In The High-Tech Battle To Protect IT Systems, Our Shields Are Failing
How much security is enough when it comes to protecting your information technology systems, and how much is sheer overreaction?

In this security-sensitive, post-Sept. 11 era, one would think that businesses everywhere couldn't spend enough on protecting their critical computer systems from attack, but actual purchases of security products don't seem to bear this out.

According to Information Security magazine, the Sept. 11 attacks didn't result in an increase in business for security product vendors. In fact, selling cycles for security vendors seem to have lengthened, with potential customers looking more closely at each purchase.

Yet the case for protecting computers and data has never been stronger. Last October, Information Security published results of a survey of 2,545 information security professionals in which an incredible 90 percent of reporting organizations said they had been infected by viruses, worms, “Trojans” and other malicious code. This was despite the fact that 88 percent of those companies had some sort of virus protection in place.

About 12 percent of the respondents were in banking/financial services, while 3 percent were in legal/insurance/real estate.

Let's put these results in a different context–say, the bridge of the Starship Enterprise:

SULU: Captain, Klingon bird of prey de-cloaking off the port bow!

CAPTAIN KIRK: Red Alert! Battle stations! Mr. Chekov, raise shields!

SULU: The Klingons are powering up their weapons.

CHEKOV: Shields at 5 percent.

KIRK: 5 percent! Push those shields to full strength!

CHEKOV: Aye, aye, kyepten. Shields at 10 percent.

SULU: Klingon weapons are locked onto us.

KIRK: 10 percent! I said full strength!

CHEKOV: Dat is full strength, sir.

KIRK: Scotty, we need more power to the shields!

SCOTTY: Sorry cap'n, our dilithium crystals are low. We're waitin' for new ones, but they're hung up wi' those lads in Purchasing at Star Fleet.

SULU: Klingons firing weapons, sir!

KIRK: Scotty, do something! I need more power, now!

SCOTTY: I canna change the laws of physics!

ENTERPRISE: (explodes in a massive thermonuclear fireball).

This is the situation we find ourselves in with regard to systems protection in an age of massive hacking and cyber-crime. Enemies are lining up to make war on our systems, but our defenses are hardly adequate to rebuff even the weakest attacks.

Certainly, the current economic climate has caused many businesses to be more cautious in their spending. The fact remains, however, that being penny-wise and pound-foolish with regard to systems security could indeed bring about the collapse of businesses–particularly those with a strong Internet presence.

Why would risk managers in general, and those at insurance companies in particular, bury their figurative heads in the sand when it comes to security? Two thoughts come to mind.

First, at least as far as the insurance industry goes, there's the traditional reluctance to embrace technology of any kind. While many in this industry resent that characterization, few would dispute it. In fact, when I first entered the insurance industry from the technology sector and told a group of agents that insurance was two years behind the curve on technology, I was interrupted by an audience member who insisted: “No, we're five years behind!”

Second, there's a definite feeling among non-IT folks in the insurance industry that cyber-crime “can't happen to us.” Indeed, the high-profile hacking incidents have not, for the most part, been in the insurance and financial services industries. Privately, however, insurers have admitted being the targets of such attacks. We might not be talking about it, but we are hardly immune from the dangers of hacking and cyber-espionage.

And the attacks that affect us need not be aimed directly at our own systems. There was a report last year that a group had hacked into the World Economic Forum's Web site and stolen the credit card numbers of Bill Clinton, Bill Gates and Yasser Arafat, among others. As systems become increasingly interconnected across industries, the dangers grow exponentially.

So, apart from the obvious solution of spending more on security initiatives and products, what can we do to raise our shields against attack?

Virus protection, while sometimes effective, is obviously far from adequate when it comes to protecting systems. Such software requires frequent updating, and even then, it is a nearly hopeless task to keep up with the hundreds of new viruses being created every year.

We still recommend the diligent use of virus protection applications, but don't stop there. Firewalls and intrusion detection systems also offer an effective line of defense, with such applications improving in effectiveness over time.

The key, however, lies not with technology, but with better human resources practices. The majority of systems attacks still come from within companies, rather than from external hackers. Disgruntled employees, in particular, represent a significant threat, especially if those employees have access to your system passwords.

Human resources professionals need to be much more careful in checking references and employment histories. Businesses also need to take advantage of software solutions that enable them to track the activities of all authorized users.

Finally, businesses would be well advised to establish solid Internet usage guidelines that, among other things, restrict personal use of functions such as e-mail and instant messaging. Many of the viruses that enter computer systems gain entry via online communications.

Is this kind of attention to security an overreaction? No more so than Star Fleet getting those crystals quickly delivered to the Enterprise. There's nothing quite as reassuring as hearing: “Shields at 100 percent.”

Senior Editor Ara Trembly is NU's tech guru. He can be reached at [email protected].


Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, April 15, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

