Malevolent hackers. Psychotic e-mailers. Vengeful ex-employees. What do these folks have in common? Your computers. Day and night they’re relentlessly probing your defenses, looking for trade secrets, customer credit card numbers or simply the adrenaline rush of wiping out a loaded hard drive. It may be only a matter of time before they pay dirt.
Doing business in the Internet age is a little like Frodo Baggins’ Lord of the Rings journey to Mount Doom — moments of triumph interspersed with sudden vicious attacks from out the blue. In 2001, a hacker penetrated Conshohocken, Pennsylvania’s Webcertificate.com and demanded a cash payment to keep him from exposing the personal information of 350,000 customers. Early this year a massive assault by a virus-like worm called Mydoom took down the Web servers of SCO Group, a software company in Lindon, Utah. Danger lurks in every Web interaction.
“Malware,” a new-fangled term for viruses, worms, Trojan horses and other electronic microbes, cost companies $55 billion last year, according to Trend Micro, a developer of antivirus software. Data theft and targeted denial-of-service attacks are even more expensive. The problem has become so bad that Bill Gates recently advised Microsoft customers that “security is as big and important a challenge as any our industry has ever tackled” and pledged to make it the company’s top priority.
Don’t take comfort in the fact that your business isn’t an obvious target like the Pentagon or American Express. Viruses are equal-opportunity assassins. Cyber-predators look for easy prey, and small-to-midsize companies often fit that bill.
The good news — yes, there is some! — is that you can protect your data without spending a small fortune. Inexpensive antivirus software from Trend Micro, Symantec, Network Associates, Panda and more than dozen other companies zap bugs on sight. Firewalls built into Microsoft’s Windows XP and Apple’s OS X deter hack attacks by making your company’s computers invisible on the Web. Third-party firewall programs from Tiny Software, Zone Labs, BlackIce and other vendors go even further, keeping virus-like Trojan horse programs from surreptitiously sending your confidential data through hidden back doors.
Hardware firewalls, often built into network routers made by Cisco, Asante, Linksys, SMC and other vendors, add yet another layer of protection. Many also let you create encrypted “virtual private networks” on the Internet, securely linking field offices and telecommuters. Companies with especially sensitive data and deep pockets can install ultra-sensitive intrusion detection systems that continuously sniff inbound and outbound traffic for signs of trouble, such as unusual server activity at 2 a.m.
But technology alone won’t do it. You also need a smart game plan. Most experts say a truly effective defense strategy needs to address these issues:
Software configuration. Make sure antivirus programs are on every machine, no exceptions, and that they are set to scan every downloaded file and incoming and outgoing email. They should also thoroughly inspect hard disks on a daily or weekly schedule. Adjust each computer’s firewall to the highest level possible without impeding the ability of the user to function productively. Password protect those settings to prevent intentional or unintentional changes.
Software updates. Let antivirus software install the latest virus definitions as soon as they become available. Promptly apply operating system security patches to eliminate newly-discovered vulnerabilities. Windows XP can do so automatically. Be on the lookout for upcoming “service packs” for Windows XP and Windows Server 2003, which will include a number of security enhancements.
File access. Protect your company’s intellectual property and other sensitive data by restricting access to certain files. If you are running Windows XP Professional and Microsoft Small Business Server 2003, use built-in controls to set individual user permissions.
Back ups. Make copies of all files nightly to minimize damage if a hard drive is trashed by a virus or malfunction. A RAID system that simultaneously writes data to two disks provides continuous protection against drive crashes, but a virus that destroys one drive will probably get the other, too. Put important stuff onto a removable medium, such as a tape or rewritable CD or DVD where a virus can’t get it, and store it off premise so it’s protected from theft or fire.
Laptop protection. Require users to take special precautions, such as using a startup password and encrypting data so a thief can’t access the information. Avoid sending highly sensitive materials over public Wi-Fi networks, where it may be easily intercepted, and subject each machine to a virus scan before it is reconnected to the company network.
Education. Teach employees Internet security procedures, stressing the potential threats to company and their livelihood. Make it clear what kinds of Web sites are to be avoided and instruct them to delete unexpected (and possibly virus-infested) email attachments without opening them.
There are no guarantees here. But a well-conceived strategy, backed up by good technology and common sense can make you an intimidating target, and feel a little bit safer.