How Small Business Can Fight Internet Hackers

First, company e-mails started to take forever to arrive. Then Jose Cruz, network specialist for apparel maker Nanette Lepore, kept getting kicked off the company's central server. A few hours later sales machines at the company's nine boutiques were routinely getting bumped off-line when they tried to connect to the central server. Cruz became increasingly alarmed. Hackers were attacking the business with a so-called denial of service attack, using an army of computers to bombard a server with bogus requests for information, and making it impossible for legitimate ones to get through. "This was a malicious attack to shut down the company," Cruz says. Engineers from his Internet service provider eventually traced the raid to hackers in Asia.

But when the onslaught occurred, in November 2008, at least the 100-person, $150 million business was prepared. It had a battle plan. It had redundant servers, with multiple links between stores, the company's central database, and the Internet. Its Web hosting was offsite, its security software up to date. Cruz's first call was to the Internet service provider that handles Nanette Lepore's boutiques' Web access, which switched off the link that was being bombarded and established a secondary link for the stores to use. Things did not return to normal until three days later, when the ISP was able to effectively block the rogue signals.

In 2007, the company hadn't been so lucky. Without a network engineer in charge of security, and using only off-the-shelf routers for protection, the company's network was a soft target. Two different hacker groups broke into the servers for the company's Las Vegas location. The first hackers, based in the U.S., installed software that recorded individual keystrokes and took screenshots of the terminal handling customer transactions, transmitting the information every two seconds. Simultaneously, a cell in Italy hacked customer information related to potentially hundreds of credit cards. That information was sold and used to create duplicate credit cards for Spanish criminals. Local authorities got involved, then the FBI. Nanette Lepore had to close down its Las Vegas store for three days, and deal with the hassle and embarrassment of having to notify customers whose accounts had been compromised.

Hacker attacks are serious business, and small businesses are under siege. Stamford (Conn.)-based research firm Gartner estimates that about 25% of all small businesses suffered a hacker attack in 2008, up from about 10% in 2003. Small businesses "are seeing more attacks, and they are being targeted more," says Adam Hils, principal analyst for network security at Gartner. Hackers "figured out that small and midsize businesses are easier to get into, and users are more likely to download bad things." They are most likely looking for customer information, which can be sold on a sophisticated black market. Even if you are prepared, an assault can still put your business at risk.

The nature of the most common attacks has also changed. These days they mostly involve employees surfing the Web or responding to e-mails that sound legitimate but are really bogus schemes fishing for information. The "drive-by" takes advantage of the innocent computer user who stumbles across a site run by hackers. When the surfer clicks on links embedded in the Web site, malicious code is automatically downloaded. Often, the goal is to turn the computer into part of a "botnet"—an army of zombie computers controlled by hackers. They're often used to launch denial of service attacks, such as the one Nanette Lepore suffered. In most cases, the code operates in the background, unbeknownst to the computers' users. But it can also open up your network to the prying eyes of criminals. In the well-known "phishing" scam, a computer user receives a fraudulent e-mail that appears to come from a bank or other familiar institution, asking for information such as user names and passwords. START WITH THE BASICSThese days it's no longer sufficient to try to protect your network with a simple firewall. "It used to be in the old days you had a firewall, and firewalls were analogous to a physical wall," says Christian Christiansen, vice-president for security products and services for IDC. "That is no longer the case." With more employees working remotely, there are more points of entry to your network. Vulnerabilities can be created by laptops, PDAs, removable drives, and even smartphones. Desktops and laptops absolutely have to be protected. Smartphones and PDAs are less of an issue—so far.

But security is now just as much an employee management issue as it is a technological one. You'll want to start with the basics, such as making sure your software is up to date. Banish passwords that are simple or easily guessed. Security experts recommend passwords up to 26 characters long that form a memorable phrase, rather than an eight-character jumble that means nothing and is easily forgotten. Change passwords every three to six months.

To secure your Internet connection, you can use packages that include antivirus and anti-malware abilities, intrusion detection systems, and, in some cases, sniffers for virus-infected e-mails. Such packages may also include applications that create "white lists"—lists of safe Web sites. If employees work remotely, make sure they tap into your network via a virtual private network, or VPN. You can also set ground rules about the kinds of Web sites they can visit during their work hours.

