It wasn't so long ago that IT directors such as David Johnson at Kyanite Mining Corp. believed they were losing the battle against viruses, worms, and other malicious data destroyers. Soon after computer systems were cleared of one bug, another with a nickname such as Code Red or I Love You swept through their networks, clogging E-mail servers, infecting partners' and customers' networks, and sometimes wiping out information.

But the efforts of Johnson and his comrades may be paying off. "We decided enough was enough," Johnson says. "I'd spent too many nights undoing the damage." Kyanite, a Dillwyn, Va., miner of ceramic material, shored up its defenses in the past year by adding antivirus software and toughening related update policies. Other companies apparently did the same, as evidenced by a sharp drop in the past year of successful virus attacks against businesses, according to InformationWeek Research's fifth annual Global Information Security Survey, fielded by PricewaterhouseCoopers. The survey, which 8,100 technology and security professionals completed, shows that 44% of companies admit they were successfully struck by a virus, worm, or Trojan horse in the past year, a dramatic decline from the 66% in the 2001 survey who said they fell victim.

Kyanite Mining deployed Symantec Corp.'s antivirus software on all of its desktops, internal servers, and Microsoft Exchange E-mail gateways. The company also started updating software daily instead of weekly, a policy change after several successful virus attacks that led to considerable tension around the company aimed at the IT shop. "Everyone was walking around with frowny faces," Johnson recalls.

Unfortunately, the frowns aren't gone for good, despite the glimmer of progress. Though companies are fending off viruses more effectively, the attacks that succeed appear to inflict more pain than in the past, requiring longer downtime and more money to fix. Businesses are getting better at weeding out routine hits, but the danger of more sophisticated and targeted attacks continues to grow from cyberterrorism, corporate spying, and insider attacks, especially at larger companies. And security analysts still worry that companies claiming zero attacks might not even know they've been hit.

The Sept. 11 terrorist attacks, along with a few high-profile IT-security slipups this year, have raised the perceived importance of security at most companies. Almost three-fourths of companies say they've raised employee awareness of security policies, procedures, and technology standards since Sept. 11, and a third are spending more specifically on tools to protect intellectual property. At one provider of online travel technology, every employee--from director to secretary--now watches a movie on security awareness each quarter. "Because any organization is only as secure as the weakest link, it's critical employees know how weak passwords or even visiting suspicious Web sites can put systems at risk," says one of the company's security administrators. But the company's executives still feel vulnerable: They asked not to be identified for fear that the company's systems couldn't withstand an attack.

While their number has fallen, virus and worm attacks remain the most prevalent security breach, followed by denial-of-service attacks, which also trended down slightly, to 12% this year from 15% in last year's report. Many businesses felt the sting, with Code Red and Nimda worms infecting thousands of companies' Internet servers. The number of companies claiming less than $10,000 in damages is slightly lower, but those saying such breaches cost them between $10,001 and $100,000 rose to 13% this year from 9% last year. In North America, about 6% of companies say they lost more than $100,000, though more than a third say they don't know the financial damage. Companies that could boast no breach-related expenses fell to 21% from 26%.

The amount of downtime edged up, with more companies facing outages and for longer periods. Last year, 28% of U.S. companies suffered no downtime from attacks, while this year only 16% avoided downtime. About 45% of companies were back up within eight hours, a number similar to last year's. But 39% had downtime of eight hours or more--a 13% increase from a year ago.

Much of the improvement in combating attacks came from smaller companies, such as Kyanite, getting their IT security in order with relatively quick fixes such as adding firewalls and antivirus tools. Larger companies, the preferred targets for hackers, fared worse than smaller companies. Only a fourth of businesses with more than $500 million in annual sales escaped without security breaches in the past year, and 43% say they suffered downtime that lasted more than eight hours.

Brian Amirian is convinced that many companies still don't know they're victims of ongoing denial-of-service attacks that steal bandwidth, choke network performance, and block Web-site access. A denial-of-service attack uses infected computers to make a flood of bogus information requests to overload a Web site. Amirian, director of hosting and development at a major media and entertainment company that he asked not be identified, recently installed denial-of-service defense software that showed the company was suffering far more attacks than IT managers thought. "What we were seeing before were only attacks that would potentially bring us down," he says.

