San Diego Business Journal

Is Your Business Safe From Computer Hackers?
Five Steps for Keeping Unwanted 'Visitors' at Bay

BY WILLIAM RAY
Special to the Business Journal

Many businesses think they have an invisible cloak of invincibility when it comes to computer security. But saying, "It won't happen to me" is simply not enough.

Harm to your office systems and data can be a fatal blow aimed at the heart of your company, affecting your daily operations and your credibility with customers and the public. It is not just large companies that need protection against security breaches; every business needs a strategy for keeping hackers at bay.

Even if you think you're safe enough, consider these recent survey results. Hacker attacks were up 28 percent during the first half of 2002, which averaged out to 32 attacks per company each week.

Even more troubling was the finding that most companies were not even aware that they had been hacked.

While the Internet has undoubtedly revolutionized business, it has also added vulnerabilities all its own. Eighty-five percent of companies now report security breaches, and 64 percent report financial losses due to these attacks, amounting to $120 million annually.

- Five Steps You Need To Protect Your Business

Know the internal and external risks you face and turn them into a security policy. You cannot protect yourself unless you have thought about what internal and external threats you face and how serious they are. There is no one-size-fits-all list of risks. Every business has individual vulnerabilities and priorities.

External threats become more important as your network extends to suppliers, customers and partners. This automatically means network security must be given high priority. External threats include unauthorized users such as hackers, saboteurs and thieves, as well as network users who leave their computers poorly protected, providing opportunities for unauthorized users.

A major internal risk most companies are not aware of is mismanaged identities from employees who have left the organization, but who are still able to access the network. Typically, 20 percent of user accounts belong to employees who haven't worked for the organization for five years or longer.

Your security policy should also include risks associated with equipment malfunctions and natural disasters such as fires, floods and accidental damage.

- Get help to find hidden weak points. Sometimes, searching for the weak spots can be like looking for a needle in a haystack. Not all the risks you face will be obvious, especially if you do not have a full-time information technology expert in-house. One way to identify risks is by having an independent third party conduct an audit of your security systems to find vulnerabilities before you purchase protective hardware or software.

Many security management products on the market today offer a holistic, "dashboard-style" view of entire systems. The ability to view the entire system dashboard-style allows administrators to identify and correlate specific security vulnerabilities and then take proper action to resolve them.

- Make fixed assets physically secure.

Your building's alarm system will put off thieves from outside, but that does not stop anyone inside from opening a machine and stealing memory or a processor.

One option is to buy an inexpensive security kit that consists of a hacksaw-proof cable and padlock, which will prevent a computer from being opened or physically removed. In addition, consider security tags, which will help police to track down the property's legal owner in the event of recovery.

Put your most valuable material, such as servers and archived data, in an access-controlled room rather than leaving it distributed around your premises.

- Computer viruses, like human ones, affect everybody.

The "Melissa," "Bill Clinton" and "I Love You" viruses have caused tens of millions of dollars in damage in the last few years. Like most security threats, they hit smaller companies as much as large ones.

Protecting against threats is not as simple as deploying a software package and forgetting all about it.

Making sure you don't lose data to a virus means constant reviews, patches and vulnerability signature updates. This will do no more than improve the odds of staying ahead of virus authors, who are perfecting their craft as fast as virus protection specialists can develop solutions.

Your best protection comes down to policy and procedure as much as technology. Employees must have rigorous instructions concerning receipt of suspicious e-mails and what to do in the event of infection. Furthermore, there are tools available that help define and enforce security and privacy policies so organizations can ensure consistency across all aspects of their businesses.

- Don't Make It Easy For Hackers

A little common sense goes a long way. Many hackers target big companies for "ethical" reasons. But they are not averse to creating a bit of chaos anywhere they can. And they probably know more about your computers than you do.

The FBI lists the following as the most common mistakes companies and their employees make that leave their data vulnerable:

- Default installation of operating systems and applications.

- Weak passwords; about 40 percent of us use the word "password."

- Incomplete backup of data.

- Unneeded ports left open.

- Data packets not filtered for correct incoming and outgoing addresses.

There are precautions you can take to increase your security, especially from internal threats.

- Use password management software to help employees choose strong passwords.

- Have password expiration dates.

- Create stronger authentication by combining passwords with biometrics.

While you cannot protect against everything, you can at least be prepared. These security steps will help to protect your business the next time hackers come knocking at your door.

Ray is IBM San Diego's senior location executive and software executive.