  
special report: technology
By Elizabeth Geldermann, of SBT
When
several computer viruses took over the computer
systems of a local tax consulting firm, the employees
were unable to use their computers, and they
were concerned that vital information about their
clients would be compromised. The business
owner had not implemented a security infrastructure
into the company's computer system because employees
had been told not to surf the Internet or open
e-mail attachments from unknown recipients.
However,
an attack still occurred. Several days,
and several dollars later, the company was back
up and running, this time with security. "We
took a layered approach to security," said Raj
Chandra, a wireless optimization engineer for
Milwaukee-based NetSolutions Corp., which set
up the new security system for the company. "We
protected their perimeter, we ensured their local
resources were secure and we enforced security
policies, including changing vital information
on a regular basis and quarterly checks on their
network security. For obvious reasons, we cannot
give out the company name."
Business
computer systems are becoming increasingly vulnerable
to such attacks, according to information technology
industry experts, and many business owners have
misconceptions about their chances of becoming
targets for hackers, viruses and security breaches. "People
used to say that if a new company survived after
two years, they were fortunate, but now with
viruses and a lack of protection, companies are
going down a lot sooner," said Laverne Ihm, chief
executive officer of NetSolutions. "A lot more
companies are going belly up because they don't
have protection."
Some clients that NetSolutions has worked with made every employee an administrator in their system, which makes internal security an issue, Chandra said. "Company information needs to be on a right-to-know and need-to-know basis to eliminate liabilities for a business," said Jeremy LaSage, president and principal consultant for NetSolutions.
Small Business Information Security Readiness, a study conducted this year by the Small Business Technology Institute, revealed that most owners of small businesses are not protecting themselves from possible internal or external security threats. The study was sponsored by Symantec Corp. a Cupertino, Calif.-based security partner for businesses. The study found that small businesses are becoming more vulnerable to information security threats or breaches as the businesses continue to invest in upgrading technology and mobilizing employees.
"Small
businesses are largely unaware and uneducated
about information security risks and their economic
repercussions, and they have a complacent and
passive attitude towards information security
protection," the study's key findings said. At
least 40 percent of the small businesses surveyed
use networks and mobile devices, but less than
one third of small businesses increased their
security spending in the last year, according
to the study, which surveyed more than 1,000
small businesses that employed 1 to 10 employees.
"We see trends where bad guys are looking more at small businesses as targets," said Kraig Lane, group product manager for Symantec. "Small businesses have the same type of customer data as big companies, but appear to be less protected. It is the same mentality of a criminal that would rob a convenience store or liquor store instead of a bank." Chandra said some business owners think that if they are farther away from a big city, they are less vulnerable, or if they are a small company, no hacker would go after them.
Businesses need to adopt multiple layers of security to protect themselves from both the casual and experienced hacker, IT industry experts say. Small businesses tend to purchase wireless routers to connect employee laptops in the office or enable employees to work off-site, without purchasing additional security measures. Some businesses believe a router that comes with a firewall will suffice, Lane said.
A firewall is a helpful tool, but it acts more like a fence that hackers can try to gain access through by sending multiple worms and viruses toward it, Lane said. "What has happened with big companies is that the firewall acts as a perimeter," Lane said. "There have been a lot of attacks over time developed by bad guys that realize (the perimeters) are like big castle walls in the company. so they shoot huge flaming arrows at (the perimeter). They may shoot 100 arrows that are blocked, but if one gets inside the castle wall and the building roofs are made of straw, the whole place will burn down."
Multiple layers of security, including intrusion detection and spam and spyware filtering systems, provide more protection than just the firewall. That way, the flaming arrows might cause a small loss in productivity, but the contents inside the castle, or computer system and server, will not burn, IT industry experts say. At a minimum, business owners who have a limited budget for security measures should at least implement virus protection, software firewalls and a content filtering system, Lane said.
Firewalls cannot protect against fraudulent e-mails and advertisements, so employees should be trained to recognize and avoid responding to them. By not implementing security measures, companies take a calculated risk that can cost more to be reactive than to be proactive, Tushaus said. Unfortunately, a business owner will not see or appreciate a return on investment for a security infrastructure until something happens, Chandra said.
"We
are finding now that in the past, the bad guys
were a lot like electronic graffiti writers and
would confuse computer systems and owners. We
wondered why they were writing these viruses
and not getting money for it because it looks
like it takes a lot of time and they can't get
any credit for it," Lane said. "Now we are finding
that people have moved to be more like electronic
pickpockets where they are trying to get credit
card numbers or rip off small businesses."
