Steps Companies Can Take Now To Improve IT Security
Sidebar story to "Guarded Optimism"
Increased concern about cyberattacks since Sept. 11 isn't limited to the United States. While almost three-fourths of companies in North America say they've raised employee awareness of security procedures and standards, more than half of companies in Asia, Europe, and South America also did so, according to the InformationWeek Research Global Information Security Survey.
So what can a single company do? Top executives can get a lot of mileage out of making sure their IT teams follow some broad, basic strategies: Stay on alert, regularly review security policies and procedures, work out an incident-response plan, and leverage IT tools that scan networks and systems for vulnerabilities and assaults. "Absolutely assume cyberattackers are coming," says Michael Erbschloe, VP of research at research firm Computer Economics and author of Information Warfare: How To Survive Cyberattacks.
Vigilance about security can plug some of the easiest routes into companies' IT systems. Some examples: enforcing tougher password rules and regularly reviewing and updating access rights. Companies appear to be making progress. Last year, 23% of U.S. companies said their systems were broken into through a guessed password. This year, the number is down to 9%. Other basic policies that offer a first line of defense include regular software and operating-system updates to patch new vulnerabilities and ongoing antivirus software updates.
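The two controls this paragraph names, rejecting guessable passwords and periodically reviewing who still holds access, are simple to automate. The script below is an added example written for this page, not code from the article or from any vendor it mentions. The policy thresholds (12 characters, three of four character classes, 90 idle days), the short denylist, and the account records are all assumptions constructed for illustration; a real deployment would load a full breached-password list and pull account data from the directory.

```python
import re
from datetime import date

# Constructed denylist for the example; a deployment would load a full breached-password list.
COMMON_PASSWORDS = {"password", "passw0rd", "123456", "12345678", "qwerty",
                    "letmein", "welcome", "admin"}

# Assumed policy values (not from the article).
MIN_LENGTH = 12
MIN_CLASSES = 3
MAX_IDLE_DAYS = 90

# Letter look-alikes that "P@ssw0rd" style passwords rely on.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})


def normalize(pw):
    """Undo look-alike substitutions and drop trailing digits/punctuation,
    so 'P@ssw0rd1!' is compared against the denylist as 'password'."""
    return re.sub(r"[^a-z]+$", "", pw.lower().translate(_LEET))


def has_run(pw, n=4):
    """True if pw holds n identical or n consecutive ascending/descending
    characters (aaaa, abcd, 4321), which guessing tools try early."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + n - 1)}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, username):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} of 4 character classes, need {MIN_CLASSES}")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common password")
    u = username.lower()
    if u and (u in pw.lower() or u[::-1] in pw.lower()):
        problems.append("contains the user name")
    if has_run(pw):
        problems.append("contains a repeated or sequential run")
    return problems


def access_review(accounts, today):
    """Flag accounts for the periodic rights review: never used or idle past
    the limit, with privileged accounts called out so they are handled first."""
    findings = {}
    for a in accounts:
        reasons = []
        if a["last_login"] is None:
            reasons.append("never logged in")
        elif (today - a["last_login"]).days > MAX_IDLE_DAYS:
            reasons.append(f"idle {(today - a['last_login']).days} days")
        if reasons and "admin" in a["groups"]:
            reasons.append("privileged: remove admin rights first")
        if reasons:
            findings[a["user"]] = reasons
    return findings


# Constructed sample directory extract and review date (not real accounts).
SAMPLE_ACCOUNTS = [
    {"user": "jsmith", "groups": ["staff"], "last_login": date(2002, 3, 1)},
    {"user": "contractor7", "groups": ["staff", "admin"], "last_login": date(2001, 10, 15)},
    {"user": "svc_backup", "groups": ["admin"], "last_login": None},
]
REVIEW_DATE = date(2002, 3, 15)


def run_review():
    """Run the access review over the constructed sample data."""
    return access_review(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "jsmith-Summer2024!", "correct-Horse7-battery"):
        print(pw, "->", check_password(pw, "jsmith") or "OK")
    for user, reasons in run_review().items():
        print(user, "->", "; ".join(reasons))
```

The normalization step is the part worth copying: a length-and-character-class rule on its own accepts "P@ssw0rd1!", which any guessing tool tries in its first few seconds, so the denylist comparison is made after look-alike characters are mapped back and trailing digits are stripped. The review function deliberately orders idle privileged accounts first, since those are the ones a guessed password turns into an administrator.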
But IT managers also need to work closely with other managers within the company. Since Sept. 11, 20% of managers say they've stepped up background screening of employees, and almost 30% say they've increased ties between IT and physical security. "The IT manager has to work with the physical security managers, with human resources, and with the legal department," says Winn Schwartau, president of Interpact Inc., a security training company, and author of several information-security books, including a novel, Pearl Harbor Dot Com, about a Hiroshima survivor who seeks revenge by launching a massive cyberterrorism attack against the United States.
Businesses have also stepped up their incident-response planning, detailing what needs to be done in the event of an IT security failure. Such a plan typically includes the immediate steps that would need to be taken during an attack, who would need to be notified, and how employees would communicate with one another. The plan may also spell out when a company needs to take down a system or sever a communications line. "You need to make a decision--pull the plug or not," says Bill Wall, chief computer security engineer at communications equipment maker Harris Corp.
It's rarely an easy call. Shutting down a critical E-commerce system not only brings business to a halt, but also compromises a company's ability to trace the attack. "You can watch what the attacker is doing while he's doing it," Wall says. "Is he opening up certain files, directories, or even E-mail to get at certain information?"
Finally, businesses need to leverage security tools and services that help detect gaps in their defenses. Says Erbschloe, "You need to find your vulnerabilities before the bad guy does and then tighten down the hatches as best you can."