By Pat Curry. Ed Andrews, the vice president of information technology at Crosswinds Communities, in Novi, Mich., keeps a log of the virus-infected e-mails that are sent to the company's mail server. The average is between 200 and 300 -- every day.

Fortunately, they rarely do any damage because the company has an extensive security system in place. It uses MacAfee's GroupShield Exchange anti-virus software and firewalls, plus it has established user policies to help protect the company's data. But the barrage of outside electronic assaults is a daily reminder of the need for constant vigilance to protect the company's systems, and more importantly, the data on them.

Crosswinds considers the investment in data protection to be critical because of the company's dependence on technology, says Keith Kallen, vice president of finance, national division.

"We have such shortened cycle times for transaction processing," Kallen says. "We work with a lender with which all the funding is electronic. If we were ever down on a Friday or Monday, how paralyzing would that be? When ou're working with vendors who expect their money at a certain time, there's a dependency on this I'm not sure everyone understands."

Without question, production builders are the big users of technology. The use of network-based systems to link project participants from remote locations is increasing. Laptop computers with Internet access are standard issue for employees who travel. Divisions separated by thousands of miles communicate constantly with headquarters via networks. Electronic systems are used for everything from bidding and invoicing to employee evaluations and sensitive land purchase negotiations.

Weak Links

While builders might not be overly concerned with corporate espionage, they absolutely need to address system attacks that affect their ability to do business.

"It's wonderful to have information exchange at a high rate of speed," says Dain Gary, chief security officer and senior vice president of RedSiren, a managed security services provider working with more than 800 client companies. "It lets us be efficient. But if there's ever a glitch, it puts the business at risk. You start hooking the surveyors, the architects, the lawyers, and the suppliers together, and the protection is at risk because all the systems are hooked together. If one partner isn't doing their part with protecting access to the computer, then everyone in that little community is at risk."

Management at Coral Gables, Fla.-based Avatar Holdings learned that the hard way. A virus had hit its system and was using to send out tens of millions of spam messages. They didn't even know about it until employees realized their e-mail messages to people outside the company weren't getting through because they were turned back by spam filters.

"You think you've got it all," says John Jordan, Avatar's vice president of business information systems. "So much is going on, you can't know it all."

Now, Avatar regularly brings in third-party inspectors to check the system for security glitches.

A second reason builders need to address data security is the protection of information that could be used to commit identity theft. In February, a hacker accessed 8 million credit card numbers held by a company that processes credit card transactions. That pales in comparison to the level of detailed, personal information held by a builder's mortgage department on its applicants, or in any company's personnel records.

Having a security system in place encourages thieves to go somewhere else. Just as car theft and burglary are crimes of opportunity, so are virus attacks. If your technological doors and windows are locked, they'll look for ones that are open at someone else's company, says Vincent Weafer, senior director of Symantec Security Response, the company that makes Norton Anti-Virus.

"There's no point putting alarms on windows, though, and leaving the front door open," he says. "That's the equivalent of anti-virus software but no firewalls."

Where to Start

The foundation of data protection is a policy on the appropriate use of e-mail and access to the company's systems. That's followed by training to educate employees and vendors about the policies (and the reasons for them), training for system administrators on how to read system logs, and training for executives on the extent of the problem and the business case for the investment.

"People are always the weakest link in any system," RedSiren's Gary says. "Have an awareness program to get them to appreciate how much sensitive information is being moved about in a very reckless manner if there's no security in place."

10 Steps to Improved Data Protection

1. Educate and train staff ? and any vendors who have access to your system ? on data protection policies and procedures. Compliance is critical.

2. Don't use default passwords when launching new software.

3. Turn off unnecessary software features, such as Web servers and email programs you won't use.

4. Establish role-based security. People should only have access to the information they need to do their jobs. The human resources department staff doesn't need access to trade contractor bids.

