Special report: technology
By Elizabeth Geldermann, of SBT

When several computer viruses took over the computer systems of a local tax
consulting firm, the employees were unable to use their computers, and
they were concerned that vital information about their clients would be
compromised. The business owner had not implemented a security
infrastructure into the company's computer system because employees had
been told not to surf the Internet or open e-mail attachments from
unknown recipients.

However, an attack still occurred. Several days, and several dollars later, the
company was back up and running, this time with security. "We took a
layered approach to security," said Raj Chandra, a wireless
optimization engineer for Milwaukee-based NetSolutions Corp., which set
up the new security system for the company. "We protected their
perimeter, we ensured their local resources were secure and we enforced
security policies, including changing vital information on a regular
basis and quarterly checks on their network security. For obvious
reasons, we cannot give out the company name."

Business computer systems are becoming increasingly vulnerable to such attacks,
according to information technology industry experts, and many business
owners have misconceptions about their chances of becoming targets for
hackers, viruses and security breaches. "People used to say that if a
new company survived after two years, they were fortunate, but now with
viruses and a lack of protection, companies are going down a lot
sooner," said Laverne Ihm, chief executive officer of NetSolutions. "A
lot more companies are going belly up because they don't have
protection."

Some clients that NetSolutions has worked with made every employee an
administrator in their system, which makes internal security an issue,
Chandra said. "Company information needs to be on a right-to-know and
need-to-know basis to eliminate liabilities for a business," said
Jeremy LaSage, president and principal consultant for NetSolutions.

Small Business Information Security Readiness, a study conducted this year by
the Small Business Technology Institute, revealed that most owners of
small businesses are not protecting themselves from possible internal
or external security threats. The study was sponsored by Symantec Corp.,
a Cupertino, Calif.-based security partner for businesses. The study
found that small businesses are becoming more vulnerable to information
security threats or breaches as the businesses continue to invest in
upgrading technology and mobilizing employees.

"Small businesses are largely unaware and uneducated about information
security risks and their economic repercussions, and they have a
complacent and passive attitude towards information security
protection," the study's key findings said. At least 40 percent
of the small businesses surveyed use networks and mobile devices, but
less than one third of small businesses increased their security
spending in the last year, according to the study, which surveyed more
than 1,000 small businesses that employed 1 to 10 employees.

"We see trends where bad guys are looking more at small businesses as
targets," said Kraig Lane, group product manager for Symantec. "Small
businesses have the same type of customer data as big companies, but
appear to be less protected. It is the same mentality of a criminal
that would rob a convenience store or liquor store instead of a bank."
Chandra said some business owners think that if they are farther away
from a big city, they are less vulnerable, or if they are a small
company, no hacker would go after them.

"It is a common misconception that virus protection is enough, but
(companies need) much more than that, and ignorance is bliss," said
Gregg Tushaus, president and chief executive officer of Wauwatosa-based
Tushaus Computer Services Inc. Businesses need to adopt multiple
layers of security to protect themselves from both the casual and
experienced hacker, IT industry experts say. Small businesses tend to
purchase wireless routers to connect employee laptops in the office or
enable employees to work off-site, without purchasing additional
security measures. Some businesses believe a router that comes with a
firewall will suffice, Lane said.

A firewall is a helpful tool, but it acts more like a fence that hackers
can try to gain access through by sending multiple worms and viruses
toward it, Lane said. "What has happened with big companies is that the
firewall acts as a perimeter," Lane said. "There have been a lot of
attacks over time developed by bad guys that realize (the perimeters)
are like big castle walls in the company, so they shoot huge flaming
arrows at (the perimeter). They may shoot 100 arrows that are blocked,
but if one gets inside the castle wall and the building roofs are made
of straw, the whole place will burn down."

Multiple layers of security, including intrusion detection and spam and spyware
filtering systems, provide more protection than just the firewall. That
way, the flaming arrows might cause a small loss in productivity, but
the contents inside the castle, or computer system and server, will not
burn, IT industry experts say. At a minimum, business owners who have a
limited budget for security measures should at least implement virus
protection, software firewalls and a content filtering system, Lane
said.

Firewalls cannot protect against fraudulent e-mails and advertisements, so
employees should be trained to recognize and avoid responding to them.
By not implementing security measures, companies take a calculated risk
that can cost more to be reactive than to be proactive, Tushaus
said. Unfortunately, a business owner will not see or appreciate a
return on investment for a security infrastructure until something
happens, Chandra said.

