From the April 2004 issue of Entrepreneur

Something is lurking in your inbox. A war driver is sniffing around your Wi-Fi. That e-mail attachment has bad intentions. Your passwords may be compromised. Hackers are salivating over your Web site. Sometimes, it feels like your business is under a constant security siege. Well, it's time to stop worrying and start getting savvy about network security. Knowledge and preparation are the only things standing between you and lost data, lost productivity and lost money. If you've been wondering about biometrics, are curious about the effectiveness of firewalls, or have concerns about employee espionage, then read on to see what experts and other entrepreneurs are doing about these and other issues. After all, when it comes to network security, prevention is more than half the battle. -A.C.K.

Putting the Heat on Spam

Spam isn't just annoying-it also costs your business money. It may be hard to quantify in dollars, but all that time you and your employees spend picking out the e-mail chaff from the e-mail wheat adds up to lost productivity and lost cash. Market and technology research firm Ferris Research Inc. estimates that spam cost American corporations more than $10 billion last year.

President and founder Paul Hodara's company, NetWave Technologies Inc. , has been providing Web services to businesses for years. Demand from customers led the New York City-based company to offer an anti-spam solution that essentially allows companies with their own e-mail servers to outsource spam fighting to NetWave.

Hodara's advice for dealing with spam starts in a very nontech place. "I like to look at policies before looking at software. I like to have employees set up procedures internally within their organization," he says. He suggests that a written policy include items like not responding to spam e-mails, not clicking on opt-out links, and not posting your e-mail address on Web sites where it can be harvested. Make sure your employees are educated and that your anti-spam policy is companywide and well enforced.

With new anti-spam solutions popping up seemingly every week, Hodara has one piece of advice for entrepreneurs searching for the right fit: "Do your research." He recommends trying out downloadable evaluation copies and reading up on reviews and user feedback online. Home offices and businesses with just a few e-mail users can benefit from over-the-counter software like McAfee SpamKiller or Symantec's Norton AntiSpam .

Moving up in size to businesses with their own e-mail servers, you either have to implement a solution on your server, like Trend Micro's InterScan VirusWall , or outsource to a company like NetWave. Outsourcing means not having to maintain the software yourself, a boon for entrepreneurs without an in-house IT staff. Whether you're one person or you have 100 employees, now is the time to take back your e-mail and take back your time and productivity. As the research shows, spam is only going to get worse. -A.C.K.

Spy Games

Employee espionage: It sounds like something out of a spy movie, and you can almost imagine an employee dangling from ropes and sliding under laser beams. The reality isn't as breathtaking, but it's still dangerous for your business. It can manifest in stolen customer lists, proprietary information or software; in business check fraud; or in siphoning money from the books.

The first point to understand is that any business can be at risk. It's not just obviously disgruntled employees who become problems, but also employees who are facing financial difficulties or thinking about starting rival companies. Detective Michael Terrell with the Omaha Police Department in Omaha, Nebraska, has investigated a variety of white-collar crimes and cybercrimes. "We always ask, 'Did you do a background check or a criminal history check?' If you don't do a background check, you don't know who you're getting," says Terrell. In Omaha, for example, a county check is available for $7 through the police department, while a statewide check costs just $10. A small investment upfront can save you from a big loss later.

Protecting your business from employee espionage starts with drafting a policy and putting it into effect. In both your employee handbook and contracts for contract employees, be sure to include language stipulating that all work produced belongs to the company and not to the worker. "If you're going to put [employees] in a sensitive position where they're going to handle client databases or money, there should be a buddy system," Terrell recommends. "One person shouldn't have access to everything." On a computer level, scrupulous backups of your server and use of passwords can help protect your data.

Educating yourself about the dangers of employee espionage, what to look for and how to prepare your business is key. Says Terrell, "Get with your local law enforcement if you do nothing else." Most police departments are available to share information or give presentations. Take advantage of that. -A.C.K.

