DECEMBER 11, 2006

Small Biz
By Jeffrey Gangemi

Cybercriminals Target Small Biz


Instead of going after large companies, hackers are now targeting small businesses, whose systems are often more vulnerable than those of the big guys


Even though Craig Brown was hired to be financial controller at Menlo Park (Calif.)-based Summer Hill, a 45-employee home-furnishings company, his boss figured computer-savvy Brown could lend an occasional hand with information technology. However, since the company had set up little-to-no protection against viruses, spam, and other Internet nasties, IT soon took over the bulk of Brown's days.

And when the company's network started to slow to a crawl, Brown was constantly being pulled away from number-crunching to address the problem. It turned out that a trojan, or virus-like bug that can cause a host of different problems, had infiltrated the company's 12-computer network and was sending spam to other systems (see BusinessWeek.com, 5/29/06, "Meet the Hackers").

Summer Hill is far from alone. Many small businesses are more vulnerable to cybercrime than they think, according to the 2005 Small Business Information Security Readiness Study of 1,000 small businesses with anywhere from 1 to 100 employees. The study was jointly sponsored by the Small Business Technology Institute, a nonprofit group based in San Jose created to foster adoption of information technology by small businesses, and software giant Symantec (SYMC).

The report reveals that many small businesses fail to understand the damage that can be caused by information security incidents, aren't educated about cyberthreats, and fail to adequately invest in security. The Institute has a smaller study planned for 2007 but says the 2005 research is still indicative of the proportions and trends affecting small-business owners today.

Looking for Easy Marks

According to the study, approximately 70% of small businesses consider information security a high priority, and more than 80% have confidence in their existing protective measures. But 56% of small businesses experienced one or more security incidents in the past 12 months before completing the survey, and many still weren't taking the appropriate steps to prevent them in the future. Almost one-fifth of the small businesses surveyed didn't use virus scanning for e-mail, and more than 60% didn't protect their wireless networks with even the simplest encryption.

Gone are the days when big business was the prime target of amateur hackers and professional cybercriminals. The security advances made by larger firms have deterred many of them, says Howard Schmidt, president and CEO of R&H Security Consulting and former White House cybersecurity adviser. Seeking an easier target, troublemakers are now attacking small businesses, which are often inadequately protected against cybercrime, Schmidt explains. That's because small firms have less time, resources, and experience to devote to the issue.

The requisite protection for all businesses, large or small, includes anti-virus software, a firewall, anti-spyware software, and anti-phishing software on all computer systems, and it shouldn't be an afterthought, says Schmidt. "When someone submits a business plan for financing to a bank or the SBA [Small Business Administration] or something, the business plan should not just be about their customer base, product ideas, and marketing strategy. It's also important that they have an Internet security plan in place," he says.

Good Security Isn't Cheap

For companies with an e-commerce platform, that means getting the highest level of security out of each transaction and protecting customers' personal information. The easiest way to guarantee that customer data won't be stolen: Enlist the payment services of Verisign (VRSN) or PayPal (EBAY), says John Jack, CEO of Fortify Software, a small Palo Alto (Calif.)-based computer security company. "For the nominal amount that some of these technologies cost, the potential savings is almost a no-brainer," Jack says.

But security doesn't always come cheap. That's why Schmidt encourages firms that can't afford the security software suites offered by companies like McAfee (MFE) and Symantec to instead create their own patchwork of security applications and to get a vulnerability assessment from a reputable source (generally a large security firm) to identify and shore up any exposed part of their system. For vulnerability assessments, Schmidt says it's possible to run one for free on the Symantec or McAfee Web site. For the best protection, though, he recommends contracting with a small company that does real-time or near real-time vulnerability assessments.

Though the price of security applications often varies according to the number of users, Schmidt says that, as a general rule, companies should be willing to spend about $200 per year per employee for a solid level of protection.

Turnkey Security Solutions

Startup tech companies have begun developing suites of applications geared specifically to keeping small businesses safe in cyberspace. San Mateo (Calif.)-based Untangle, previously named Metavize, is one such company. Its networking security and antivirus software is free for small companies with 10 employees or fewer, $75 a month for outfits with between 11 and 30 employees, and $195 a month for those with more than 30 employees. Once installed, individual applications, such as one that blocks specific URLs, can be easily added, and companies can cherry-pick applications that they need.

Summer Hill has been investing $85 a month for a beta version of Untangle's software to fix its network slowdown problem and get ongoing online security services, and is pleased with the results. The company hooked up with Untangle through a referral. "We use technology, but we don't have high-tech experts working here. What we needed was a good, all-encompassing solution that we don't need to think about," says Brown.

TrustELI, a Mount Laurel (N.J.)-based firm that claims to offer the benefits of an IT staff in one affordable system, is chaired by former cybersecurity czar Schmidt. For a one-time fee of about $200 and an estimated $10 monthly management fee, a business with up to five computers can install the system, which includes a cable or DSL modem with a four-port router and a wireless modem. The router, managed via TrustELI's command center, provides antivirus, anti-spyware, spamware, anti-phishing, content filtering, and a virtual private network. "Appliances at big companies have their [secure] gateways to protect against a lot of this stuff. [The TrustELI product] is made for small businesses, and it…blocks all the harmful stuff from coming in to begin with," says Schmidt.

"When you have a 20-person company that is really good at making chocolate wafers for holiday distribution and knows little about computer systems," says Schmidt, it should be able to dedicate the majority of its time to its core competency—not to thinking about security all the time.


McGraw-Hill Cos.
Copyright 2000-2008 by The McGraw-Hill Companies Inc.
All rights reserved.