In the Out Door
"Shock." That's what Arthur Aveling, president of King Arthur's Tools, which makes woodworking power tools, felt when he saw that his business Web site had been defaced. In June, a hacker hit KATools.com and scrawled the message "HACKED by aLph4Num3Ric" across the top of the home page. Aveling, 54, was alerted to the problem by a customer, contacted his hosting service, and discovered that a password had been compromised.
"I'm fortunate in that they didn't do much damage," says the Tallahassee, Florida, entrepreneur. "The dislocation was only temporary. We never lost any orders. We never lost any business." KATools.com was back to normal with a new, more complex password in place within 48 hours. Aveling's site was just one of hundreds that were hacked that week, according to SafeMode.org, a site that tracks and archives Web site defacements.
Don't you dare outsource until you get the right answers to all your security questions.
1 "Ask what kinds of products [outsourcers] use. Ask them how many security people they have. Ask how many of those are Certified Information Systems Security Professionals. [Their] managers need to have that piece of paper."
2 "There is no silver bullet with security. It's a process that includes everybody in your infrastructure and every tool in every system. Everything with security goes back to a policy. Have a good security policy." -Julie Lucas, Enterasys Network
3 "Ask what measures the outsourcer has taken to protect your system. It's important [to get] some sort of third-party assurance that [the outsourcer] has been audited and that there is adequate security in place." -George Kurtz, Foundstone
Like many entrepreneurs, Aveling feels there's little he can do about his Web site's security when his hosting provider seems like such a distant entity. "My attitude is that if it's working OK, I'll leave it alone," he says. But the incident has him taking a closer look at how he can ensure security when his business outsources.
The Computer Security Institute's (CSI) "2001 Computer Crime and Security Survey" shows that 85 percent of respondents had detected a security breach within the previous year. While most of those responding to the survey were large companies and government agencies, those statistics don't bode well for growing businesses, either.
Letting another company handle your computer, network or Web hosting duties can save a lot of in-house headaches. But "out of sight, out of mind" and "outsourcing" don't go together. Julie Lucas, information assurance director at network hardware and services provider Enterasys Network, cautions, "There's always added risk whenever you outsource anything [involving] computers. Companies need to do a certain amount of due diligence before they trust another organization to oversee their infrastructure." Any outsourced function, from employee payrolls to Web site design, can be a point of vulnerability.
One of the fastest-growing threats is damage caused by Internet attacks. Datamonitor reports that e-security breaches cause more than $15 billion in worldwide damages annually. Hacking and cracking don't just happen to other businesses. George Kurtz, CEO of managed security service provider Foundstone in Irvine, California, says, "The threat is real. I make the analogy to a drive-by shooting on the information highway. Just being at the wrong place at the wrong time [can put you at risk]."
In the CSI survey, 70 percent of respondents cited their Internet connection as a frequent point of attack. Most entrepreneurs know to ask their outsourcer about a firewall, but Kurtz warns, "A firewall nowadays is nothing more than a speed bump in breaking into some of these systems." Some outsourcers offer security services at an added price, but you have to ask for them, and pay for them.
The stereotypical teenage hacker plugging away at home is only one small part of the security equation. Insiders have traditionally been a great source of threats. "When you outsource, you're increasing the number of insiders who have access to your system," says Lucas. That includes current employees and ex-employees as well as the outsourcer's staff. Security breaches can result from the actions of disgruntled ex-employees who still have password access or from unintentional worker errors.
Compromised proprietary data or customer information can spell doom for a growing business. Client confidence is an issue, but Lucas also sees the potential for legal entanglements. Civil lawsuits are an extreme, but foreseeable, next step. For example, if your system is used as a stepping stone to break into another company's system, you could be sued for not taking proper security measures.
Looking toward a future full of undersecured wireless systems and increasingly complex network operations, security will continue to be a major issue. As hacking tools become more sophisticated and more widely available, the security measures you use, and those your outsourcers use, must continue evolving to keep up. "I don't want to paint a gloom-and-doom picture," says Kurtz, "but it keeps getting worse every day."
- Computer Security Institute
(415) 947-6370, www.gocsi.com
- Datamonitor
(212) 686-7400, www.datamonitor.com
- Foundstone
(877) 91-FOUND, www.foundstone.com
- King Arthur's Tools
(800) 942-1300, www.katools.com