Bug Control

With Internet onslaughts such as last year's SQL Slammer and Blaster, "The threats have changed," says Vincent Weafer, senior director of Symantec's Security Response group in Cupertino, California. You can be attacked directly over the Internet or by e-mail, rogue Web sites, IM, wireless access point, peer-to-peer packages, shared file folders or probably something else tomorrow. Says Weafer, "If you have a system that's exposed, it can be automatically scanned and attacked within 15 to 20 minutes."

Increasingly, small firms are targets for such attacks. That's not because hackers are more interested in your customers per se, but because they "want to compromise your box so they can use it to attack someone else," Weafer explains. What you need, he says, is "defense in depth." That means using a suite of tools to protect both individual PCs and shared network resources, such as an Internet gateway or a messaging server. Weafer also emphasizes the need to regularly update antivirus software, which the latest packages make easy.

Additionally, you must take special care with laptops and other remote PCs. Weafer points out, "You have situations where 90 percent of machines are well protected, and then you bring in a laptop and infect the whole network."

Antivirus makers have taken steps to respond more quickly and predictably to major crises, notes David Perry, global director of education in the Cupertino, California, office of Trend Micro, a security software and services firm. However, antivirus software doesn't do the whole job. You also need a properly configured firewall, regularly implemented security patches for Windows or other critical software, passwords that are enforced, and a company security policy that everyone understands.

Other software tools that are trickling down from larger enterprises could also prove highly desirable. Content-filtering tools not only block spam and access to inappropriate Web sites, but also check for key information coming in or going out-making sure that credit card information doesn't go out over e-mail, for instance. Intrusion detection alerts you when someone is trying to break in or if a program is logging keystrokes, for example.

Additionally, you should scan your system for vulnerabilities. There are a host of automated tools for this job. You can try some for free (such as Qualys), since the vendors know that security is not a one-shot deal. Alternatively, you may want to bring in a security specialist, especially if you're expanding or making major changes in your network. -E.B.

The Great Wall

In the mind-bogglingly complex world of Internet security, a firewall's role seems straightforward: It's software and/or hardware that sits between your computers and the Internet, keeping the nasty stuff out. But firewalls come in many guises, playing a more complex role as threats broaden and integrating with antivirus and other defensive tools.

The firewall bundled with Windows XP is a simple example, blocking inbound access but not addressing other threats such as e-mail viruses or desktop programs that access the Net in ways you don't want.

Stand-alone software products offer much more. For instance, Zone Labs' free ZoneAlarm allows only the programs you've approved to access the Internet and offers very basic e-mail threat prevention. At the high end, ZoneAlarm Pro also locks up personal information and key files on the PC, does content filtering against e-mail viruses and other plagues, and offers many other handy protections. Similarly, antivirus vendors may bundle firewall services with their full-featured suites, such as Symantec's Client Service Small Business Edition and Trend Micro's InterScan VirusWall for Small and Medium Business.

Of course, you can also buy hardware firewalls, which many believe provide better security, especially for network deployment. The trend here is to combine a firewall with "every security service you can think of and plunk it into a single box," says Mark Bouchard, a senior program director at META Group Inc., an IT research and consulting firm with headquarters in Stamford, Connecticut. Growing businesses appreciate the convenience of this approach-you just plug the hardware into the network, do some configuration and you're ready to go. Among the many appliance vendors are Check Point Software Technologies, Cisco Systems, SonicWall and WatchGuard Technologies.

Regardless of which approach companies decide to take, firewalls must be correctly configured, open only for the services that are needed. (Curiously enough, some vendors leave everything open by default!)

Additionally, running personal firewalls on each PC, and not just remote PCs or notebooks, may improve your protection against attacks such as Blaster, which slipped through many main external firewalls. Says Bouchard, "Companies could go a long way to securing their environments by putting personal firewalls on all their PCs." -E.B.

Hacked!

Hackers know where your public Web site lives. And it can be a mighty juicy target, particularly if it's running an e-commerce operation or is hooked into other critical databases.

