Howard Schmidt, former White House cybersecurity adviser (he served as vice-chair of the President's Critical Infrastructure Protection Board for 15 months, from 2002 to 2003) and current president and CEO of R&H Security Consulting, which works in both the public and private sectors, knows computer security inside and out.
He started working in the industry before it was big, as a city police officer in 1983, and spearheaded cybersecurity innovations in both the public and private sectors, most notably at the Air Force Office of Special Investigations, where he established the first dedicated computer forensic lab in the government. Schmidt also served as chief security officer for Microsoft (MSFT) from 1997 to 2002, and was vice-president, chief information security officer, and chief security strategist for eBay (EBAY) from 2003 to 2005.
Schmidt says that while small businesses have been slow to catch up to the security advances made by their larger counterparts, new technology allows them to employ the same level of protection affordably. Further, he says that now is the time to do it, since criminals are increasingly targeting small businesses with viruses, spamming, bot networks (where computers are co-opted and used to send spam or take over other systems), and identity theft (see BusinessWeek.com, 7/17/06, "The Plot to Hijack Your Computer").
Schmidt spoke recently with BusinessWeek.com reporter Jeffrey Gangemi about the security threats small businesses face, and how they can better protect themselves. Edited excerpts of their conversation follow.
Your security background has centered on big business and government. Why have you turned your attention to small business?
As we have been getting better as large enterprises at achieving better protection, hiring better staff, requiring certification of employees for security functions, and moving security functions into the executive ranks, there's this feeling that we're doing O.K. there. That's why I've been focusing on small and medium-sized businesses—because they're the ones that have a lot more issues to deal with.
How do security concerns for small business differ from big business?
It's a matter of resources, first and foremost. Large enterprises can have an IT security staff of 20 to 40 people. They have an IT department that keeps things up and running 24-7. Small and medium-sized businesses just don't have that luxury. Small companies have to comply with just as many regulations [as big businesses], and they're strapped for time.
There's also a misconception that criminals are just looking to go after the big guys. In fact, criminals are increasingly going after smaller companies for the exact reason that they often don't have the same level of protection as the bigger ones. From my perspective, the big focus should be on prevention and reporting. If you can prevent a crime, there's less hassle for everyone.
The other thing about small and medium-sized businesses is that they have a branding issue unlike the big guys. It's quite conceivable that, if a small company has trouble with cybercrime and loses people's information or something, then a customer would choose to go elsewhere—to a big brand or chain or something—because they might not trust the small company. It's difficult for the small guy to recover the brand when something bad has happened.
What are the main types of cybercrime and the main issues that small businesses face?
To be successful online, a company's computer system must be available 24 hours a day, seven days a week. The biggest threats to that are the viruses, worms, and problems that actually cause companies to have to go offline because their system isn't working.
A collateral piece of that is what's called bot networks. If a company doesn't keep up with security patches, doesn't run antivirus [programs], and becomes the victim of a virus or a worm, then their system can be remotely controlled by bad guys and used to attack other systems.
Criminals will establish a network of sometimes as many as 50,000 computers that they use to attack other systems. They often will use unsuspecting computer systems to distribute spam.
Criminals can not only use the company's co-opted computer to attack other systems, but co-opting it also generally gives them full access to anything that takes place on that system. For example, when they take over control of a system, or "bot it," they often will install things like keystroke loggers to capture your passwords when you go to do online banking.
And when an employee is entering customer data, the bad guys can grab that as well. A customer becomes a victim, and the company loses the data. So that's a double loss right there.
Does a user know their computer has been co-opted, and how would they prevent such an attack?
Never. They don't know unless someone calls them and asks why the user is attacking the caller's system. They have to get antivirus protection, a firewall, antispyware software, and antiphishing software. And they should also protect the servers where they keep company records and stuff like that.
How much would it cost roughly for a 20-person company to get the base level of security?
Somewhere in the area of $200 per year per person to protect against the basic level of threats.
What are the most basic steps that all small companies can take to protect themselves, regardless of resources?
The first thing companies can do is understand that they have to have a plan relating to security as part of their business plan. When someone submits a business plan for financing to a bank or the SBA or another entity, part of it should discuss their Internet security plan.
The software-based solutions that are out there—Symantec, McAfee, and others—have integrated security suites that are designed so that you don't have to install 15 different programs. That's one of the things that makes it affordable.
Also, you must have a training plan. If a company has a policy that allows employees to pick up personal e-mail on the corporate system, they need to use the same safeguards on their personal account as they would on their work account.
For instance, everyone should know that you can't open and click on unexpected attachments. Don't click through links on Web sites that come through personal or corporate e-mail. Don't register the company e-mail address with Web sites.
Is there inexpensive training for inexperienced IT people?
Often big companies like Microsoft and Oracle (ORCL) hold training sessions for their customers or potential customers. We've also seen local chambers of commerce holding training sessions, and law enforcement will sometimes hold seminars on how consumers and businesses can protect themselves from identity theft, as well as how to protect their computer systems.
How does a company perform a vulnerability assessment, especially if they have a patchwork of security systems in place?
Most of the Web sites, like Symantec and McAfee, allow users to log in and do an assessment of their computer system. The sites perform a general vulnerability assessment and will tell you not only where you might have things configured improperly but also where things are outdated.
Also, companies like Google (GOOG) and Microsoft can provide online software that will perform a vulnerability assessment of your system as often as you want, send you a report, and tell you how to fix those things. Large companies have been doing this for years, and it's just becoming affordable for small and medium-size businesses as well.
What else should small businesses focus on?
It's important for small businesses and their employees to focus on passwords. People need to use strong, or complex, passwords, particularly when credit-card numbers are involved. Another important thing for small businesses is to back files up. Hard drives and DVDs are just so cheap these days.
Even consumers can spend less than $100 and back up everything they've got. Small businesses should do the same thing, so they can recover and come back up in a relatively short period of time (see BusinessWeek.com, 10/24/06, "Podcast: Backing Up Your Data"). Also, be sure to set up your Web browser properly. Every browser has instructions in plain English for how to set up and secure the system.
Jeffrey Gangemi is a freelance writer based in Mendoza, Argentina.