Web Security: Time to Worry

Smaller companies are taking the brunt of spam, phishing and spyware activities. We've got tips to keep you safe.


Perhaps you recall those cute commercials where the cartoon ranger bear tells you, "Only you can prevent forest fires."

A similar self-focused mantra was drilled into my head by information security departments while I was working in corporate: "Our employees are our first line of defense." As an entrepreneur, you and your employees are your company's first line of defense against hacker attacks, phishing, spam, viruses and trojans. Gosh, this sounds a lot like a war; and, in some respects, it is.

At least that's how it felt to Glory Borgeson of Borgeson Consulting Inc., whose website was hacked last month.

"The worst part is not that the site was compromised; it's that my webmaster told me the hosting company only has backups for four days," Borgeson says. "And because nothing has changed on my website in four days, they have no backup.

"My webmaster thought they were performing backups monthly. Meanwhile, to my surprise, my webmaster also doesn't have much of the code."

Just as preventing accidental forest fires is your responsibility, so is backing up your website and all associated files. Don't rely on someone else to maintain your business for you: find out how many days of backups your host actually keeps, keep your own copies of the site files and code somewhere you control, and test that a copy can be restored before you need it.
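A backup routine you control, as an added example that is not the article's or any hosting company's code: it archives the site directory into dated, checksummed tarballs, keeps a longer history than the four days in the story above, refuses to restore an archive whose checksum no longer matches, and rejects archive entries that would write outside the restore directory. The paths, the stamps and the retention count are assumptions made for the example; the site content it creates is constructed.

```python
"""Dated, checksummed website backups with your own retention policy.

Added example, not code from the article or from any hosting provider.
Paths, stamps and the retention count are placeholders for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir: Path, backup_dir: Path, stamp: str | None = None) -> Path:
    """Archive site_dir as backup_dir/site-<stamp>.tar.gz plus a .sha256 sidecar.

    The stamp is zero-padded YYYYMMDD-HHMMSS, so sorting file names sorts
    backups chronologically (prune_backups relies on that).
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    archive.with_name(archive.name + ".sha256").write_text(sha256_of(archive))
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive still matches the hash recorded at backup time."""
    sidecar = archive.with_name(archive.name + ".sha256")
    if not sidecar.exists():
        return False
    return hmac.compare_digest(sha256_of(archive), sidecar.read_text().strip())


def prune_backups(backup_dir: Path, keep: int) -> list[Path]:
    """Delete all but the newest `keep` archives; return the survivors, newest first."""
    archives = sorted(backup_dir.glob("site-*.tar.gz"), reverse=True)
    for old in archives[keep:]:
        old.unlink()
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
    return archives[:keep]


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract a verified archive into dest; refuse tampered archives and
    entries that would escape dest (absolute paths or '..' components)."""
    if not verify_backup(archive):
        raise ValueError(f"{archive.name} failed checksum verification")
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        for member in members:
            if Path(member.name).is_absolute() or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(dest, members=members)
    return dest / "site"


def demo(keep: int = 2) -> dict:
    """Run the whole cycle on a constructed site inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "www"
        site.mkdir()
        (site / "index.html").write_text("<h1>Hello</h1>")  # constructed content
        (site / "contact.php").write_text("<?php echo 'hi'; ?>")

        # Three nightly backups; only the newest `keep` survive pruning.
        stamps = ["20080601-020000", "20080602-020000", "20080603-020000"]
        archives = [make_backup(site, root / "backups", s) for s in stamps]
        kept = prune_backups(root / "backups", keep)

        restored = restore_backup(kept[0], root / "restore")
        intact = (restored / "index.html").read_text() == (site / "index.html").read_text()

        # Corrupt the oldest surviving archive: restore must now refuse it.
        with kept[-1].open("ab") as fh:
            fh.write(b"\0")
        try:
            restore_backup(kept[-1], root / "restore2")
            tampered_refused = False
        except ValueError:
            tampered_refused = True

        return {
            "kept": [a.name for a in kept],
            "oldest_deleted": not archives[0].exists(),
            "restore_intact": intact,
            "tampered_refused": tampered_refused,
        }


if __name__ == "__main__":
    print(demo())
```

Run it nightly from a machine that is not the web host, with `keep` set to a month or more, and copy the archives off-site; the checksum sidecar is what tells you, at restore time, that the copy you are about to trust is the one you made.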

The Hard Facts
Monte Robertson of Software Security Solutions cautions, "Risky online behavior is more likely to happen at small companies." He cites the finding of a Trend Micro study that surveyed 1,600 internet users in corporations across the U.S., UK, Germany and Japan. The study found that high-risk activities, such as visiting non-work-related websites, shopping online, poking around in social networking communities, downloading various types of files and checking personal e-mail were all more apt to occur within small businesses.

A sizable 32 percent of small business employees in the UK admitted to downloading executable files (to install software for instant messaging or gaming). At the least, an untrusted executable can carry a virus or trojan or enlist the machine in denial-of-service attacks. Far worse, it can lead to identity and data theft and leave gaping security holes open for further compromise.

Sadly, judging by the amount of stolen data for sale in the underground markets that phishing feeds, only a small portion of security breaches ever gets reported. That is a large part of why 44 states have passed laws requiring businesses to tell their customers when their personal information has been compromised. In the remaining six states, disclosure is still a choice.

Tighter Credit Card Security
Woe be unto you if your company accepts credit cards online. As of June 30, 2008, Requirement 6.6 of the Payment Card Industry Data Security Standard (PCI DSS) requires every web merchant either to put a web application firewall in front of its public-facing web applications or to have those applications' code reviewed or assessed for vulnerabilities (the PCI Security Standards Council has published an information supplement, as a PDF, explaining the requirement). Having these security measures in place had been the recommended practice for the past 18 months; now it is mandatory.

Needless to say, this deadline will pass many companies by. However, the penalty for noncompliance isn't clear. Penalty information isn't contained in the informational PDF about the requirement or anywhere within three clicks of the council's home page, and searching the site for the word "penalty" returns zero matching results. The reason is that the council does not set penalties at all: fines are levied by the card brands and passed down through a merchant's acquiring bank, so the terms live in the merchant agreement, not in the standard. To add to the confusion, because there's no formal certification for the people who perform the code review, no one's sure who's qualified to conduct one.

This has the feel of the early Sarbanes-Oxley compliance debacle after the bill setting new standards for corporate accountability was signed into law in July 2002.





The Mess Behind the Mess
The main source of web security challenges stems from small businesses being . . .  well . . . small. Many small companies don't have internal IT departments to counsel them on the do's and don'ts of web security. This explains why spam, phishing and spyware activities are most often reported within smaller companies.

Additionally, smaller firms are used as target practice by up-and-coming hackers and phishers who want to earn their stripes.

Ryan Barnett, director of application security for Breach Security and member of the Web Application Security Consortium (WASC), notes several causes:

  1. The volume of business done over the web will continue to grow exponentially over the next few decades, and the nature of security attacks will reflect this increase.

  2. To remain competitive, companies rush to launch new online services and applications, and the results are flawed web applications with serious security holes.

  3. Criminals have upped the ante with their targeting capabilities. They now use automated scanners to find flaws they can exploit in websites, requiring businesses to consistently re-evaluate their applications and implement new methods to stop these vicious attacks.

What You Can Do
1.  Hire ethical hackers. There are reputable "white hat" hacking firms that will test your company's security measures and tell you how to fix them. It might seem counterintuitive to pay someone to attempt to break through your security barriers, but it's better to have someone you know trying to get in rather than someone you don't.

2.  Use different passwords based on security needs. John Smart, founding partner and technical director of Internet Design, says, "If your password is the same across the board, it is possible for unscrupulous people to access your e-mail, files and sensitive financial data with that one password." He suggests using different passwords based on the sensitivity of the data they're protecting. For example, a server access password might be 27 characters, an e-mail password 12 characters and your book club password only four digits, with each password essentially having its own "security level."

Sidebar Fun Fact: There are 6,634,204,312,890,625 (that is, 95^8) possible eight-character passwords drawn from the 95 printable characters on a standard keyboard, assuming each character is chosen at random. Passwords built from words, names and dates occupy a far smaller space, and that smaller space is what password-guessing tools try first.
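The arithmetic behind that fun fact, extended to the three password tiers described above, as an added example that is not from the article or from Internet Design. It estimates key space, entropy and worst-case guessing time for each tier under two assumed attacker speeds (a throttled online login form at 10 guesses per second and an offline attack on a leaked password hash at ten billion per second; both rates are assumptions, not measurements), and its last function makes the reuse point concrete by listing which accounts a single stolen password would open. The sample account list is constructed.

```python
"""Password key-space estimates and the cost of password reuse.

Added example; not code from the article.  The two guess rates are
assumptions chosen to illustrate the online and offline attack settings.
"""
from __future__ import annotations

import math

# Alphabet sizes: the 95 printable ASCII characters, and digits only.
PRINTABLE = 95
DIGITS = 10

# Assumed attacker speeds, in guesses per second.
ONLINE_THROTTLED = 10          # a login form that rate-limits attempts
OFFLINE_GPU = 10_000_000_000   # cracking a leaked hash offline


def keyspace(length: int, alphabet: int = PRINTABLE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = PRINTABLE) -> float:
    """Bits of entropy if every character is chosen uniformly at random."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int, rate: float) -> float:
    """Worst-case time to try the whole key space at `rate` guesses/second.
    An attacker expects success after about half of this."""
    return keyspace(length, alphabet) / rate


def human_time(seconds: float) -> str:
    """Render a duration at the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def tier_report(tiers: dict[str, tuple[int, int]]) -> dict[str, dict[str, str]]:
    """For each tier (length, alphabet size), give entropy and the time to
    exhaust the key space at the two assumed attacker speeds."""
    report: dict[str, dict[str, str]] = {}
    for name, (length, alphabet) in tiers.items():
        report[name] = {
            "bits": f"{entropy_bits(length, alphabet):.1f}",
            "online": human_time(seconds_to_exhaust(length, alphabet, ONLINE_THROTTLED)),
            "offline": human_time(seconds_to_exhaust(length, alphabet, OFFLINE_GPU)),
        }
    return report


def reuse_blast_radius(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts by password.  Every group with more than one member is
    what an attacker gains from one leaked credential."""
    groups: dict[str, list[str]] = {}
    for account, password in accounts.items():
        groups.setdefault(password, []).append(account)
    return {pw: sorted(names) for pw, names in groups.items() if len(names) > 1}


# The three tiers from the article: 27-character server password,
# 12-character e-mail password, four-digit book club password.
ARTICLE_TIERS = {
    "server": (27, PRINTABLE),
    "e-mail": (12, PRINTABLE),
    "book club": (4, DIGITS),
}

# Constructed sample of one person's accounts (not real credentials).
SAMPLE_ACCOUNTS = {
    "server": "k7!Qz#Vp2@Lm9&Rw4$Tx8^Yb1*Nd",
    "e-mail": "correct-horse-2008",
    "bank": "correct-horse-2008",
    "book club": "1234",
}


if __name__ == "__main__":
    print("95^8 =", keyspace(8))
    for tier, row in tier_report(ARTICLE_TIERS).items():
        print(f"{tier:10s} {row['bits']:>6s} bits  online: {row['online']:>14s}"
              f"  offline: {row['offline']}")
    print("reused:", reuse_blast_radius(SAMPLE_ACCOUNTS))
```

Two things the numbers show that the fun fact alone does not: the four-digit book club password falls to a throttled online attack in well under an hour, and the eight-character password behind the fun fact is exhausted in about a week once an attacker holds the hash and can guess offline. The blast-radius check is the point of the quote above in code form: with the sample list, the bank and e-mail accounts share one password, so the weaker of the two sites sets the security of both.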

3.  Create an "acceptable use" policy. This is an employee policy that outlines what constitutes acceptable use of company property; it also spells out actions that will be taken if the rules are broken.

"This increases productivity, reduces legal liability and protects the company's information," says Tom Wozniak, CTO of Managed Systems.

4.  Maintain security at home. With the increase of telecommuters and people who work from home full-time, home network security is a must. IT security firm Fiberlink Communications recommends treating an at-home network (whether wired or wireless) as you would a public network and advises password protecting your at-home wireless connection. In practice that means turning on WPA2 encryption with a strong passphrase; the older WEP option can be broken in minutes with freely available tools.

5.  Double (and triple) down. The fact is, different security tools suit different purposes. Even security market leaders may not offer the best set of tools for your company's needs. That's why every business needs layers of security.

Reality Isn't Just for TV
The grim reality is that smaller firms may not rake in as much revenue as some of the bigger firms and can't garner the interest of top talent; yet they are forced to contend with as much--or more--of the hacking onslaught as their larger counterparts do, with less money to devote to training and infrastructure.

The threat is no longer just a "geek in the basement" releasing viruses to inflict damage; hacking and phishing have gone mainstream as a multimillion-dollar business. It's up to small firms to keep digital pirates from sinking the ship.


Lena L. West is the CEO of xynoMedia Technology, a company that helps growing companies profit from the power of social media and the internet. She also writes the Tech Forward blog.




