In this age of information, there are very few businesses that don’t rely heavily on computers and the Internet to function. With a few clicks of a mouse, customers can browse inventory and purchase a product without stepping inside a store. Documents are scanned and emailed instead of printed and faxed. Even meetings are held by video conferencing instead of in actual conference rooms. However, the speed and convenience of the Internet has a dark side—it has provided criminals with an easier way to steal.
Instead of picking pockets, cyberthieves infect the computers of unsuspecting Internet users with malware that scans their files for information that can be used for monetary gain. Credit card numbers and bank account numbers are obvious enticements, but so are Social Security numbers and medical insurance numbers. The cyberthieves are very clever with their stolen information. Small, occasional charges can be made that don’t arouse suspicion with the cardholder. Social Security numbers can be used to establish fake identities and a growing area of theft is medical identity. “If I can get your personal information and group policy info, I can go to a doctor and pretend I’m you and get health care on your policy,” explains Steven Vicinanza, founder and CEO of BlueWave Computing in Smyrna. “People are going in for surgery with these things.”
Any company that accepts credit card payments over the Internet is at high risk for attack, but so are medical offices, investment firms, insurance agencies or any other business that stores valuable personal information of clients. Even if a company doesn’t store sensitive client information, viruses can crash hard drives resulting in irrevocable data loss. “Remediation can be very time consuming and very expensive,” says Vicinanza. “We’ve seen companies that got hit with a virus internally and had days of downtime for the whole company. So, the expense is not just paying for the service, but loss of productivity and lost business.”
As large companies invest in the protection of their information assets, small and medium businesses (SMBs) become easy prey for hackers because they usually have weaker defenses. “A small company that is connected to the Internet has the same risk profile as Coca-Cola,” says Herbert Mattord, Ph.D., assistant professor of information security and assurance at Kennesaw State University (KSU). “The problem is they have almost the same risk as a bigger company but without the resources to defend themselves.”
Establishing an effective defense against cyberthieves is not an easy thing to do because they constantly create new ways to infiltrate the systems. Compounding the problem is the steady influx of new technology supporting Internet access. It is becoming common in the workplace for businesses to adopt a bring your own device (BYOD) model that allows employees to access the company network with personal devices, which can further compromise security measures. “A hacker can basically invade you on your laptop, desktop, tablet and phone. You’re vulnerable in a larger variety of ways than ever before,” says Chad Massaker, CEO of Carceron in Vinings. “The biggest trend is the amount of people getting infected on their phones.”
Between the advances in technology and the creativity of hackers, information security has become an advanced field of study. What used to be a quick download of an anti-viral program is now a career. KSU offers a bachelor’s degree in information security and assurance in the Coles College of Business. “The program arose because we saw the need for securing information in computers in an organization,” says Amy Woszczynski, interim dean of the department of information systems at KSU. “Our students are very much in demand because they have the technical competency and they understand what they need to do to protect an organization’s most valuable asset—its information.”
Brandon Milligan, academic dean at Lincoln College of Technology, has also seen changes in curriculum as schools struggle to stay current. “I’ve been teaching at Lincoln for 13 years and I’ve seen our IT program go through nine or 10 revisions since the program has been in existence. Ten years ago, security was maybe a chapter in a book. Now it’s a course in and of itself.”
For many small business owners, sending an email or downloading an app to a tablet is the extent of their technical knowledge. They might not understand terms like malware, phishing, worms and bots, much less how to protect against them. Here are five local experts with five recommendations for basic IT protection:
Have a Firewall
According to pcmag.com, a firewall is used to give users secure access to the Internet as well as separate a company’s public web server from its internal network. It is the first line of defense against Internet predators. “We believe in layers of defense so first is the firewall. Next is making sure that simple things like the PCs behind the firewall are patched with the latest Microsoft and application patches,” says Terry Lebo, chief technology officer at ProviDyn in Vinings.
Spam Filters and Anti-Virus Software
“The problem with spam isn’t the spam itself. It just sucks up your bandwidth that could be used for other things, which is bad enough. But the problem is a measurable quantity of spam comes with malware attached to it,” explains Mattord. “An employee opens up one of these emails and all of a sudden, malware is running on your company computer. The really scary ones lie there and watch everything that goes on in your computer. If they see something that looks like a bank account number or credit card number, they forward it out disguised as regular network traffic off to a server somewhere in the Ukraine or Russia.”
It is vital that all computers on the office network are loaded with current anti-virus software, even Macs. The key is to keep the programs up-to-date with the latest versions. New viruses are always coming out and anti-virus software companies work hard to keep up, but it won’t do any good if the subscription has expired or the latest versions are not being downloaded.
Reduce Employee Risk
“So many people are worried about external threats like viruses, but they don’t spend nearly enough focusing on their internal threats, basically their employees,” says Massaker. “We’re always shocked at the owner’s underestimation of the ability of an employee to hamstring their business.” Whether through careless acts such as clicking on infected emails to purposeful sabotage through deleting critical files, employees have the ability to impact the company’s information resources simply by having access. Training employees on safe practices is essential, as is limiting access and establishing audit trails.
It is also wise to control the use of non-essential websites and applications, and not just for productivity reasons. Games and peer-to-peer sites are usually web-based and use a lot of the available bandwidth, slowing computer function. They can also spread malware. Massaker cautions, “Social media is probably the second biggest point of exposure. Do not accept friend requests from people you don’t know.”
This might seem obvious, but the reality is that most people choose easy passwords so they can remember them and they tend to use the same password for all of their accounts, making it easy for hackers to break in. “The password is the key to the user getting access to the resources. Complexity policies are the big thing. Now some passwords have to have an uppercase letter, a character and a number thrown in,” says Milligan. “And you want the users to change those passwords on a frequent basis.”
Another mistake some businesses make is to install Wi-Fi in their facility and allow their customers to use it. They give their customers the login information without realizing that their whole network is open. “Get your network locked down so you can perform your daily activities but you’re not open to attack from the outside,” suggests Lebo.
“One of the most important things is to do a security audit because that will tell you what things are missing, where are the gaping holes,” Vicinanza says. “We haven’t found one example of a company that didn’t have any issues.”
Typically, these audits are done by a professional IT company that specializes in security issues. In some industries, security audits are becoming a requirement for doing business, especially in relation to health care and some government contracts. For instance, any company that has access to patients’ medical information has to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and those companies are required to have certain security protocols in place. If there is a security breach, HIPAA requires the company to notify everyone whose file was compromised. According to Vicinanza, the cost of notification can be as much as $130 to $150 per person. “Security audits are cost effective especially when compared to the potential liability if data is lost,” he points out.
Securing the company’s network and protecting its data should be given the same attention and investment that the physical space is given. If your office is broken into and your computers are stolen, your insurance company will replace them. But how do you restore your business reputation with customers after a major data spill? If your company relies on the Internet, then information security should be considered another basic cost of doing business.