Security-Wary Firms Steer Clear of Infobahn : Computers: Growing demand for Internet access increases incidence of cyber-theft, despite new systems to thwart hackers.
Internet addresses, with their weird mixes of letters, numbers and symbols, are becoming as common as phone numbers on business cards and company stationery.
But the lure of potential profits and the excitement of being on the cutting edge can pale compared to the dangers companies face by opening up their precious computer files to anyone in the world who has a modem and a telephone line.
As a result, many companies are tempering the rush to go online. Some are turning to computer security devices and systems, forking out up to $25,000 to keep away hackers, competitors and thieves.
“You don’t give people access any more than you open all the doors to your building,” said Robert Anselmo, vice president of Calabasas-based Veritec Inc., which makes codes used by companies to mark prices and track inventory. Veritec has decided to limit its exposure on the Internet by setting up two computer systems--only one of which is to be connected to the global network.
Other companies are eschewing the information superhighway altogether--at least for now.
“Our data is of paramount value to our strategic survival in the competitive marketplace,” said Michael Liddy, vice president of claims operations for Fremont Compensation Insurance Co. of Glendale, which does not plan to go online just yet. “We would not want that to be allowed to be compromised.”
To be sure, companies have always employed passwords and other basic means to keep hackers out of their security systems. But today’s methods are becoming more sophisticated. The most common of the new methods fall into two basic categories, known in industry jargon as “firewalls” and “encryption.” Firewalls, like their non-virtual counterparts, are simply barriers to admission by outsiders. Encryption involves cloaking proprietary material by using secret codes.
There’s plenty of reason to be worried about security, according to data from the Computer Security Institute in San Francisco. The association, which boasts a membership of 3,046 government and commercial security professionals, cited a study that said the number of sites on the Internet had grown by 2,000% between 1988 and 1993. The Computer Emergency Response Team at Carnegie Mellon University reported 1,172 hacking incidents during the first six months of last year, nearly three times the amount from a year earlier.
“The greatest threat to corporations is other corporations and . . . foreign governments trying to level the playing field of the global economy,” said Richard Power, an information security analyst for the Computer Security Institute. Hackers are “the ones that make it in the mass media, but the least of our problems.”
Part of the problem, analysts say, is the way the computer revolution has evolved. It was easier to protect a single mainframe computer, and control access to it with lock and key. But industry pioneers did not design computer and software systems with security in mind, said Power.
“Bill Gates is brilliant man,” Power said of the Microsoft founder. “But he was never paranoid enough.”
The more access a company wants to the Internet--whether to do research on global computer networks or communicate with customers--the greater the danger of security breaches. And the security required becomes more complicated and more expensive as a company’s exposure increases.
Power estimated that a firewall alone can cost from $2,500 to $25,000. Other estimates put the cost of implementing greater security at 15% or more of the price of the computer system.
The firewall is gaining popularity as a security precaution. It is a computer with software that acts as a filter between the Internet and a company’s internal system.
A firewall works like a drawbridge, letting information in depending on the wishes of the user. It can act as a barrier between its sensitive information and the outside world in the same way the architectural firebreaks of asbestos or concrete slow the progress of fire in a burning building.
*
Some firewalls can be configured to let in only e-mail, for example. Some will examine information being fed into the system and determine if the user has proper access.
But they are not foolproof, and are usually used in combination with other security measures.
One common measure, encryption, involves transforming data into secret codes that can be unlocked only by the sender and the receiver.
Encrypting a document is like placing a letter in an envelope before dropping it in the mailbox, said Jim Bidzos of RSA Security Inc. in Redwood City. His company makes encryption products that generate codes by using large prime numbers. Breaking them down takes so much super-computer calculation that it puts off thieves, Bidzos said.
Rockwell International Corp, a diversified high-technology company, has constructed security precautions, which Micki Krause, the program manager for information security, says blend encryption, firewalls and other techniques.
But technology is only part of the equation. Krause believes persuading personnel to be more careful when using computer systems is actually more impor tant. Rockwell trains people to use passwords that are not easily guessed, for example.
The human element gains value now, she says, because information cannot be as easily controlled as it was in the days of the single mainframe computer monitored by a handful of personnel.
Computer systems managers try to keep up on what holes hackers are exploiting. Robert Casanova, the director of information systems for Litton Industries Inc., the Woodland Hills defense contractor, says that until the punishment for computer fraud becomes more severe, hackers will be undeterred in cracking systems.
“The hackers spend most of their time trying to enter our networks,” he said. “We spend most of our time trying to run businesses.”
Even with the precautions, though, Power said hackers have hit companies more often than is reported. A survey reported this year by the Computer Security Institute revealed $66 million in losses by 30 companies that responded.
With that kind of risk in mind, a consortium of insurance companies has set up a computer network that bypasses the Internet altogether.
Fremont Insurance, for example, is considering joining the consortium network instead of the global web.
“The downside outweighs the opportunities that exist on the Internet,” said Fremont’s Liddy.
Some businesses aren’t moving quickly enough to meet the security threat, said Anthony Hearn, the resident scholar for information systems at Rand in Santa Monica.
“Very few [businesses] are taking appropriate precautions,” Hearn said. “Most of them consider whatever can go wrong as the cost of doing business.”
