You can find this article at:
http://fortune.cnet.com/fortune/0-5937473-7-7720724.html?tag=subdir


Security You Can Live With?
By Lisa Meyer

As the U.S. fights terrorism and recession, the need for businesses to thwart hackers and disgruntled employees takes on fresh urgency.


The vast majority of the people who work at the Cleveland Clinic Health Systems are dedicated to helping customers get healthy, but a very few are doing more harm than good. In August and September alone, the Cleveland Clinic detected eight network-security breaches by employees.

Six of the ruptures were innocent enough, originating from careless workers who infected servers by spreading worms via e-mail. The remaining two came from employees using office equipment to scan portals of U.S. government sites. Such scanning is the typical way hackers prepare an attack like denial of service. Before the events of September 11, such activity might not have stirred alarm, but it does now.

Fortunately, the Cleveland Clinic detected the scans with its security system before employees or outsiders trying to co-opt company computers could launch any attacks. The Federal Bureau of Investigation is currently looking into the case. Such incidents are troubling because they reveal that employees aren't always working on their employer's behalf. And in an era when practically every enterprise is connected to the Internet, the danger doesn't stop at the office door.

"Corporate security is national security," says Alan Paller, director of research at SANS Institute, a computing think tank in Bethesda, Md. "Every one of us is a user of the Internet. If you abuse the Internet, you're interfering with an enormous amount of American commerce." Computer security is also a critical issue for companies struggling with the economic downturn. A growing number of disgruntled workers are seeking revenge for layoffs or pay cuts by engaging in technological sabotage, and these insiders are well-positioned to cause harm. According to a survey of companies and government agencies commissioned in 2001 by the FBI and The Computer Security Institute, 70% of computer attacks came from outside via the Internet, but attacks from within accounted for most of the financial losses. "Most companies think they just need to protect the outside," says Bill Stevenson, network security officer at New Century Mortgage, a mortgage loan services firm. But Stevenson says security must be "hard all the way to the core."

As the United States confronts both terrorism and recession, corporations are struggling to make their computer systems more secure. Threats can come from inside or outside. In times of recession and layoffs, companies are more likely to face discontented employees who might sabotage computer systems, give away confidential information or passwords, or engage in other mischief. So security becomes more important, yet at the same time, budget pressure makes it harder to afford. And while there's no evidence that Osama bin Laden and his cohorts practice cyber-terrorism, that's now a worry, too. Every company connected to the Internet must consider that terrorists might hack its machines to conceal nefarious traffic, or co-opt them as launching pads for hacks of government computers, systems that control power grids, financial systems, and more. The threat may seem remote, but that's the way network security and national security overlap.

Hackers cause more damage than companies report. According to the FBI/Computer Security Institute survey, 85% of large companies and government agencies have detected computer breaches in the past 12 months, and 64% of these acknowledged financial losses. Only 35% would quantify the losses, but even that fraction totaled more than $375 million.




Copyright © 1995-2001 CNET Networks, Inc. All rights reserved.
Copyright © 2001 Fortune Magazine. All rights reserved.