It's not good enough, however.
Corporate IT managers will have to pick up the pace and implement far better security to combat cyber criminals who are far more organized, well-funded and sophisticated than ever before, say industry observers. The threat to corporate networks is escalating at a dramatic rate and IT professionals have a daunting job in front of them to beat it back.
''In the last few years, there were some fairly easy things to do to improve security -- keep patches up-to-date, system monitoring, install firewalls and anti-virus software,'' says James Lewis, a senior fellow at the Center for Strategic and International Studies, a non-partisan research center based in Washington, D.C. ''Now, we have much more sophisticated threats and cyber criminals. Just doing the basic stuff won't do it anymore. You have some sophisticated opponents out there who just won't be deterred by a firewall.''
The most dangerous threat today, by far, is cyber crime.
''We haven't had an electronic Pearl Harbor and I don't think we will,'' says Lewis, who adds that terrorists want an attack that will look terrifying on TV, and knocking out networks, however costly, doesn't provide that visual. ''People are changing their perspective. It may not be cyber terrorism that bothers them anymore. They're more worried about cyber crime. And they should be.''
IT professionals and corporate executives should be concerned because cyber criminals simply are far more capable of causing damage than ever before. And the type of damage they're causing is changing, as well. Long gone are the days when a teenager would hack into a site to crash it or leave digital graffiti. Viruses are generally no longer aimed at crashing computers or taking down servers.
Today, it's all about making money. Criminals are using stealthy and highly targeted Trojans at a greater rate to steal personal, financial and sensitive company information. They're purposefully not crashing the computers. They want the machines up and running, enabling them to steal greater amounts of information.
Hackers, spammers and virus writers have turned professional, and they're teaming up, selling or sharing botnets and lists of stolen email addresses. And organized crime now is in on the game, putting more financial backing behind it and expanding the criminal network.
''Just a few years ago, it was some teenager in a garage,'' says Lewis. ''Now, it's professionals. They have their own websites, tools and their own industry. There are people who sit around and dream up new hacking tools and they offer them up for sale or rent on these hacking websites... You can rent botnets. You can rent email addresses. There's freeware hacking tools. There's been a great growth in this criminal sub-culture.''
IT Earns a C+ Average
Howard Schmidt, former White House security advisor and now president and CEO of R&H Security Consulting LLC., says companies have really stepped up to the plate and dug in behind greater security efforts. And it's made a difference.
''We are making progress,'' he told Datamation in a one-on-one interview. ''It's like a really good football game. We may not be scoring a touchdown every quarter but we are moving the ball forward. There's been a national movement on cyber security that is making this better.''
Schmidt, who gave corporate IT a C+ grade, says there have been several incidents that shook corporate executives up enough to loosen the purse strings and dole out cash and IT staff to upgrade their security. While Y2K didn't shut down anyone's bank account or send people scurrying to their well-stocked bunkers, it did make CEOs start thinking about all the information sitting on their networks. Add to that fear factor the distributed denial-of-service attack that hit well-known websites like CNN back in 2000, and then the arrival of malware like Code Red and Nimda that hit networks around the world. It all added up to what amounted to a wake-up call for information security.
''We've been better about making security part of our operations,'' says Schmidt. ''Many companies have moved the security function to an executive level position. It's a highly visible and valuable position now. And the more visibility you get, the more attention will be paid to it.''
During a panel discussion on national cyber security at the conference, Schmidt told the audience that it has been a year since he's had a phishing email in his inbox. And he also noted that it has been two years since the industry has had to deal with a major cyber incident. ''We're not just dumb lucky,'' he says. ''We've worked hard for this.''
But Paul Kurtz, executive director of the Cyber Security Industry Alliance, a security advocacy group based in Arlington, Va., isn't quite as upbeat about the industry's position.
''Businesses are starting to understand that information is an asset and they need to protect it,'' says Kurtz, who also gave corporate IT a C+ grade. ''In many cases, they're coming to it a little late and a little grudgingly. They've really learned the hard way... Giving them an A or a B would be a huge mistake.''
But Kurtz says that C+ grade doesn't apply across the board. The financial sector is way ahead of the rest of the pack, he says, garnering them a B+ grade. Strict regulations in the financial sector have helped to make the difference, he notes.
Lewis agrees, adding that regulations like Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) have made a big difference for many companies, forcing their hands to spend the money and time to upgrade their information security. At first Lewis gave corporate America a C+ grade for security and then bumped it up to a B or a B-.
The problem, says Lewis, is that good security is too hit-and-miss. One sector is strong. Others are not. One company is doing a good job. Others are not. ''When people talk about damages from worms or viruses... some companies have experienced losses while competitors have had little problems. That's maybe not so good,'' he says. ''The question is how do we level it off so it's not that some companies are good and some are not, some agencies are good and some are not?''
And Lewis, who spoke on the same RSA panel as Schmidt last week, was quick to counter his colleague and say he's not so sure that there hasn't been a 'very damaging cyber incident' in the last few years. ''They may just not be well known,'' he added.
What is Government's Role?
Should government be leading the charge for tougher security or should it stick to making suggestions and organizing research committees? Is government helping or not? These questions got mixed answers at the conference.
The National Strategy to Secure Cyber Space, which was released several years ago now, was designed to act as a roadmap to implementing better security and to encourage companies to improve their performance. It's had a positive influence on the industry, says Schmidt. ''The idea was not to mandate but to engage and create awareness that things need to be done,'' he adds. ''It was to lay out a high-level concept of what needs to happen.''
Lewis disagrees, saying the government itself has been slow to engage.
''The government has been pretty irrelevant,'' he says. ''The National Strategy to Secure Cyberspace has been useful as a paper weight. It can hold your door open. It didn't ask anyone to do anything... If there wasn't a federal effort, how much worse off would we be? I think the answer is mixed.''
Andy Purdy, acting director of the National Cyber Security Division at the Department of Homeland Security, told the RSA panel audience that the government's role is 'not being in charge' but opening up paths of communication between law enforcement, the government, the private sector and academia.
''We want to move beyond information sharing and move into true collaboration,'' he said. ''We have to have the ability to detect and recognize malicious activity, the ability to respond to malicious activity, the ability to put out shared information and the ability to recover from significant cyber disruptions.''
Kurtz, who did not sit on the panel but spoke at the conference separately, said there's no time for corporate IT managers to wait around for government agencies or committees to push them in any one direction. Cyber criminals are becoming an increasingly dangerous foe, and IT needs to be strengthening its defenses.
''The industry has a decision to make,'' he said. ''They can wait for government to mandate or they can take steps themselves... A year ago, a lot of people said security problems were hype. It was just the tech guys making noise and looking for attention. Well, it's not hype. This is serious.''