The risks were highlighted by two
major incidents in 2005. In February,
data collection company ChoicePoint
Inc. said that it was hit by an identity
theft scam in which hackers passed
themselves off as legitimate customers
in order to gain access to the personal
information of about 145,000 people.(21)
In April, information database company
LexisNexis said that hackers broke
into its system and gained access
to the personal profiles of about
310,000 people. The incidents drew
complaints in Congress, where both
parties pledged to introduce new laws
to regulate the use of sensitive personal
information.(22)
The threat to computer networks is
no longer chiefly from bored teenaged
hackers, as is the popular image.
Criminal gangs, many from Eastern
Europe, have become very active in
launching viruses and network attacks.
The criminal threat is heightened
by the hackers’ possible ties
to terrorists seeking information
to launch attacks on landmark buildings
or key infrastructure facilities.
Terrorism
The same tools used by organized crime
for network break-ins and identity
theft could be used by terrorists
seeking to launch attacks against
the United States, a Federal Bureau
of Investigation (FBI) official warned
in late 2004.(23)
Terrorists could seek to strike several
targets simultaneously and anonymously
through the Internet, hitting out
at the nation’s “technological
soft underbelly,” FBI Deputy
Assistant Director Steve Martinez
said at a Miami conference. Vulnerable
sites include infrastructure such
as water, power, and transportation
systems. In March 2005, the U.S. Department
of Homeland Security announced $91.3
million in grants to protect and secure
critical areas around key infrastructure
sites such as chemical plants, dams,
and nuclear power plants.(24)
Given the threat of terrorism, those
who design public infrastructure projects
could put many lives at risk if they
fail to adequately safeguard plans
for such structures. Terrorists scouting
targets to attack may break into unguarded
computer systems and download plans
for water treatment plants, nuclear power stations, or even schools.
For instance, in 2004, just a few
months after Chechen terrorists
massacred students and teachers at
a school in Beslan in southern Russia,
the U.S. military found two computer
disks that held photographs, evacuation
plans, and academic information from
eight school districts around the
United States.(25)
In his State of the Union address
in January 2002, President George
W. Bush said that U.S. forces had
discovered diagrams of U.S. nuclear
facilities and water treatment plants
in Al Qaeda hideouts.(26)
Awareness of the dangers of failing
to adequately protect corporate computer
systems from terrorists, criminals,
and hackers has been growing, but
not all firms recognize the risks.
A survey of members of the Information
Systems Security Association, released
in February 2005 by the Business Software
Alliance, found that 76
percent of companies surveyed recognized
that raising security as a priority
makes companies more efficient and
less likely to suffer downtime and
gives them a competitive advantage
in their market.(27)
While 78 percent said their organizations
were ready to defend against an attack,
only 19 percent said employees were
adequately trained in their security
duties and responsibilities.
Managing New Risks
From headline-grabbing threats to
computer networks to day-to-day liabilities
raised by the use of design software,
e-mail, and the Internet, A&E
firms face a risk landscape that has
changed dramatically in the last decade.
While technology businesses such
as software developers, networking
companies, and Internet publishers
may be familiar with the liabilities
brought on by the technology they have created,
architectural and engineering firms
that rely on the new technology in
their day-to-day business may not
recognize the dangers. Given the new exposures
inherent in the information age, firms
need to make sure they update their
risk management strategies as they
adopt new technology. When it comes to their
insurance programs, firms should take
an active role in making sure they
have adequate coverage for the new
risks and in communicating their loss prevention
efforts to their underwriters.
In general, firms need to identify
areas of vulnerability, establish
policies and procedures to address
those exposures, and then conduct
periodic performance audits to ensure
that those policies are working. Those
policies should include taking inventory
of software licenses, instituting
a document retention policy, establishing
procedures for delivery of sealed
designs, monitoring design changes,
and protecting confidential information.
Digital Information Exposures
While paper files and plans take up
large amounts of space, they offer
the advantage of being relatively
permanent and inalterable. Digital
information adds another layer of
complexity, as managing electronic
files is not as easy as just finding
the right filing cabinet.
Like paper files, digital information
is at risk not only from fires, floods,
and theft, but also in other ways:
complex designs can be easily copied
and carried out the door in a pocket; hackers
can break into insecure networks and
steal confidential information; and
computer crashes can destroy weeks
of valuable work.