Part of the reason that hackers may have turned into electronic pickpockets is because the information is available, Lane said. More people are using the Internet as an automated teller machine or giving companies credit card numbers to keep on file for convenience, he said. Companies that keep credit card numbers in a computer system are not necessarily safeguarded against attacks by viruses and hackers, Lane said. Although security and computer system companies are trying to educate small and medium-sized business owners about proper security measures that need to be in place for both the sake of the business and its clients, many business owners pass up opportunities to educate themselves because they believe someone is trying to sell them an unnecessary product or they do not have the time to learn, IT industry experts say.
Both
Symantec and NetSolutions, among many other companies,
offer free education to consumers and businesses,
Lane and Chandra said. "Companies say they can't
afford to do it, but really, they can't afford
not to do it," said Keith Gagnon, business technology
consultant for NetSolutions. NetSolutions provides
companies with business consulting, vulnerability
scans of computer systems and intrusion detection
and offers clients a variety of security solutions,
said Allen Waters, corporate marketing director
for the company.
When software programs are created and continuously updated, holes in the programs are inevitable, Chandra said. Each hole in a program causes users to be vulnerable to problems with the software and susceptible to hackers. Software providers create "patches" to fix those holes. NetSolutions currently has a list of 1,500 and 2,000 vulnerabilities and patches, Chandra said.
"It
is part of our philosophy to manage security," Chandra
said. "For example, Microsoft releases patches
for security, and hackers hope people don't use
them. Hackers write programs for those vulnerabilities." Chandra
likened the process of securing a complex computer
system to taking care of a large house. "When
a house starts with four walls, (individuals)
know where there are flaws because they can see
them. But for a house that constantly grows,
after 15 years it is a mansion and how can one
monitor all of the walls?" Chandra said. "Essentially
it becomes bigger than you and it is the same
for security. There are so many leaks, back doors
and alleys that no one has considered."
Microsoft, for example, announces vulnerabilities it has found on a security Web site (www.microsoft.com/security) and provides patches for those vulnerabilities, Waters said. "Education could be a good service for people. If they receive it and understand it, for little or almost no effort they can avoid disaster, because it can cost 10 to 100 times more to fix a problem then to buy security software," Lane said. "Like most things in life, an ounce of prevention is a pound of cure."
Myth Busters:
The common misconceptions that business owners have about security can become a deadly threat to a business. NetSolutions busts some of the more common myths its clients have believed in the past.
Wireless Myths:
" I
don't have a wireless network: It may be true
that a business owner has not installed a wireless
network but owners need to be sure their employees
have not plugged in a wireless access point,
leaving a company network vulnerable.
" Wireless network is plug and play: When wireless networks are installed, IT professionals change default settings and secure the network.
" Wired equivalent privacy (WEP) will keep me secure:
It is well known and documented that WEP is not secure and if employed, business owners increase the risk of compromising their network security.
" My
business is too inconsequential to be hacked:
This is simply not true. According to statistics
from FBI/CERT, hackers don't discriminate - everyone
is a potential target.
" I am secure: Business owners may say this without knowing the last time a system security audit was run on their network.
Wired Network Myths:
" I
don't go on the Internet: Users do not have to
be on the Internet to get infected with a virus.
Networks can become infected via corrupt disks,
files and other means.
" It
doesn't matter if everyone in the office gets
administrative privileges: Business owners dramatically
increase the risk of network compromise if everyone
on the network is an administrator.
" Windows 98 is just as good for our business needs: From a security standpoint, it is well documented that Microsoft did not have security in mind while designing the 98 operating system. Business owners increase the risk of security breach and compromise valuable data if they are still using Windows 98.
" A firewall will keep me secure: A firewall is only as good as its configuration and is only one aspect of securing a network.
" Microsoft
patches will wreak havoc on my existing network:
Business owners are advised to back up their
systems prior to installing the latest patches,
but if the latest patches aren't downloaded,
business owners risk serious damage to their
network.
Elizabeth Geldermann is a reporter for Small Business Times. Send technology news to her at elizabeth.geldermann@biztimes.com or by calling her at (414) 277-8181, ext. 121. Technology news can also be sent to: Elizabeth Geldermann, Small Business Times, 1123 N. Water St., Milwaukee, WI 53202.
September 2, 2005, Small Business Times, Milwaukee, WI
|