If a hacker launches a mild attack, companies may not realize they've been hit. Amirian uses a denial-of-service detection system called Enforcer from Mazu Networks Inc. to find those smaller attacks, which can stop traffic for as little as 30 seconds. Why sweat the small stuff? "In many cases, little attacks are dress rehearsals," Amirian says. "They're tuning their attacks for the grand finale."

Denial-of-service attacks and viruses cause the most downtime to business applications, E-mail systems, and networks. The denial-of-service approach even killed off one fledgling business this year. In January, CloudNine Communications, a U.K. Internet service provider, said it had to close its doors after a series of denial-of-service attacks prevented its 2,500 customers from connecting to the Internet and cut access to the Web sites of its hosting customers.

Even more worrisome than network downtime is the fear that someone could access confidential information. This happened to 15% of U.S. companies surveyed. The past year also had a few highly publicized cases in which insiders or external intruders managed to break in and swipe confidential information.

A Prudential Insurance Co. employee allegedly stole electronic personal information on 60,000 co-workers. And customer records, including credit worthiness and Social Security numbers, were lifted when someone downloaded the personal information of 13,000 consumers from the credit-reporting agency Experian Information Solutions Inc.'s systems. In late June, Near North National Group, a Chicago insurance brokerage and risk-management and financial-services provider, filed a civil lawsuit under the federal Computer Fraud and Abuse Act against three former employees who had worked on securing the company's network. The company claims they used insider knowledge of its systems to unlawfully enter Near North's network, read company E-mail, and glean proprietary information that they provided to competitors, potential business partners, and organizations involved in litigation against Near North. Although an internal investigation revealed no customer-record tampering, Near North is seeking $645,000 in damages to cover its expenses to detect, investigate, and resecure company systems.

One hacker, Adrian Lamo, claims to have accessed the internal networks of both WorldCom and The New York Times' Web site and viewed confidential information. In December, Lamo says, he gained access to the confidential network diagrams at WorldCom, as well as the Social Security numbers of the telecommunications carrier's employees. In February, Lamo managed to obtain personal information about New York Times contributors, as well as intimate details about the newspaper's news-gathering process. Lamo claims he does no damage and breaks in only to reveal the systems' insecurities.

One weak spot in corporate security, Lamo says, is that so many security managers come from similar backgrounds--the military, intelligence agencies, or law enforcement--so they have a similar walls-and-fences mentality. "Their view on security is system centric. They scan their systems and think the systems are secure, the applications are secure, and hence there are no vulnerabilities," he says. Lamo says he gains access to many networks through misconfigured gateways between the Internet and intranets. Once in, he maneuvers around by "bending applications beyond their original intent," using them in ways that don't raise alarm bells but compromise security. It amounts to the hacker using the complexity of today's networks to cover his tracks.

Although only 5% of companies reported intellectual-property theft, FBI special agent Dave Drab, who investigates economic espionage and threats to national security, has a warning for U.S. businesses: Don't drop your guard. Corporate espionage is worse than most companies think, or will admit, and it's only going to accelerate. Virtually any company could be a target, particularly those with valuable intellectual property such as the aerospace, automotive, chemical, entertainment, food, and pharmaceutical industries. "Pharmaceuticals may be targeted for their R&D, which represents billions of dollars worth of income for various illnesses," Drab says. "They're targeting customer lists, sales forecasts, and trade secrets." Private businesses and foreign governments are behind the corporate espionage, he says.

Such cases rarely come to public attention, because companies and governments are eager to keep breaches quiet. But two weeks ago, the Taipei Times reported that police arrested a Taiwanese hacker suspected of being hired by a Chinese company to break into the systems of Taipei online game maker M-etal Multimedia Co. and steal its latest games. Copies of the games were posted online, potentially costing M-etal Multimedia sales during the six-month period when the thefts were taking place.