Nearly 60% of small businesses rely on traditional firewalls. But newer, so-called multifunction firewalls (which use hardware, software, or a combination) offer some improvement. They serve as a gateway, inspecting data leaving the company and data coming in. Many have e-mail sniffers that look for dangerous attachments or other pieces of code that can infect a network. Or they notify account administrators of attempted break-ins. Prices run the gamut from $2 a month for up to 100 people to a flat $5,000 for a powerful box that sits at your company. Vendors include CheckPoint, Symantec, SonicWall, WatchGuard, and Zscaler. The firewalls also may create white lists and give workers VPN access.

OUTDATED SOFTWAREOnce you have your security system in place, you need a set of rules that will ensure employees aren't inadvertently infecting your network. Put the policy in writing, but don't make it so long or draconian that it inhibits employee creativity. "I've talked to some small businesses that copy large companies with 100-page plans," Hils says. "When it is too complicated, it is counterproductive." Hils says a reasonable policy might, for example, allow open access to Web sites (a good security system ought to filter out the ones with malicious code) but restrict employees to an hour or two day when they can do things like visit social networks, where viruses are known to lurk. And when it comes to social engineering scams, the solution is obvious: Never give out passwords, addresses, or any identifying customer information to unknown sources.

Out-of-date antivirus software does you little good. Some security packages will update automatically, but others require individual users to take the initiative. In that case, make sure your employees update once a week. Spot checks of your office can be useful—but do it with a light touch, to avoid the Big Brother effect, Hils says. You want to make sure passwords are not posted on computer terminals and that employees log off at the end of each workday.

Other software applications need to be kept up to date, too, especially QuickTime, Internet Explorer, Flash, and ActiveX. These applications are popular among hackers simply because they are used by millions of people, making them tempting targets for those out to infect as many computers as possible.

ODD CODEThat's exactly what happened to Leon Baranovsky, president of TeamUp! Tutors, a four-employee, $500,000 company in Los Gatos, Calif. The Friday before Labor Day, he logged onto his company's network and wrote a blog post about new ways teachers are using technology in modern educational settings. But as he was about to post his entry, Baranovsky, a former computer science engineer, noticed an odd piece of code inserted into the URL of the post. "I knew something was awry and I was alarmed," says Baranovsky, who was using WordPress, a popular blogging software. He pasted the code into Google (GOOG), and was amazed by what came back: Web posts describing that exact code as evidence of a common hack attack. He contacted his Web development team, which had to rebuild parts of his site. First they had to remove WordPress, then reload the latest version. The newer version blocks the hole, but Baranovsky says he was unaware that WordPress updated its software every couple of months, and that he had missed the most recent upgrade. "I am being more diligent about that now," he says. Then Baranovsky's team had to take a backup of the company's data from the day before the attack and reload that on the server, recreating several days' worth of work. The company's Web site was offline for two hours. "The Web site is our storefront, and so it is like any other business when you close the doors during business hours," Baranovsky says. "You don't know what you have lost and whatever leads we may have had coming in." The other cost is credibility, Baranovsky says, in an era when customers and potential clients expect Web sites to be up 24/7.

Overly simple passwords and the lack of a data backup plan led to a damaging hack attack against Nolcha, a New York consulting firm with six employees and $800,000 in annual revenue. "It was nerve-racking and frightening. It was like I had no control," says Kerry Bannigan, Nolcha's CEO. Early this year, Bannigan says she was awakened in the middle of the night by the company's Web site manager. Hackers in Turkey had shut down her company's site and replaced it with their own insignia. Nolcha, which consults in the fashion industry, had extensive blogs and thousands of images from fashion shows and events on hundreds of pages. All of them were corrupted. Worse, Bannigan's outside Web programmer hadn't backed up her data. "It made things tough for the whole week, and for weeks after, letting the clients know we were all O.K.," she says. It took 48 hours to fix the technical problems and two weeks to reassure her clients.

Bannigan's Web programmer suspects an easily guessed password for the administrative panel on the site enabled the attack. Now Bannigan uses more complex passwords and changes them frequently. She makes sure her staff doesn't share them with anyone. And she's making regular backups.

It's also critical to keep in mind that Internet threats are evolving. In the coming years, PDAs and smartphones will become more common routes for attacks, experts say. Such attacks are already on the rise in Asia, says Vincent Weafer, vice-president of security response for Symantec. For entrepreneurs, that means never taking their eyes off the ball when it comes to Internet security. "As a business owner, we all wear 20 hats, and now I have to be the Web guy, too," Bannigan says.

Return to the BWSmallBiz December 2009/January 2010 Table of Contents

    Before it's here, it's on the Bloomberg Terminal.