That means you need to be extremely rigorous about enforcing standard security practices for your Web server. You start by following the laundry list of security recommendations for the software, carefully managing how those operating the site get access to it (simple password protection won't do) and taking other steps, such as turning off services you aren't using. E-commerce operations demand special attention to keep all transactions encrypted and the database secure.

Eric Ogren, senior analyst with communications research and consulting firm The Yankee Group, in Boston, suggests two more defensive weapons for your Web site security arsenal: First, protect the Web site applications by putting security software and/or hardware in front of the Web server that understands what kind of application traffic is appropriate. There's a fast-evolving collection of products for this, from vendors such as KaVaDo, NetContinuum and Sanctum.

Secondly, Ogren recommends installing a network integrity system from vendors such as Arbor Networks and Top Layer Networks. These systems can be seen as successors to intrusion-detection systems, which have been more focused on giving alarms than on dealing with them. Network integrity systems take a more active role in dealing with attacks.

As with any Internet-connected network, you should be sure to scan your site setup for security glitches. In addition to general software tools for network security, Web site security vendors such as KaVaDo and Sanctum offer specialized packages for this.

But for growing businesses, these specialized tools raise a problem: They typically target enterprise operations and are not necessarily cheap or easy to install and run. This suggests that, to get the best protection for your site, you should outsource security to a company already outfitted with a suitable infrastructure. (You may already be doing so if you rent Web and database servers from a host or outsource your entire site and e-commerce operation; there are many other reasons why renting such services can be cost-effective.)

If you choose to go the outsource route, be sure to grill your supplier in detail about its security practices, backup and disaster-recovery expectations. Alternatively, if you choose to do it all on your own, it may well be worth the cost to hire a security consultant. -E.B.

Air Raid

In the world of Internet security, experts say, one of the greatest astonishments is the number of Wi-Fi networks completely open to the world.

"You've got to know something about Wi-Fi to protect yourself," says David Perry, global director of education at Trend Micro. "Turning on network security would be a good start," he adds drily.

"People know of the risk that someone in the company parking lot can nail you through your Wi-Fi network, but you've also got to think about the risks when you travel," says Frederick Felman, marketing vice president at San Francisco-based Zone Labs, a provider of Internet security solutions.

Example: "I recently stayed in a hotel and left my computer on overnight," Felman says. "While I slept, my computer went out on a visit to meet its friends all around the world. In the morning, I counted 75 discrete individuals trying 275 different ways to get into my PC." (His company's ZoneAlarm Pro package stopped them all, he says.)

So-called Wi-Fi "war driving"-wandering around and tapping into wireless networks-has evolved into a well-established practice with user-friendly software, notes Perry. While many war drivers are just looking for free Internet access, some have darker designs.

Experts suggest taking the following steps to protect your company:

1. Set up WEP properly. While Wi-Fi's basic WEP encryption is very far from perfect, setting it up properly on the wireless access point and on each PC cuts your risk. Wi-Fi security is evolving quickly; the latest version of Windows XP supports a WPA (Wi-Fi Protected Access) standard that is much improved.

2. Guard your overall network against improper Wi-Fi access. Hook the wireless access point to an appropriate security gateway rather than directly to the network, and make sure individual PCs are properly protected. Consider third-party software, devices and/or services specialized for wireless security.

3. On the road, use VPN software when connecting your laptop to your office network. In fact, it's a good idea to do this from any remote location-whether or not you are wireless.

As handheld computers get more powerful and as the variety of Wi-Fi connections grows, it's more and more important to keep an eye on the potential threats. Zone Lab parent Check Point Software Technologies already offers the VPN-1 SecureClient product for Pocket PCs. -E.B.

To Tell the Truth

"If you receive an e-mail from one of your friends about a virus, it is almost always a hoax," says Perry. "If you're asked to send it to a friend, it is 100 percent a hoax. We have never found an e-mail chain letter, ever, that was anything real at all."

