The revelation that an Internet-obsessed "Jihad Jane" this week was charged with involvement in a terrorist murder plot reminds me of an IT vendor I encountered last month.

This vendor, who sells IT security software, informed me that online terrorism is a major threat to enterprise security. While malware is a nuisance, the vendor said, the real focus for IT should be on preventing terrorist threats to organizational networks and data stores.

At first, I wasn't sure what this meant. Surely your average enterprise isn't a focal point for organized takedowns in the same way that a government agency would be. After all, its trade secrets and customer data that are most at risk reside in corporate data centers, not the systems themselves -- right?

At least one security expert agrees with this assessment. When I wrote to security author Robert J. Hansen, inquiring about whether terrorism is really an enterprise threat, he wrote back: "Bunkum, mostly... I can imagine some tech-savvy extremist activist outfits trying to penetrate enterprise systems in order to discover dirty laundry and embarrass the company, but these seem to be cases better handled by criminal courts than by anti-terror statutes."

Indeed, Hansen thinks it's not constructive to lump together terrorism and private enterprise: "There is no possible good that can come out of bringing your business to the attention of federal law enforcement. Talking about 'we're vulnerable to terrorism!' is tantamount to giving the FBI an engraved invitation to come in and look around."

Gideon Lenkey of Ra Security Systems says: "I really don't see how it translates to the corporate environment beyond high-profile companies being targeted by traditional terrorists or violent activists using traditional terror tactics. I especially have never seen it map directly to IT."

At the same time, Lenkey cautions: "I've seen plenty of extortion, 'pay us or else' kind of plays that are IT centric. I've also seen cases of people who are members of or have strong ties to terrorist organizations seeking jobs in IT departments of critical infrastructure (yikes)."

The intersection of private sector IT and critical infrastructure seems like a logical -- and chilling -- focal point for terrorism. "If you are a large business, you should know every vertical you are involved in and where your factories are... An example is, your company may make screws, but if your company provides screws to the government and these screws are used on predator drones, you may be a terrorist target," states Tom Stamulis, manager of the governance, risk, and compliance group for a major U.S. service provider.

Stamulis recommends that security personnel who fear terrorist threats create an incident response team or add a terrorism section to an existing incident response plan; develop and implement a terrorism security awareness program that includes information about cyber-terrorism and kidnapping prevention; and add possible terrorism attack scenarios to the business continuity testing conducted regularly by the organization.

All this may be easy to justify if you work for an aerospace firm or other enterprise with a large government clientele, or if you work for a critical infrastructure company, such as a regulated utility. But what about other kinds of firms? How can IT -- already living on a slashed budget -- ask for the resources needed to protect against a threat that may be hypothetical?

"Guarding against possible terrorism is not economically feasible unless the threat level is very high," states Kevin D. Murray of security consultancy Murray Associates in an email. "Enterprises need to evaluate their realistic risk of terrorism. Most will find the risk is very small at this point in time."

Still, there are threats other than malware, such as business espionage, Murray maintains, that merit proactive strategy. "A calculated loss from only one espionage incident makes a compelling argument for funding counterespionage in any security program," he states. "Not having a strategy is indefensible from a stockholder's point-of-view."

Murray says corporate espionage can result in unrealized profits and wasted investments across multiple lines of business. "Successful business espionage pops up as 'interesting coincidences,' look-a-like products, and mysterious lost profits," he notes, which ultimately can devastate a corporate bottom line.

Does your IT department need to be concerned with terrorism? It's a question worth asking.

— Mary Jander, ThinkerNet Editor, Internet Evolution

This blog is part of Internet Evolution's IT Clan, which addresses the continuing impact of the Internet on enterprise networks, applications, and management. Register here to join the IT Clan's conversation, and you just might win something unspeakably cool.