How well do you know the contractor who went through your system line by line looking for Y2K? Do you know which coders worked on your system in particular?
Mathew Bevan is a 24-year-old Welshman who hacked into NASA, NATO and USAF systems before he turned 20 and was described as "more dangerous than the KGB" by one US official. Now he advises companies on the best ways to avoid industrial espionage and he has a sobering message for companies that have recently had Y2K work done.
"Do you know these guys or were you just pleased to get someone to do the work?" asks Bevan. "Is it going to be an entrapment situation - at midnight will you have some guys siphoning off some information from your system, or worse?" Bevan says the first line of defence for any company that is concerned about security is to draw up a security policy and enforce it. "This isn't going to be a single-page document. This has to cover everything from hiring staff or contractors through to system security to physical or environmental security and you have to follow it through."
Bevan points to recent FBI figures on theft of proprietary information, which is on the rise and amounted to over $US42 million spread out over 61 companies. "That comes to nearly $US700,000 each. How much can you afford to lose?"
The most accessible part of any system, says Bevan, is the information stored on notebooks or in physical form. It is sometimes easier to steal a disk or a printout than it is to steal the information from the system itself.
"Do you have any information on your laptop you would rather others didn't see? Have you ever left it alone in a hotel room when you're travelling?" Bevan says companies should have a strict policy that limits the information carried on portable devices because even if the device isn't stolen, users can't be sure it hasn't been imaged and the information itself copied.
That raises another problem for companies that may have been hacked into or have had data stolen: how do you protect the chain of evidence? "If your site has been hacked into and changed you should have a policy in place that outlines how you deal with it. Do you call the management first, then police, then IT staff, or what?" Bevan says firms often don't preserve the evidence when a site is hacked, and that makes it hard to prosecute, even where laws cover computer crimes. As for claims that ex-hackers are still criminals and shouldn't be classified as "security consultants", Bevan says it's better the enemy you know than the one you don't. "I'm up front about my past, about my history, and if you don't want to hire me that's fine. But what do you know about the people working on your system?"