Of course, there are some chain letters that do pose real trouble. Some carry worms or viruses. Others aim to grab your passwords or credit information by posing as messages from companies such as eBay. "Those are especially nasty; they strike people at all levels of sophistication," comments Frederick Felman at Zone Labs.

Other malignant messages can include a link that sends you to a rogue site-one that may look like, say, eBay but be something quite different.

Then there are the get-rich-quick schemes such as "Help me store my gold," notes Vincent Weafer at Symantec Security Response group. "Hoaxes will always be there."

While content-filtering technology can tackle much of this infected spam, "education is a big part of the response," Weafer says. "The human aspect is often the weakest link. Anything that seems too good to be true is."

Employees who are in doubt about something they receive via e-mail or see on a Web site should check with the go-to person in the company, Weafer notes, or visit valid Web sites such as those run by Microsoft and the security software companies.

"No matter how sophisticated your technology barriers are, the human element can be absolutely critical," says security expert W. David Stephenson of Stephenson Strategies, a security consulting firm in Medfield, Massachusetts. That means not only keeping employees informed, but also empowering them to make the right decisions, he emphasizes.

"While you must continuously keep on top of security advances, at the same time, you must understand that everyone in the company may be the last line of defense," Stephenson advises. "Don't just tell them what the rules are; explain them."

And make sure that everyone gets it. The Human Firewall Counciloffers advice and resources that can help you make sure all employees have gotten the word. -E.B.

When Words Fail

Passwords are a pain-and they often foul up their jobs.

We pick passwords that are easily guessed. We use the same passwords over and over again-in places where they are absolutely critical and in other places where we don't even bother to guard them. We share passwords inappropriately, forget them, blast them out via e-mail for all the world to see, or even set up our computers to ignore them altogether.

Make no mistake about it, that's a huge problem when people all over the world are constantly-and quietly-trying to waltz into your computers to grab control of customer information or the computers themselves.

And that huge problem is driving the spread of biometric security measures, based on individual physical characteristics that are distinctive and reliably quantifiable. The main techniques include fingerprint, hand, iris and face scanning. Fingerprint scanning is the leading approach, accounting for about half of the $1.5 billion market, according to biometric consulting and services firm International Biometric Group. Leading player AuthenTec shipped its millionth fingerprint scanner last year.

Biometric devices can be directly integrated into computer hardware. For instance, MPC Computers builds fingerprint scanners into its TransPort notebook line, which the company says sells briskly to small and midsize businesses. And unlike the case with smart cards (any plastic card with an embedded microchip where data can be stored), you can't lose or leave behind your means of access.

As slick as these devices are, however, they add cost and potential inconvenience, and some techniques (such as iris scanning) may make users uneasy. Also, it's often possible to fool the devices, experts say. Finally, according to Eric Ogren at The Yankee Group, due to accuracy and expense issues, biometrics is still not for everyone at this point.

"We do believe there is a need for better identification, and the technologies are getting better each year," says Mark Bouchard at META Group. "But we continue to see some pretty dramatic shortcomings. You have to balance keeping the right people in and the wrong people out. We're seeing a 2 to 3 percent error rate, which is pretty high."

According to Bouchard, "Overall, we're skeptical on biometrics but [are] keeping an eye out." -E.B.

Playing It Safe

What can you do to protect your e-commerce site from fraud?

Forget about the dotcom bust-e-commerce is actually looking pretty healthy these days. Entrepreneurs who are either starting their own e-commerce projects or looking to add e-commerce capabilities to an existing site will have to deal with accepting credit cards. But online shoppers are warier than ever about security, and business owners should be, too. In 2002, 45 percent of fraud complaints made to the FTC were Internet related. Online auctions are the most notorious source of fraud, but credit and debit card fraud take up their share.

When Justin Souter, co-founder of personal Web-publishing service InkNoise Inc., set up an e-commerce solution, he made sure it was secure. "It was pretty straightforward. The hardest part is to understand what all the pieces are and how they interrelate," he says. Some entrepreneurs will choose to let someone else handle their credit card transactions. Services like Yahoo! Stores do the work for you. Just be sure your provider is reputable and has secure credit card technologies built in.

