Terror Attack Brings Renewed Emphasis On Security

The way many American companies view and handle security is about to change.

For many companies, especially those with international operations, a top priority is the physical safety of employees and data systems--especially in the aftermath of last week's attack. "The emphasis in our company has been on physical security," says the chief information security officer at a major international metals processing company who asked not to be identified. "Our company president has restricted all travel."

The next priority will be to beef up personal security, often with the help of IT. The metal company's security chief has been lobbying for months, without success, for an employee photo ID system based on smart cards to gain access to buildings and the network. "We could be a highly targeted company," he says. "What's to stop a terrorist from walking into the building with a satchel containing a bomb?"

Last week, attitudes toward his proposals quickly changed. "Many senior executives now say that management will strongly reconsider my proposals for increased physical security," he says.

Similar reviews are likely to take place throughout the country and the world. The FBI's Counterterrorism Division published a warning after the attacks against the World Trade Center and the Pentagon, urging businesses to stay at a heightened state of alert and implement appropriate security measures against physical and computer attacks, at least through Oct. 10.

There has been no evidence of coordinated cyberterrorism in the days following the attacks in New York and Washington. "But anything is possible, and companies need to be constantly vigilant," says Phyllis Schneck, co-chair of the National Executive Committee of the FBI's InfraGard, an IT security information-sharing partnership between the government and the private sector.

Some 80% of business-technology professionals surveyed last week by InformationWeek Research agreed with the statement that the Internet is "extremely vulnerable" to cyberterrorism. At greatest risk, say security experts, are highly visible multinational companies based in the United States, such as AT&T and Coca-Cola, as well as crucial public infrastructure systems such as power grids, telephone networks, and air-traffic-control systems.

Some companies have made protecting their physical and digital assets a top priority for a long time. Credit-card company Visa USA Inc. has many security systems in place, including redundant computer and networking operations spread around the world, says John Shaughnessy, senior VP of risk management of the San Francisco company. "We must be on constant guard because what's secure today might not be secure tomorrow," he says. "E-business offers great opportunity but also greater risk for attacks and stolen information. We live in a new world, made even newer on Sept. 11."

Any business connected to the Internet faces some risk of cyberterrorism, says Dennis Treece, director of special operations for security vendor Internet Security Systems Inc. "The way I look at vulnerability is to see how dependent companies are on Internet connectivity," he says. Companies whose entire business is based on the Internet are completely vulnerable; others that do little business on the Net, significantly less so. Carpet manufacturer Shaw Industries Inc. in Dalton, Ga., isn't worried about attacks from hackers and cyberterrorists, because only the company's salespeople regularly use the Internet, says IT project manager Ben Worshmam.

While only a handful of companies have the worldwide recognition to be direct targets of international terrorists, all businesses are dependent on telephone service, power, and other utilities. But Michael Erbschloe, author of Information Warfare, How to Survive Cyber Attacks (2001, Osborne/McGraw-Hill), says it's unlikely terrorists would have the ability to launch a sustained cyberattack that would bring down the Internet or major telecommunications systems. "That's a very expensive proposition, and there are only a handful of countries in the world that have those resources."

Still, he notes that hackers in recent years have successfully breached air-traffic-control and electric power information systems. "If these hackers have been able to breach these systems, it's just a matter of time until terrorist groups have that capability."

Indeed, the number of politically motivated cyberattacks has grown in recent years. Last spring, following the midair collision of a U.S. intelligence plane and a Chinese fighter jet, tensions rose between Chinese and American hackers, and more than 11,000 Web sites were defaced, including several U.S. government sites. And in November 2000, AT&T and Lucent Technologies Inc. were threatened by pro-Palestinian hackers.

Security experts agree that a terrorist organization in the next several years will probably try to launch a major cyberattack against Western interests. But Treece says he expects terrorists to focus on attacking the physical, not the digital, world: "That's where they've created the most terror so far, and that's where they're likely to focus, at least for now."