"We are finding now that in the past, the bad guys were a lot like
electronic graffiti writers and would confuse computer systems and
owners. We wondered why they were writing these viruses and not getting
money for it because it looks like it takes a lot of time and they
can't get any credit for it," Lane said. "Now we are finding that
people have moved to be more like electronic pickpockets where they are
trying to get credit card numbers or rip off small businesses."

Part of the reason that hackers may have turned into electronic pickpockets
is because the information is available, Lane said. More people are
using the Internet as an automated teller machine or giving companies
credit card numbers to keep on file for convenience, he said. Companies
that keep credit card numbers in a computer system are not necessarily
safeguarded against attacks by viruses and hackers, Lane said. Although
security and computer system companies are trying to educate small and
medium-sized business owners about proper security measures that need
to be in place for both the sake of the business and its clients, many
business owners pass up opportunities to educate themselves because
they believe someone is trying to sell them an unnecessary product or
they do not have the time to learn, IT industry experts say.

Both Symantec and NetSolutions, among many other companies, offer free
education to consumers and businesses, Lane and Chandra said.
"Companies say they can't afford to do it, but really, they can't
afford not to do it," said Keith Gagnon, business technology consultant
for NetSolutions. NetSolutions provides companies with business
consulting, vulnerability scans of computer systems and intrusion
detection and offers clients a variety of security solutions, said
Allen Waters, corporate marketing director for the company.

When software programs are created and continuously updated, holes in the
programs are inevitable, Chandra said. Each hole in a program causes
users to be vulnerable to problems with the software and susceptible to
hackers. Software providers create "patches" to fix those holes.
NetSolutions currently has a list of 1,500 and 2,000 vulnerabilities
and patches, Chandra said.

"It is part of our philosophy to manage security," Chandra said. "For
example, Microsoft releases patches for security, and hackers hope
people don't use them. Hackers write programs for those
vulnerabilities." Chandra likened the process of securing a complex
computer system to taking care of a large house. "When a house
starts with four walls, (individuals) know where there are flaws
because they can see them. But for a house that constantly grows, after
15 years it is a mansion and how can one monitor all of the walls?"
Chandra said. "Essentially it becomes bigger than you and it is the
same for security. There are so many leaks, back doors and alleys that
no one has considered."

Microsoft, for example, announces vulnerabilities it has found on a security Web
site (www.microsoft.com/security) and provides patches for those
vulnerabilities, Waters said. "Education could be a good service
for people. If they receive it and understand it, for little or almost
no effort they can avoid disaster, because it can cost 10 to 100 times
more to fix a problem than to buy security software," Lane said. "Like
most things in life, an ounce of prevention is a pound of cure."
Myth Busters:
The common misconceptions that business owners have about security can
become a deadly threat to a business. NetSolutions busts some of the
more common myths its clients have believed in the past.
Wireless Myths:
• I don't have a wireless network: It may be true that a business owner
has not installed a wireless network but owners need to be sure their
employees have not plugged in a wireless access point, leaving a
company network vulnerable.
• Wireless network is plug and play: When wireless networks are
installed, IT professionals change default settings and secure the
network.
• Wired equivalent privacy (WEP) will keep me secure: It
is well known and documented that WEP is not secure and if employed,
business owners increase the risk of compromising their network
security.
• My business is too inconsequential to be hacked: This is simply not
true. According to statistics from FBI/CERT, hackers don't discriminate;
everyone is a potential target.
• I am secure: Business owners may say this without knowing the last time a system security audit was run on their network.
Wired Network Myths:
• I don't go on the Internet: Users do not have to be on the Internet to
get infected with a virus. Networks can become infected via corrupt
disks, files and other means.
• It doesn't matter if everyone in the office gets administrative
privileges: Business owners dramatically increase the risk of network
compromise if everyone on the network is an administrator.
• Windows 98 is just as good for our business needs: From a security
standpoint, it is well documented that Microsoft did not have security
in mind while designing the 98 operating system. Business owners
increase the risk of security breach and compromise valuable data if
they are still using Windows 98.
• A firewall will keep me secure: A firewall is only as good as its configuration and is only one aspect of securing a network.
• Microsoft patches will wreak havoc on my existing network: Business
owners are advised to back up their systems prior to installing the
latest patches, but if the latest patches aren't downloaded, business
owners risk serious damage to their network.

Elizabeth Geldermann is a reporter for Small Business Times. Send technology news
to her at elizabeth.geldermann@biztimes.com or by calling her at (414)
277-8181, ext. 121. Technology news can also be sent to: Elizabeth
Geldermann, Small Business Times, 1123 N. Water St., Milwaukee, WI
53202.
September 2, 2005, Small Business Times, Milwaukee, WI