Souter, 40, wasn't satisfied with the looks and user experiences offered elsewhere, so he decided to tackle e-commerce for his Sherman Oaks, California-based company in-house. Research is the key for entrepreneurs looking for a good services match. InkNoise settled on using online bank National InterBank Banking Centerfor its business account, Charge.com for processing, and GeoTrustfor its Secure Socket Layer (SSL) certificate. That last step is important: SSL is what encrypts and secures the sensitive data sent from your customers to you.

For Souter, who's also a founder of Web site development and content management company Art+ Logic Interactive, setting up InkNoise for secure e-commerce wasn't a major deal. But for less IT-savvy entrepreneurs, he recommends bringing in someone who's familiar with coding and setting up servers to handle the task. -A.C.K.

Performing Triage

Protecting companies against hackers and other security threats is big business for entrepreneurs like this one.

Conqwest Inc.'s technical expertise is tested on an almost daily basis. A specialist in fighting viruses and spam, the firm distributes computer security alerts to more than 2,000 subscribers. Conqwest founder and CEO Michelle Drolet, 42, thrives on the busy pace at the Holliston, Massachusetts, firm. When interviewed in late January 2004, she was busy assessing how her clients' defenses stood up against MyDoom, then considered the fastest-spreading virus to date.

Conqwest customer Gary L. Lee, director of global IT infrastructure at $2 billion health-care equipment provider PerkinElmer in Wellesley, Massachusetts, says one of Conqwest's key strengths is its proactive approach to security. To wit: Conqwest began testing anti-spam technologies more than two years ago, long before the issue was the headline grabber it is today.

"Michelle really takes a lot of the weight off my shoulders, if you will, by staying more on top of things in the security marketplace than I could," Lee says. "I think [the Conqwest team] actually believes that their first objective is to do right by customers. And that, in fact, does lead to happy customers."

Conqwest, which will have its fifth birthday in its current incarnation this month, is growing at a pace of 35 per-cent year-over-year and maintains 420 to 450 active customers. Drolet won't disclose exact sales figures for the fiscal year ended March 31, 2004, except to say revenue will be between $5 million and $10 million. Conqwest employs 12 full-time staffers and works with another eight to 10 contract engineers. To extend its sales reach, the self-funded firm provides security services for customers of other local IT consultants. Conqwest also donated more than 400 hours last year in security training and other community service.

Drolet suggests that smaller companies with fewer than 20 employees can expect to pay a security consultant $1,500 to $2,000 for an assessment, and another $1,000 to $1,500 for a firewall. It will cost another few hundred dollars per month to keep the firewall updated with the latest antivirus software. "You need to look at everything once a year," Drolet says. "We talk about getting secure; we also talk about staying secure." -H.C.

Safety Net
Every business should make Net security a top priority. Michelle Drolet, founder and CEO of Conqwest Inc., a Holliston, Massachusetts-based firm that fights viruses and spam, offers these tips:

1. Make sure there's top-down support. Installing security technology won't work unless it has the support of your top managers, who can ensure it's a priority throughout the company.

2. Remember it's a continual process. Just because you're safe today doesn't mean you'll be safe tomorrow. It's wise to invest in a schedule of ongoing maintenance and management of security processes.

3. Get references, then take a chance. Because IT security is still relatively new, many companies selling security products aren't yet household names. Make sure to do your due diligence before opting for an unknown, even though these vendors are selling some of the most innovative solutions this year. -H.C.

It's All About Trust

No matter how high-tech the business, success still comes down to great customer service-and that's exactly what to look for if you outsource security.

Network Computing Architects (NCA) Inc. is proof that cul-ture is a potent ingredient in the recipe for success.