5. Require users to regularly change passwords, preferably with number-letter combinations.

6. Use identity authentication when sharing documents.

7. Protect all areas of connectivity, including e-mail, instant messaging, DSL lines, and wireless networks. Firewalls are essential for machines that connect to the Internet.

8. Keep up to date with software vendors on security patches.

9. Have a response plan. You will probably be infected by a virus at some point. It's good to know how you'll handle that.

10. Back up data on a daily basis. If possible, establish redundant sites.

One of the policies recommended by RedSiren is a statement that the company reserves the right to review all e-mail and to monitor employee use of the Internet. They also recommend controlling system access for temps, consultants, and contractors -- and careful pre-employment screening. "Those on the inside are the ones that are so dangerous to us," Gary says. "That's where we suffer large financial losses."

If you're sharing data with business partners over networks, make sure they know what information you consider sensitive, Gary says.

"Your firm might think your customer list or pricing is sensitive," he says. "Unless that's known by your partners, they might be accessing it freely at various access points."

Policies and procedures need to be backed up by systems -- firewalls, anti-virus software, and network intrusion detection tools to identify and monitor suspicious behavior, such as repeated attempts to log on with the wrong password. Regular monitoring of firewall logs and Internet activity is crucial.

"It doesn't help to find out you were robbed a week ago," Gary says.

The first step at Avatar was installing passwords at various levels and segmenting data access according to job function. "Customer information, pricing, options, and payroll are very important to protect from different levels of employees," Jordan says. "We don't want clerks looking at payroll."

Crosswinds established the same kind of system, dividing the company into functional work groups that can only access their group's data.

If there's one issue that seems to drive everyone nuts, however, it's passwords. Employees at Avatar have to change their passwords every 30 days; they get two weeks' notice before they're locked out of their account.

And Crosswinds requires its employees to change their passwords every 90 days. Plus, various internal systems have their own passwords, so it's conceivable that someone logging in from the field faces several layers of security.

"Users get tired of maintaining all these passwords," Andrews says. "They want them all to be the same. It's more of a training issue than anything else, training people that this is the way it has to be."

Taking Security Seriously

Like most companies, Crosswinds and Avatar have firewalls and anti-virus protection to safeguard their systems from Net-based attacks. Crosswinds issues laptops to employees who travel or work from home. That eliminates a common source of viruses -- people bringing in disks or sending e-mail from their home computers to the office.

Avatar's AS 400 server is backed up nightly and the data is stored in a secure location off-site. Only three people can call to retrieve the tapes, and identification is needed to get into the site and take the tapes out. They also perform an annual internal security audit.

"We take security pretty seriously," Jordan says. "You don't have a choice."

William Robinson, COO of Palmetto Traditional Homes, in Columbia, S.C., goes beyond serious on data security.

"We're kind of paranoid about it, but I think you have to be," he says.

He doesn't mind anyone looking at information that's not proprietary. With a user name and password, they can do that at a Web-based read-only database that is updated once an hour.

"I won't take extraordinary efforts to keep scheduling secure," he says. But anyone who wants to change data has a lot more hoops to go through. "We lock it down," Robinson says. "It's pretty damn tight."

For backing up data, he uses a Maxtor system as well as a tape drive that's stored in a safe deposit box at a bank. Plus, all the information in the primary databases in the Columbia and Charleston offices is backed up in both places.

"If anything happened at either building, we could still go to work the next morning," he says.

The current challenge that Kallen and Andrews see is the rising use of outside contractors. Their Florida sales force is a third-party group, and existing policy has made it difficult for Crosswinds to share information with them.

"It's an area that we're working through," Kallen says. "It's a growing challenge to face because the traditional organization where everyone works under the same umbrella is changing. We have to figure out the best ways to handle that."

The Internet has helped with the situation, Andrews says, because it doesn't require installing proprietary software on a vendor's computer. The next generation, he says, is extending data so trade contractors can view their account history without having to call their account representative and home buyers can get online and monitor the progress of their house.

"That's the next generation of challenge," he says, "and the functional thing we'll want to move on."