," McCall says.
Experts say companies need a plan that includes vulnerability assessment, intrusion detection, desktop antivirus, server antivirus and a firewall. The hypervigilant can monitor online chat rooms for rumors of attacks on their companies.
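The plan the experts describe includes intrusion detection, and the zombie-style denial-of-service attacks mentioned earlier show up on a victim's network as a sudden flood of requests from many different addresses. As an added example that is not from the article or from any of the firms it quotes, the following Python sketch runs a simple check of that kind over constructed web-server log lines; the log format, the addresses, the five-second window and the request and source thresholds are all assumptions made for illustration.

```python
"""Added illustrative example, not code from the article or from any vendor
named in it: a minimal intrusion-detection check that flags a burst of
requests arriving from many distinct sources within a short window, the
traffic pattern of a distributed denial-of-service attack.
Every log line, address and threshold below is constructed for illustration."""
from collections import deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

WINDOW = timedelta(seconds=5)   # assumed sliding detection window
MAX_REQUESTS = 20               # assumed: more than this many hits in a window is suspicious...
MIN_SOURCES = 10                # assumed: ...when they come from at least this many distinct IPs


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split an assumed '<ISO timestamp> <client IP> <request>' log line."""
    ts, ip, request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, request


def detect_floods(lines: Iterable[str]) -> List[dict]:
    """Return one alert per burst in which the request count and the number of
    distinct source addresses inside WINDOW both exceed their thresholds.
    Lines are expected in chronological order."""
    window: deque = deque()          # (timestamp, source ip) pairs inside the window
    alerts: List[dict] = []
    alerted_until = None             # suppress repeated alerts for the same burst
    for line in lines:
        ts, ip, _ = parse_line(line)
        window.append((ts, ip))
        # Drop entries that have aged out of the window.
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        sources = {src for _, src in window}
        if len(window) > MAX_REQUESTS and len(sources) >= MIN_SOURCES:
            if alerted_until is None or ts > alerted_until:
                alerts.append({"at": ts, "requests": len(window), "sources": len(sources)})
                alerted_until = ts + WINDOW
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: a little ordinary browsing from three internal hosts,
    then 30 requests in two seconds from 30 different addresses (192.0.2.0/24
    is a documentation range, so these are not real clients)."""
    base = datetime(2002, 3, 11, 12, 0, 0)
    normal = [
        f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.{5 + i % 3} GET /page{i}.html"
        for i in range(6)
    ]
    burst = [
        f"{(base + timedelta(seconds=10 + i // 15)).isoformat()} 192.0.2.{1 + i} GET /"
        for i in range(30)
    ]
    return normal + burst


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(f"flood at {alert['at']}: {alert['requests']} requests "
              f"from {alert['sources']} sources in {WINDOW.seconds}s")
```

The ordinary browsing never trips the check, while the burst produces a single alert once the window holds 21 requests from 21 addresses. Requiring many distinct sources as well as a high request count is what separates a distributed flood from one busy legitimate client; in practice both thresholds would be tuned to the site's normal traffic rather than fixed as they are here.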
Even that might not be enough, says Wysopal.
"The best success is when the companies that write the software take security into account throughout the whole development process and test for security at design time. That's where we see the biggest bang for the buck," he says.
The increased call for security is finally getting attention in one of the nation's highest offices: that of Bill Gates. In a memo to employees, the head of Microsoft affirmed his commitment to secure networking or "trustworthy computing."
When faced with upgrading a product or increasing its security, "we need to choose security," he wrote.