Founded in 1992 by Internet whiz Craig Suhadolnik, 46, the 40-person firm has emerged like a phoenix from a December 2001 fire that destroyed its Washington state headquarters, to become a leading West Coast provider of IT security services to small businesses and corporate accounts. NCA's management team credits customers and suppliers with helping them get back on their feet. "It didn't even enter my mind that we weren't going to do it," Suhadolnik says.

So strong are NCA's technical credentials that many local financial services operations and several of the top IT manufacturers it represents-including firewall maker NetScreen Technologies and IP-telephone maker Shoreline Communications-are also its customers. NCA, based in Bellevue, Washington, expects sales of $15 million for the year ending June 30, 2004-approximately 80 percent of which will come from security assessments and installations of firewalls and other intrusion-detection products.

Tom Gobeille, the 45-year-old president and CEO of NCA, says a driving tenet is to ensure employees spend at least 50 percent of their time with existing or prospective customers. "The higher the percent of customer interaction, the higher the percent of success, especially at the right levels," he says. "People forget to spend time with customers, and that is a fundamental flaw with a lot of people's businesses."

NCA usually limits initial contact with prospects to a $1,500 consultation. Consider that it can bill upwards of $250 to $275 per hour for its services, and it's easy to get carried away. "If we think that people don't need what we sell, we will tell them upfront," Gobeille says.

That sort of candor won over Eduard Telders, security manager for Seattle-based PEMCO Mutual Insurance Co., who has been working with NCA for close to four years. His company balanced hiring in-house staff with outside security resources because it was more cost-effective. His team tapped NCA because of its technical depth and can-do mind-set, and he is evaluating how to extend the relationship into other security areas.

"They impressed us with not only their expertise on the subject, but [also] their corporate culture and their attitude," Telders says. "Even in the middle of recovering from the fire, they were able to do incredible stuff." -H.C.

Think Ahead

Before you invest in security technology, Tom Gobeille, president and CEO of IT security firm Network Computing Architects Inc., in Bellevue, Washington, suggests the following:

1. Assess first. Most companies have added to their corporate networks haphazardly and may not know where they're vulnerable. Hire an outside expert to run penetration tests.

2. Don't be afraid to start small. Sometimes, a lower-cost, all-in-one firewall or VPN may be all your company needs to get started.

3. Remember training. Your company could own the most sophisticated security in the world, but it's all for naught if your employees don't understand how to help keep you safe. -H.C.

Cool Tools

Walled in: For offices that need to secure a network with broadband Internet access, the Firebox 700 from WatchGuard Technologiesis an affordable firewall and VPN security appliance. One box provides firewall protection and secure VPN access for remote workers. And the Firebox 700 is geared for easy setup. · Street price: $1,700

Slamming spam...and more: You can get your anti-spam, antivirus, URL blocking, e-mail security and malicious-code defense all in one convenient package with Computer Associates'eTrust Secure Content Manager. Prices start at $55 per user; volume pricing is available. An integrated solution like this one can save your business money over purchasing components individually from separate vendors. · Street price: varies

Box of tricks:Check Point Software Technologies'Safe@ Office, a managed services appliance, takes care of many of your security needs. It's loaded with Network Associates' McAfee VirusScan ASaP online solution. Firewall, VPN and content-filtering features round out the capabilities of this box. Designed for businesses with up to 100 employees, it's geared for ease of use and fast setup. · Street price: varies

Hands down: Biometrics made easy: This USB fingerprint identifier lets you say goodbye to passwords. It's small enough for you to take along in your notebook case and also includes a two-port USB hub. A 3-foot cable allows you to hook it up to desktop PCs as well. A one-year warranty is standard. · Targus'DEFCON Authenticator· Street price: $120

Zone of defense: When you need a firewall for your home office or very small office, Zone Labs'ZoneAlarm Proleads the pack. It offers protection from everything from worms to spyware. ZoneAlarm Pro's ad-blocking and cookie-control features make the Internet a safer place to be. But this software is compatible with PCs only; Mac users will have to look elsewhere. · Street price: $49.95