Big businesses do, even if they don’t admit it. The numbers on overall business loss due to network security breaches are stunning. The Code Red virus alone infected more than 300,000 workplace computers in 14 hours and cost more than $2.6 billion worldwide. InformationWeek Research estimates the cost of security-related downtime to U.S. businesses in the past 12 months at $273 billion. Worldwide, the tally was $1.39 trillion.
How much of this affected small businesses? Nobody knows–and that’s the point. Independent firms can suffer at-tacks and not know it until later. They have networks, but lack the support that corporations get from information-technology groups. Says Lance Spitzner, a senior security architect for Sun Microsystems: “The big problem with small businesses is not technology, but just [making them] realize they are a target.”
No one with an Internet connection is immune. Alan Paller, director of research at the SANS (System Administration, Networking and Security) Institute, a research and education organization, says, “I think of small-business security issues as much harder problems. The challenge is, they have the same vulnerabilities to deal with as large corporations, because the vendors sell them the same systems, but they don’t have anyone on staff who knows how to harden their systems against attack.”
Often, small-business owners think that the expense of protection–such as buying software shields–is not worth the risk. Beauty Fashion’s Levy, who doubles as the in-house computer man, had argued with his boss for months to install protective software. But the boss wasn’t sure it was worth it. Until the company got hit. Now there’s a firewall, with automatic antivirus updates from Symantec. But Levy wants even more–an intrusion-detection system called BlackIce. The boss won’t spring for the software for all the computers, so Levy has installed it on his own.
How many ways can your system be damaged? The SANS Institute has published a white paper on the 20 most common security vulnerabilities: it runs 27 single-spaced pages and offers suggestions from the obvious though often ignored–don’t tape your password near your keyboard–to the highly technical.
A good firewall, installed properly, and good basic corporate policies will prevent many intrusions. A firewall isolates a computer from the Net using a “wall of code” that inspects each piece of data as it arrives to either side of the firewall–inbound or out–to determine whether it should be allowed to pass. Antivirus software prevents recognized bugs from infecting the computer. But it must be updated regularly to account for new intruders.
The Houston law firm of Cokinos, Bosien & Young implemented a regularly updating virus-protection system from McAfee after the firm’s computers were hit by a virus that, luckily, was limited to one PC. Gregory Cokinos says he’s seen other firms shut down for weeks because of viruses. “Most of our employees have no idea when they are hit or that the McAfee system neutralized whatever it was,” he says. “We’re hit all the time, but we don’t have to do anything–it’s seamless, just humming in the background.”
Trevor Morgan owns a financing company in Naperville, Ill., called Prairie Business Credit. His moment of truth about the necessity of computer security came during one of his regular meetings with local businessmen. A supplier told the group that an infected e-mail had come into his company and shut it down for two weeks. The firm, which orders and installs heating and air-conditioning equipment for homes, depends on its computers for everything from ordering to scheduling. The company lost $20,000 in business, but that turned out to be the least of it. The company suffered personnel problems after the shutdown. Morale fell, the bookkeeper left. “Disaster keeps falling on the guy now,” says Morgan, who returned to his office “in a panic” to talk to his partner. He ran out immediately and purchased a few extra computers and decided to isolate his company’s system from the outside–one set of computers could be used for e-mail, the other for company business. “To my mind, spending $800 for a computer was nothing compared with what could happen to my business if the computers were destroyed,” he says.
Prairie Business Credit has nine employees and lends about $1 million a week, and it keeps pages and pages of records on its computers. Morgan kept two PCs on each desk for four months until a computer consultant persuaded him to build a network, install a firewall and run antivirus software. And get rid of the duplicate PCs.
Morgan remains wary: “I’m very vigilant about throwing out e-mail from people I don’t know, but I don’t know if my employees are equally careful. I’ve got protection, but even antivirus software can’t inoculate you if you’re the first guy to get hit with a new bug.” Prudent office policy dictates discarding e-mail with attachments from anyone you don’t know. A virus can take over your address book to propagate itself, as anyone familiar with the Love Bug virus knows.
Leaving your company computers open for attack is not just a private negligence. It could lead to your becoming the Typhoid Mary of your industry. Cleo Pirpiris, managing principal for Engle Consulting Group, which offers consulting services for telecommunications companies, recalls the moment her firm was putting together a central database and one of the computers got infected by a virus attached to a resume. The company has offices all over the country and assembles teams of workers for specific jobs, so lots of resumes are sent in and out of the firm. Resumes, which are often written in Microsoft Word, are perfect hosts for viruses because they can conceal invisible programming scripts. “We rely on Web-based communication to make our virtually linked offices work,” Pirpiris says. “We figured out real quickly that if we’re wiping out people’s hard drives, we’re not doing so well.” The firm caught the problem before it left the company computers, and has installed McAfee virus-protection software on all its machines.
Computer security is a problem at all levels of the business food chain, from individual users to multinational corporations, assuming they have access to the Internet. Steve Chanen, president of Chanen Construction, the second largest construction-management firm in Phoenix, keeps himself informed about computer-security issues, even though he has on-site IT personnel. One of his first decisions was to make sure all the company data remained isolated from Web and Internet access. He also keeps his internal computer systems isolated from each other. “We run separate networks for each department. That’s primarily for safety, so employees don’t have access to other departments.” His decision to keep all internal systems unconnected to the Web is prudent: 75 percent of hacks occur through a Net browser.
Damage is not limited to destroying PCs and spreading destruction to others. You could also open yourself up to liability claims or threats of prosecution. If your computer is vulnerable, hackers can use it to launch attacks on other computers, or use it to store things–like pornography or stolen credit-card numbers. Allan Paller of SANS says, “When you get a call from the local FBI asking, ‘Why is your company computer being used to attack the Department of Defense?’ then you take notice.”
Hackers are smart, driven and relentless. Just the names of the schemes they have come up with for intrusion are worthy of fiction: “cookie poisoning,” “buffer overflow,” “parameter tampering.” Auditors at Web security firm Sanctum, using these schemes to test the vulnerability of systems in various industries, were able to do all kinds of mischief. At a bank, they signed up two senior VPs for credit cards at -129 percent interest. At a mutual fund, the auditors viewed other people’s portfolios, impersonated the chief technical officer and made unauthorized trades. At an airline, they got access to all employee schedules. (The airline did not buy a software solution but decided it could solve the problem manually.) In health care, they opened all patient files and altered information in them.
All signs indicate that the problem is getting worse. The good news is that there are adequate defenses for all but the most determined and skillful intruder. Yet to work, they must be utilized. Levy sums up: “It’s like backing up your files. You tell them and tell them. And it isn’t until they get hit and lose everything that they get religious.” For small businesses, it’s time for church.
