Monday May 12, 2008

smSmallBiz.com - SmartMoney's Small Business Site


Starting Up: Adding a Layer of Security

April 14, 2008

Keeping intruders out of the network isn't just a big company's headache. Small businesses that swipe customers' credit cards but have limited resources to beef up security are increasingly becoming the subject of hacker attacks.

Nearly one-third of businesses with fewer than 500 employees experienced some kind of security incident in 2006, according to the Computer Security Institute's most recent computer crime survey. Overall, businesses in the U.S. suffered an average annual loss of $350,424 last year, up significantly from $168,000 in 2006. And according to Robert Richardson, CSI's director, these reported losses typically underestimate the actual number of attacks.

"Small businesses are more and more becoming targets, as larger businesses build out more adequate business security structures," says Adam Hils, a principal analyst for small-business security at Gartner, a research firm in Stamford, Conn. Many big businesses, for instance, are installing expensive intrusion-prevention systems (or IPS), which inspect network traffic that gets past a company's firewall and block viruses, spyware and other unwelcome arrivals.

An IPS, which can be attached to a company's network as a hardware appliance or installed as software on a personal computer, can help a company comply with regulatory measures, too. For instance, the Payment Card Industry's Data Security Standards, which are security rules imposed by credit-card companies Visa and MasterCard, require any business housing credit-card information to use, at the very least, intrusion-detection systems (or IDS). These systems, which are the precursor to IPS, simply detect bad traffic but don't block it as an IPS does.

Many small businesses simply don't have deep enough pockets to install IPS systems, which can cost up to $250,000, plus an annual 20% maintenance fee. A number of alternatives, however, are available.

Building Your Defense

Not sure your small-business network is secure? Nelly Yusupova, the chief technical officer for Webgrrls International, a tech-centric networking group, offers some best network security practices.

Use firewalls. For businesses that don't deal with highly sensitive information such as customer credit-card data, a simple firewall, which acts as a wall between your computer and the Internet, will do. "If you have a small network, you can get away with just a software firewall," says Yusupova. However, larger networks should install a hardware firewall as well. "A hardware firewall is more secure and allows a single point monitoring of your whole network," she says.

Set up strong passwords. Require employees to use strong passwords, which typically include numbers, special characters, uppercase and lowercase letters. "The more characters you put in, the harder it will be to break your password," she says. Also, set passwords to expire once every one to three months, she suggests.
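The password advice above can be turned into a policy check that an administrator or an onboarding script can run. The following is an added example, not code from the article or from Webgrrls International; the minimum length of 12 characters and the 90-day maximum age are assumptions chosen to match the "more characters" and "one to three months" advice, since the article gives no exact figures.

```python
import string
from datetime import date, timedelta

# Policy parameters (assumed values; the article names no specific length,
# and "one to three months" is taken here as a 90-day ceiling).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90


def password_problems(password: str) -> list:
    """Return the policy rules a password violates; an empty list means it passes.

    Checks the classes the article lists: length, numbers, special characters,
    uppercase and lowercase letters.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def password_expired(last_changed_iso: str, today_iso: str,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password was last changed more than max_age_days ago.

    Dates are ISO strings (YYYY-MM-DD) so the check is easy to drive from a
    user directory export or a CSV.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample accounts: (username, candidate password, last change date)
    sample_accounts = [
        ("alice", "Tr0ub4dor&3xample", "2008-03-01"),
        ("bob", "NoDigitsHere!!!", "2008-01-01"),
        ("carol", "short", "2008-04-01"),
    ]
    for user, pw, changed in sample_accounts:
        issues = password_problems(pw)
        expired = password_expired(changed, "2008-04-14")
        print(f"{user}: {'OK' if not issues else ', '.join(issues)}"
              f"{'; password expired' if expired else ''}")
```

The function reports every violated rule rather than stopping at the first one, which makes it useful both as a pre-check when a user picks a password and as an audit over an existing account list.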

Update often. It's not good enough to just have a firewall or a more advanced security system: You also have to update it, says Yusupova. Be sure that your server, operating system and applications are equipped with the latest security patches. These measures will, she says, "close the security holes that can be exploited by hackers."

Tie up loose ends. If there are empty cubicles around the office, turn off open Internet connections that aren't in use. Additionally, configure your firewall to block certain applications. For instance, some business owners don't want their employees downloading large memory-eroding programs or games.

Restrict access. If you offer a wireless connection at the office, make sure only the people you choose can gain access to your network. Use encryption and set up specific network access points. Otherwise, intruders can tap into your network and lift sensitive information. If you need to offer remote access, Yusupova suggests enlisting a virtual private network, which offers an encrypted connection to two or more computers.

The UTM Package

Small enterprises can add an extra layer of defense by opting for unified-threat-management (UTM) systems, which typically house a number of security features including firewalls, IDS, low-end IPS and anti-virus protection.

"A UTM is a package that lets [small businesses] solve a lot of problems at one time," says Charles Kolodgy, research director at IDC, a market-intelligence firm in Framingham, Mass. Using such a device not only reduces the amount of hardware sitting in a business's network, but also the time spent managing and replacing disparate security measures.

The technology can still be pricey, but business owners can pick and choose which features to include. "You can buy a UTM box for a couple hundred dollars," Kolodgy says. And then from there, you can add email and web-filtering along with an anti-spam program at about $200 a pop per year. Keep in mind, you also need to pay a subscription fee for a UTM, which can run up to $500 a year, Kolodgy says.

Web-Based Options

Some companies such as McAfee and Symantec provide web-based "Security as a Service" products for small businesses. Like hardware UTMs, this spin on "Software as a Service" — that is, software that runs solely on the web — offers a layered defense that can include features such as anti-virus, anti-spyware, a desktop firewall and IPS.

These web-based services are a particularly attractive option for businesses that run all of their applications off the Internet, says Hils from Gartner. If a company uses a mix of desktop and web-based applications, however, the security offered by a web-based UTM may not suffice. For example, he says, for a device to be effective it needs to be able to weed through all the traffic that enters a network. If varying applications are being used, there's no way to control what comes and goes.

With web-based options, "small companies have the advantage of paying a per user cost," says Hils. Symantec's "Endpoint Protection" product, for example, costs $80 for each computer needing protection in networks with five to 24 connections. To make this service appealing to medium-sized businesses, the cost decreases as connections increase.

A Case Study

Last August, Wyndham Capital Mortgage, an 80-employee mortgage lender in Charlotte, N.C., purchased its hardware UTM device from Calyptix Security, also based in Charlotte. A single device that's good for up to 100 users costs $3,699, plus a $1,699 subscription fee for the second year. For one equipped for up to 10 users, the cost is $999, with a fee of $449 in the second year, according to Ben Yarborough, Calyptix's chief executive officer.

The lender's head of information technology, Matt Lehnen, says he pushed for such a device because "I was looking for increased security and manageability." Before purchasing the UTM, Wyndham was using multiple pieces of hardware for various tasks such as email filtering. He thought: "Why are we paying $2,000 to $3,000 [a year] for something that only scans email? Why don't we get something that has everything?"

Despite posing potential cost and management savings, having just one device still required a fair amount of fine-tuning, says Lehnen. For example, after he switched on the UTM's blocking capabilities, "the next day nobody's BlackBerry worked," he says. The device, which blocks unusual activities, thought the company's network was being attacked. Lehnen needed to configure the device so that legitimate traffic from certain email addresses and domain names would be "whitelisted" or protected.
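The whitelisting step Lehnen describes comes down to deciding, per message, whether the sender is on an allowlist of addresses or domains before the device's blocking logic applies. The block below is an added illustration of that decision, not Calyptix's or Wyndham's configuration; the allowlist entries and sender addresses are constructed, using reserved example domains. It handles the cases that usually trip up a hand-written rule: case differences, subdomains of an allowed domain, and look-alike domains that merely start or end with an allowed name.

```python
# Constructed allowlist for the example: individual addresses that are always
# let through, and whole domains (including their subdomains).
ALLOWED_ADDRESSES = {"support@vendor.example"}
ALLOWED_DOMAINS = {"example.com"}


def normalize_address(address: str) -> tuple:
    """Split 'User@Mail.Example.COM' into ('user', 'mail.example.com').

    Raises ValueError for anything that is not local@domain, so callers can
    treat malformed senders as not whitelisted rather than crash.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a valid address: {address!r}")
    return local.lower(), domain.lower().rstrip(".")


def domain_allowed(domain: str, allowed_domains) -> bool:
    """True if domain equals an allowed domain or is a subdomain of one.

    'mail.example.com' matches 'example.com'; 'notexample.com' and
    'example.com.evil.test' do not.
    """
    domain = domain.lower().rstrip(".")
    for allowed in allowed_domains:
        allowed = allowed.lower().rstrip(".")
        if domain == allowed or domain.endswith("." + allowed):
            return True
    return False


def is_whitelisted(sender: str, allowed_addresses=ALLOWED_ADDRESSES,
                   allowed_domains=ALLOWED_DOMAINS) -> bool:
    """Decide whether traffic from this sender bypasses the blocking rules."""
    try:
        local, domain = normalize_address(sender)
    except ValueError:
        return False
    if f"{local}@{domain}" in {a.lower() for a in allowed_addresses}:
        return True
    return domain_allowed(domain, allowed_domains)


def filter_senders(senders) -> list:
    """Return the subset of senders that the allowlist lets through."""
    return [s for s in senders if is_whitelisted(s)]


if __name__ == "__main__":
    # Constructed sample of senders seen by the device.
    seen = [
        "Alice@Mail.Example.COM",      # subdomain of an allowed domain
        "bob@notexample.com",          # look-alike, must not match
        "Support@Vendor.Example",      # explicitly allowed address
        "x@example.com.evil.test",     # allowed name embedded in a hostile one
        "garbage",                     # malformed
    ]
    for s in seen:
        print(f"{s:30} -> {'allow' if is_whitelisted(s) else 'subject to blocking'}")
```

Matching on the trailing ".example.com" rather than a plain substring is what keeps look-alike domains out of the allowlist; an allowlist that is too loose quietly turns the blocking feature back off.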

Calling In Help

As the Wyndham case illustrates, customization takes time, not to mention trial and error. And if you are using UTMs or IPS devices, "you need to configure them and keep them up to date," says Kolodgy from IDC.

Companies that don't have the resources to hire an internal IT staff might consider bringing in a security consultant or hiring an IT management firm. "If you have experts observing your network and managing devices, you have an extra level of confidence," says Hils. Plus, "If attacks aren't detected [or blocked] they can address them."

That's why Stephen M. Horner, owner of the firm Economic Consulting in Corpus Christi, Texas, has been relying on a technology consultant for nearly 20 years. At $75 an hour, says Horner, that's pretty cheap. After all, he says, "I'm an economist, not an IT specialist. If you're a professional in a field other than IT there's just no way to keep up."


("Starting Up," a weekly column written by Diana Ransom for smSmallBiz.com, follows entrepreneurs through the early stages of launching a business. Write to her at dransom@smartmoney.com.)