The Concours Group: Corporate America and IT Security in War Time; Understanding Information Technology Resources Key for Securing Company Data.

-- Vigilance. Companies should continue to be vigilant in their approach to security for their IT systems. For those companies who have not thought about what might happen in the chance of a terrorist attack, they should really begin to assess their needs and develop a clear business continuity plan. For the companies who have already identified their security issues, they need to establish communication between the executives and the employees to ensure that all systems are protected -- physically or technologically -- in case of an attempted attack. It is also a good idea to perform IT contingency testing to make sure that your disaster recovery plans are effective and efficient.

-- Actions. Tactics can range depending on the organizational structure and the vulnerability assessment of your systems. Some basic recommendations would be to educate employees on the value of securing their individual passwords for computers and business-related files, performing an IT audit to identify what systems the company uses and where potential for breaches exist, and to place an appropriate amount of interest in information systems security. Understanding the types of information that your company uses, developing clear classification strategies and expending resources on safeguarding only the data that needs protecting will deliver the most security and privacy for the least cost.

-- Importance of Contingency Plans. Executive reactions to security issues vary. Some respond with the "chicken little" syndrome where they react with knee-jerk actions without considering the consequences or impact to the business. Others regard information technology compliance as a hassle and believe that they are secure. In both cases, these executives don't understand the importance of securing their company's infrastructure. The overarching challenge is that information systems have really only been recognized as essential to businesses in the past 10 years. Executives need to balance assets and liabilities and understand that security is not a revenue generator, but in the long run -- given our current environment -- might be crucial for saving the company money (or even saving the company!) The understanding of what systems make your company run, their value, and how the company would be impacted if they were no longer viable, is crucial. Whether you call it a contingency plan or not, companies need to be able to manage in times when the IT system might not be 100 percent functioning.

-- Business As Usual...or Not. There are several things companies can and should do to keep their organizations running in our current environment. Below are five recommended actions for corporate executives:

-- Though a heightened awareness is essential, it is important to continue conducting business in the usual manner.

-- Consider the physical security of the office and the emotional state of your employees.

-- Assign a senior executive to be responsible for understanding the business impact of security, reporting to the CIO or CEO. This person would be responsible for working with other senior executives to make sure that business practices are aligned with government requirements. Currently, there are too many people concerned with security and involved in determining the best solutions for protection, and nothing is getting done. With one person working from the top who understands your business -- not necessarily security -- you can begin to protect your company and plan effectively for the future.

-- Keep in mind what systems are being used within the corporation, the risk management evaluation for each system, and how to effectively manage the data within the system.

-- Involve employees with security through educating them on the value of keeping security tools such as passwords in secure places -- not taped to the desk or the keyboard.

-- Data Storage. The decision to make an offsite recovery center is a tough one. The decision to keep a set of backups of company data at another location far removed from your main area of operations is an easy one. Recent events have showed the value of taking the simple step of backing up corporate IT systems in an area removed from your facility. It is the law of probability. The odds say that the chance of a catastrophic event that would destroy all valuable corporate information is low, but given our recent history, that might be just the information that some executives need to support the decision to move systems outside of the headquarters or high-threat areas. Again, the location of corporate systems is connected with the industry you are in. For example, healthcare or financial companies should be backing up systems offsite, but the investment might not be worth the cost for manufacturing companies with a large plant infrastructure that could not easily be recreated offsite.

-- Social Engineering. Ninety percent of all security attacks on corporations are the result of social engineering -- security breaches. These security breaches can be the result of terrorists hacking into your system or, as more often the case, the result of an employee being careless with passwords or disgruntled for some reason. The best strategy for dealing with social engineering is to refocus the culture within the corporation. There needs to be an understanding of the value of protecting the information that is critical to how the company does business. For example, the only two people who should know computer passwords are the individual employee and the systems administrator. Also, all employees should be careful when using laptops or wireless devices since others might be reading over your shoulder.

-- Communication With Employees. There needs to be an open line of communication regarding security within the corporation. This does not mean that employees should receive hourly e-mails with a detailed account of the "state of the company's security system." Rather, executives should explain to their employees that they have taken the necessary steps to align their business practices with the overall security requirements of the country. Executives may choose to explain the business contingency plan, but it is often not essential. The key is to have an understanding about the internal culture with regard to passwords. Employees need to know that they can help protect against information technology attacks.

Munich (my`nĭk), Ger. München (mün`khən), city (1994 pop. 1,255,623), capital of Bavaria, S Germany, on the Isar River near the Bavarian Alps.