Small Business
Cybercrime can kill venture
March 10, 2000: 11:21 a.m. ET

Small businesses can be destroyed by hackers; but security measures can help
By Staff Writer Hope Hamashige
graphic graphic
NEW YORK (CNNfn) - June Neptune had to sell her family-owned Internet service business last year, forcing 100 of her workers to the unemployment line. The reason: a computer hacker in Germany.
    While use of the Internet grows, so do cybercrimes, which are on the rise each year. The most recent survey conducted by the Computer Security Institute at Carnegie Mellon University revealed that system penetration by outsiders grew by 30 percent in 1999. Unauthorized access by insiders rose too, by 55 percent last year.
    Even the biggest Internet companies with the most sophisticated technology are vulnerable to hackers, a trend highlighted last month when hackers stopped traffic on several popular Internet sites including Yahoo! (YHOO: Research, Estimates) and (AMZN: Research, Estimates).
    Small businesses, while less visible than the eBays (EBAY: Research, Estimates) of the world, are no less vulnerable to cybercrime. But unlike big business, small businesses have a harder time of surviving cybercrime, especially if the hacker gets hold of some company secrets or critical information.
How hackers destroyed one company

    In Neptune's case, the attacker broke in through a customer service terminal that had not been shut off. Once she became aware of the attack, she tried to discover the hacker and end the tampering by creating additional firewalls around the site.
    Eventually, Secret Service agents were able to put a name to her tormenter. The hacker turned out to be a German student who received a 14-month probation sentence for electronic break-ins and later attempting to extort Neptune.
    The hacking did stop, but the ordeal proved to be too much for her little company. She invested $500,000 to bolster security and pay overtime to employees who had helped improve the system. In the end, she had to tell her clients that an intruder had seen their credit card information and that they should check their statements for unauthorized charges. Once that got out, it was the beginning of the end.
    "It completely stopped our expansion," she said. "Until then we were signing up about 600 new customers a month."
Make security a priority

    To protect your site from cybercrime, the first thing you need to do is to change the way you think about the security of their computer systems. Scott Charney, a partner in PricewaterhouseCoopers' investigations division, said security is an afterthought for most small businesses when they buy computers.
    "They need to budget for security," he said. "Small-business owners have to view it as a necessary part of their electronic equipment purchases."
    He also said that small-business owners must have their systems assessed regularly, not just once.
    "There are some threats you pay for once, but computers aren't like that. You secure them the first time and then they are upgraded and you start over. Every time the technology changes you are vulnerable to new problems."
    Charney suggested that small businesses that do not have an in-house information technology department should consider getting help from the outside. The cost will vary greatly depending on the size of the system, but the good news for small businesses is that the smaller the system, the smaller the cost.
    Roger Farnsworth, manager of security products for Cisco Systems (CSCO: Research, Estimates), recently shared this list of simple solutions for small businesses to improve the security of their computer systems.
  • Require employees to choose strong passwords (Use more than three letters and use a combination of letters and numbers).
  • Require new passwords every 90 days.
  • Make sure your virus protection subscription is current.
  • Educate employees about attachments to e-mails.
  • Install a total solution software package.
  • Assess your security regularly.
  • Remove employees' network access immediately when they leave the company.
  • If you allow people to work at home, provide a secure, centrally managed server for remote traffic.
  • Update your Web service software regularly.
  • Don't run any unnecessary network services.

    Charney added that the most effective way to ensure security is often the simplest. He suggests employers must repeatedly tell employees never to give away their passwords.
    One of the most common ways hackers get into systems, he said, is to deceive employees into thinking they work for the company's information technology department and ask for their password. Most of the time they get the information they want, he said.
    While there is never any way to protect a system completely, it is best to take as many protective measures as you can.
    "You can minimize the risk but you are not going to get risk down to zero," Charney said. "It's like life. You can walk in well-lighted areas, but you might still get mugged." Back to top

  RELATED STORIES CEO sees no defense against attack - Feb. 10, 2000

ZDNet latest hacked site - Feb. 9, 2000

eBay,, Amazon, sites hit - Feb. 8, 2000


Cisco Systems Inc.

Carnegie Mellon University


Note: Pages will open in a new browser window
External sites are not endorsed by CNNmoney