Sound Security Policies Combat CyberterrorismSound Security Policies Combat Cyberterrorism

The bad news: Since Sept. 11, many security pros are expecting terrorists to attack their companies and the nation's critical infrastructure. The good news: By taking security precautions, companies should survive, albeit not unscathed. "Terrorists will attack the same types of vulnerabilities and probably use the attack tools we're already aware of," says Michael Erbschloe, VP at Computer Economics and author of Information Warfare: How To Survive Cyberattacks (McGraw-Hill, 2001).

Still, 30% of companies say they don't have adequate security policies to address the cyberterrorist threat, according to a survey of 227 companies released this week by the Internet Security Alliance, National Association of Manufacturers, and security services firm RedSiren. But there's good news on that front, too: 39% say they didn't have adequate policies a year ago.

Because terrorists are likely to use the same methods as hackers, companies that already have solid security strategies don't need to implement additional measures to combat cyberterrorism. "The cyberterrorism threat is a red herring. What can terrorists do that hackers, organized crime, or competitors trying to commit espionage can't?" says the CIO at a financial-services firm in New York. "Their goal may be different, but we're already taking the steps we need to take to protect ourselves."

In fact, 61% of IT executives placed cyberterrorism high on their lists of concerns even before the September attacks, according to the same survey. Now, 48% say they're more concerned than they were a year ago about cyberterrorism. "Cyberterrorism is an up-and-coming issue, but I feel the basics we already do to properly secure our systems will help to minimize the effects," says John Hartmann, VP of corporate services at Cardinal Health Inc.

But Jim Williams, a former FBI special agent who investigated computer crimes and now director of security solutions for security services provider Solutionary Inc., takes little comfort in the fact that cyberterrorists use the same tools and exploit the same vulnerabilities as other hackers. "Companies aren't doing enough," he says--even though many say they have adequate plans for dealing with IT security and cyberterrorism.