Hacked To Pieces

Think your business is too small to need network security? That's what intruders are counting on

You'd think that being small might give you some de facto immunity from hackers. After all, electronic vandals make headlines by penetrating enormous companies, such as BellSouth Corp. and Symantec Corp., or high-profile government departments such as the Pentagon and FBI. Why would they bother with you?

Good question, says Katherine Gaudette, president of Capetown-Rio Inc. She confronted it herself during a month-long battle against hackers who temporarily knocked her Redmond (Wash.) marketing-communications company off the Web. She has since learned that it's not uncommon for small businesses to get hacked; they're just too embarrassed to talk about it. Gaudette, who specializes in helping small companies look big, is willing to share her story because she hopes that it will help others avoid what her 12-person staff went through.

Her trials began on July 16 with an unexpected phone call at home. Her Internet service was inquiring about an E-mail that confirmed three-year-old Capetown's request to transfer its domain to another company. Say what? "I didn't ask for my Web site to be moved," she replied.

A two-week tug-of-war followed in which someone made repeated phony requests to transfer the domain. Gaudette squelched each one, but the hacker succeeded on the third try. With visions of porn or worse going up under Capetown's name, she scrambled to regain control, getting it back within 24 hours on July 30. Nevertheless, Gaudette checked and rechecked to make sure the system had a thorough backup as of that day, a Friday. "Something told me they weren't done," she recalls.

She was right. By Monday, Gaudette's site was "totally trashed...they were destroying everything in their path." It took several days to get it back up, using the electronic equivalent of string and chewing gum, in between meetings with police, security consultants, and venture capitalists looking over the company--not to mention running the business. It was not until mid-August that the daily attacks ended. Gaudette says the staff was left exhausted and feeling violated by the hacker's electronic strip search of their professional and personal data.

Looking back, Gaudette says, Capetown's mistake was installing a security system to cover its corporate network while leaving the Web server unprotected. The security company Capetown uses, WatchGuard Technologies Inc. in Seattle, quickly stepped in to plug that hole by extending the firewall to the Web site under an existing service contract. Still, the damage could cost thousands to repair--insurance doesn't cover all the losses--and it could have been worse. Capetown's site is just a billboard with demos. Had it been an E-commerce site, the attack could have cut off her revenue--a point she drives home to other entrepreneurs who think a low profile protects them from hackers. "I don't know why they pick on us. But they do," she says.

Bill Hancock says he knows. An FBI forensic consultant on network security, he's also executive vice-president of Network-1 Security Solutions Inc. in Dallas. Hancock believes hacker attacks on small businesses are practice for something bigger, similar to robbers knocking over a 7-Eleven before they try a bank job. But outsiders aren't the only threat. Hancock suggests keeping a wary eye on insiders--"disgruntled ex-employees, acquaintances of employees, even customers who walk into the office and notice that passwords are left on Post-it notes in plain view." (That's why getting hacked is murder on morale. "Because you don't know who's doing it, everybody becomes a suspect," Gaudette says.) Chuck Shih, an analyst at Gartner Group Inc. in Stamford, Conn., says that low-priced local ISPs are another weak point because they lack expert security personnel and systems. And your vulnerability increases dramatically when you shift from a dial-up connection to a full-time link such as T1 or cable lines, because it changes you from a moving target to one with a single, unchanging "IP address" that's always available.

The solution? "Never underestimate the strength of deterrents," says Hancock. "If it's too much of a pain to block up your Internet connection, the vandal will get bored and simply click away." Some basic survival strategies:

Passwords: They're the first line of defense. Even PCs should be protected, because everything is a potential point of entry. So should critical documents. For remote users, consider SecurID (800 732-8743), which changes the access password every few minutes. Users carry a synchronized card or keychain that displays the current password. An outlay of $4,500 buys the system itself and cards for 25 employees.

Firewalls: These allow only authorized people to get into files on the server. You'll need one for each server in your office. Make sure it includes monitoring software and "sniffers" that can help you detect and track suspicious activity. The cost starts at $1,000 from vendors such as Check Point Software, 3Com, and Network-1 Security Solutions, but figure on spending closer to $5,000 for extra layers of security. WatchGuard's package, for instance, includes a "security appliance" installed on your server, plus management systems, software updates, a year of security advisories, and live support. The latter is a must because of the complexity of security; buy a service contract if it's not included.

Secure Sockets Layer/Encryption: A secure socket, which comes with your server, creates a secure line of transmission to thwart hackers who try to intercept information traveling on the Web. In case they do, encryption makes the information difficult to read by scrambling a message or credit-card number during transmission--and you've got the only decoder key.

Costly? You bet. But cybercrime is a fact of life, making security just another cost of doing business. Alas, the Web really isn't so different from the offline world.
