Locking It Down

Cyberthieves are watching. Here's how to keep your data safe and sound

Every six to eight months, a zombie attacks the e-mail server at Guy Brown, a Brentwood (Tenn.) company that refurbishes and sells office products. It's not a Dawn of the Dead zombie, but a virus that invades computer systems to send bogus junk mail. The intruder has even caused one of the $150 million company's biggest customers to stop accepting its e-mails. "A small business is about the relationships you have," says Philip Markuson, senior vice-president for operations at the 70-employee company. But cyber compromises can make clients start wondering whether "you have trouble running your business properly and diminish the trust you've built up," he says. That's why Guy Brown is upgrading security for its technology infrastructure, including spending about $5,000 to create a virtual padlock to keep out Internet hackers.

Smart move, and one that is not as common as it should be. More small businesses now have Web sites and e-commerce capabilities—potentially exposing company and customer data to thieves—but lack the safeguards many big companies have in place. About 57% of small companies don't think they need a formal plan to secure their data, and 61% say they never sought information on properly protecting their files, according to a March, 2007, survey by the National Federation of Independent Business and Visa USA. "Criminals look for the weakest link in the chain," says Gurpreet Dhillon, a professor of information systems at Virginia Commonwealth University. "Where's the weakest link? Small businesses."

Hackers are increasingly sophisticated, too. In the past, viruses with names such as Mydoom and iloveyou were spread by people craving media attention. These days, says Larry Clinton, president of the Internet Security Alliance, a trade association devoted to Internet information security, "the criminals are more like Tony Soprano than Ferris Bueller. Organized criminals are now doing it—not to show off, but to make money."

Protecting your network means taking a series of steps, including installing security hardware and software, putting an employee in charge of security, and educating all your workers.


Hackers' tactics, and the products to combat them, are always changing. Having an employee dedicated to security will help you stay on top of things, says Ron Teixeira, executive director of the National Cyber Security Alliance, a public-private partnership that includes the Homeland Security Dept. and the Federal Trade Commission. Typically, the head of your IT department should fill that role. Companies that don't have IT staff should think about hiring a consulting firm. The best way to find one: referrals. Scott Testa, an adjunct professor at St. Joseph's University in Philadelphia who specializes in small company technology, advises entrepreneurs to ask firms if they have experience with small companies and with their industry. They should also ask about whether their staff will be available at any time in case of a security breach. "Independent, third-party firms that don't sell products are more objective," says Testa.

At a minimum, says Rob Fitzgerald, a computer forensics expert and president of Lorenzi Group, a consulting company in Danvers, Mass., "small businesses should have in place a firewall and have antispam/spyware and antivirus software installed on all computers." A firewall, which can include hardware or software or both, prevents unauthorized access to your network. All messages coming in or leaving your company pass through the firewall, which blocks those that do not meet your security criteria. Fitzgerald recommends that all small companies use firewall hardware. Sonicwall's (SNWL) TZ, Fortinet's Fortigate Unified Threat Management, and Cisco's (CSCO) Pix are all boxes you can plug into your modem. Buying the providers' annual service agreements, which run about $100 a year, gets you updates and access to tech support staff.

You will need to buy software for each computer, even those not hooked up to the Internet, as you could download a virus from a thumb drive. Symantec (SYMC), Grisoft (INTC), and McAfee (MFE) offer software packages that supply the basics. Figure on spending no more than $100 per computer.

Henegan Construction was getting about 3,000 virus-affected e-mails a year. So the $300 million New York company installed Symantec's antivirus software several years ago. Last year Henegan added filtering software by Websense (WBSN), which blocks certain Web sites that might be infected. The cost for the two packages is about $5,000 a year for 25 computers.

Henegan also hasn't been lucky with its laptops, which have been stolen frequently. So the company signed up with a laptop tracking company, Absolute Software in Vancouver, for $100 per computer for a three-year contract. The service recently helped Henegan recover a laptop within two months, says Juan Alessandri, head of it at Henegan.


Hardware and software are important, but they are not the whole story. You'll also need to draw up a policy on how your data must be stored and who has access, says Dhillon: "If yours is a retail outfit, follow Visa and MasterCard's (MA) encryption and data storage policies closely." He advises companies not to print complete credit-card numbers on a receipt or store data longer than necessary, and to shred invoices. Small businesses also need to make sure the wireless networks they use are encrypted. "Do not provide open wireless access from the same connection that is used for business transactions," Dhillon says.

Don't forget that a big source of security breaches are employees themselves, either through sabotage or unwittingly downloading a file with a virus attached. Teixeira points to a tactic called spearfishing, in which criminals contact employees in key positions. "They actually send an e-mail marked urgent—something like, 'we had a break-in, and we want to make sure everything is safe. Please provide us with your log in and password,'" he says. Instruct all employees not to download e-mail attachments unless they know the person who sent the message, and never to give out passwords. Send out bulletins informing workers of new scams. Clinton even recommends forbidding employees from using their computers for personal business, but providing ones they can use to surf the Internet in a common area. A little inconvenience isn't too much to pay for keeping your company's data safe.

Back to BWSmallBiz February/March 2008 Table of Contents

    Before it's here, it's on the Bloomberg Terminal.