Hackers have proved they can find their way into many large companies, but insiders remain the biggest threat to the protection of trade secrets and intellectual property, Drab says. "There will always be those who are inclined to turn on their own," he says. "These individuals are targeted systematically by foreign entities." Drab also worries that businesses will face a threat from increasingly skilled hackers who have worked in foreign-intelligence agencies and now do illegal, for-profit work. "They've retooled themselves into 'entrepreneurs,'" Drab says.

In this environment, companies need to think differently about their most valuable information resources. In addition to maintaining technically solid security practices--using encryption, firewalls, intrusion-detection systems, and user authentication--they need to put a dollar value on information assets. "Most companies haven't yet classified what their trade secrets even are," Drab says. He recalls a recent investigation he began for a company that had reasonable evidence of an IT break-in from an internal investigation, but it couldn't say what information assets were at risk. A company's case in court suffers greatly from a lack of that kind of information. "If you can't describe your trade secrets or what the documents were worth that were stolen, it makes your argument somewhat inefficient," he says.

Not that companies are terribly interested in bringing security cases to court. If anything, they're getting more skittish about revealing IT-security flaws, in large part to avoid becoming a more visible target for hackers. About one in five companies say they would report a security breach to government authorities. Almost half--47%--say they wouldn't tell anyone outside the company. That figure is up from 40% a year ago. Only 19%, down from 26% last year, would tell the CERT Coordination Center, a nonprofit group designed to track computer threats through anonymous reporting.

Companies may be having somewhat better luck fending off security threats because the obstacles to improving IT security have fallen for many security managers. The biggest obstacle, cost, remains high in this year's survey, cited by almost 60% of managers. But every other category--from time constraints to well-trained staff to product complexity to management support--was cited by fewer managers as an obstacle this year. Even in these days of tight IT budgets, nearly half of companies worldwide plan to increase spending on security, and less than 10% plan to cut it. The top spending priorities include beefing up operating-system and application security, installing firewalls and access controls, and containing virus threats.

Those map closely to the security priorities of the Santa Barbara Police Department, which recently built a firewall to separate its systems from the larger city network. The California city of 90,000 has two large WANs that support many public services, including the City Hall, fire department, library, public-works department, and water treatment facilities. The police department wasn't convinced other departments would put enough value on security. "If Joe in public works places an easy-to-crack password on his system, our security just became as good as Joe's," says David Straede, systems analyst with the Santa Barbara Police Department.

Straede tried to limit complexity while increasing security by standardizing on a single firewall appliance, SonicWall Inc.'s Internet security products for firewalls and virtual private networks. He strictly limits what areas of the police network other city agencies can access, a policy that's caused friction with other city IT administrators. He's even had to fight City Hall when some applications didn't run as well across the firewall. "City Hall's approach to the problem was 'Why don't you just take that firewall down?'" he says. The police department kept it up: "Nothing personal, we just don't trust you," Straede says about the city government's IT-security levels. Straede gets frequent calls from other police departments that have become more concerned about IT security and are spending money to improve it.

The efforts of small and midsize organizations such as Kyanite Mining and the Santa Barbara Police Department appear to have made some headway this year in increasing IT security. But will companies be able to continue making progress against security threats? While many companies implement technical solutions such as firewalls, far fewer are tackling the more complicated security changes needed to thwart sophisticated attacks. Only a third are doing risk assessment and security testing, and even fewer--23%--will implement penetration testing, such as hiring people to try to break into their systems and find vulnerabilities. Cost may be partly to blame: Such tests start at roughly $30,000.

While it's a small victory that virus and denial-of-service attacks are down this year, business-technology managers can't afford to celebrate for long. They must contend with forces on two fronts that increase their risks. Externally, they face relentless villains, ranging from possible cyberterrorists to corporate spies and hackers. "The threats we face now are vastly different from the threats we faced in the past," FBI special agent Drab says. Internally, companies need to increase online collaboration and share more digital information to cut costs, improve design processes, and tighten customer ties. That complexity creates opportunity for hackers like Lamo.

"As systems get increasingly complex--and that point is lower than most people think--they can't be effectively secured against all possibilities or even most possibilities," Lamo says. That's one of the few views of reality that both hackers and cops can agree on--and one that business managers need to figure out how to live with.

Illustration by Otto Steininger
Photo of Johnson by David Deal