Not scared of losing your data to a corporate thief? You should be.
Bob McNeal sits down in a cubicle in his Alexandria, Va., office with his morning coffee. He turns on his computer and flips open his notebook to check out the specifics of today's assignment. He clicks a couple of buttons on the screen and runs his usual scripted program, entering in a few numbers from those that are scribbled in his notebook. He types in some commands, following routine instructions from his database of tools. Then he patiently waits for the computer to process his programs and answer his questions -- questions that could be worth thousands of dollars to his client.
Two hours later, McNeal has completed his assignment. He has broken into the computer network of MBA Management Inc., located some 20 miles away in Fairfax, and verified that he can access every computer and every database in the company. And, McNeal tells his boss, he can read the user ID and password of every single employee. Is that enough, he asks, or should he continue?
That's hacking. Sorry to make it seem so banal. But it doesn't take some wild-eyed rocket scientist with a supercomputer and nothing better to do but type ingenious code into the wee hours of the morning to perform it. Most of what hackers do is disarmingly simple. Often they use readily available vulnerability-seeking software programs, which some experts call "point, click, and attack tools." And most of the time hackers are pretty successful -- especially when they target small companies, which typically don't spend either the time or the resources they need to protect themselves. The simplest tricks can do tremendous damage. (Witness the "I Love You" bug that was sent earlier this year in an E-mail attachment.)
Most small companies that are hooked up to the Internet do what James Mugnolo, president of MBA Management, did: assume that their Internet service provider will furnish a secure connection. It took McNeal just one morning to reveal how faulty an assumption that was.
Fortunately for MBA Management, a $5-million executive-search business, Bob McNeal works for the good guys: Para-Protect Services Inc., an E-commerce and network-security company. Mugnolo, who recently moved his company to Chantilly, Va., hired Para-Protect in October 1998 to find the holes in his company's network and recommend ways to stitch them up.
McNeal stopped his penetration test into the MBA Management network after those first two hours. Normally, such a job can take two days. "We stopped when we found we could get into everything," says Chuck Downs, Para-Protect's vice-president and director of operations. "There was no sense in beating that horse to death."
Close call: James Mugnolo's company received a nasty virus that read, "Enclosed is my résumé."
Mugnolo had decided to test his company's security and to spend some money upgrading it after a former employee was suspected of stealing customer data. Like most employers who have such suspicions, Mugnolo doesn't like to discuss the details. Still, he clearly felt betrayed, and worse, the incident scared him. In its database the company keeps information on more than 50,000 workers throughout North America, as well as on an equal number of companies that are looking for employees. "Their whole business is that database," says Downs.
Though Mugnolo didn't hire "white hat" hackers until the company had lost data, other small-business owners are rushing to secure their networks before disaster strikes. In some cases the critical or private nature of the company's data pushes them to it; in other cases companies see security as a differentiator for their product or service. But many have just plain seen the writing on the wall -- or more precisely, in the newspaper headlines, which have blared a stream of reports on security breaches. Though well-publicized stories about computer viruses have lately brought security into the public consciousness, it's often other threats that are more dangerous to a company's profits and reputation. Those can include attacks that shut down Web servers, for instance, or that replace Web sites with obscene or insulting graphics. Hackers can also get in and rummage through a company's files. Sometimes data just disappear -- consider the case earlier this year at the U.S. State Department, where Madeleine Albright ordered a crackdown after a classified laptop vanished, and at Los Alamos National Laboratory, where two hard drives containing classified nuclear-weapons data were missing for more than a month.
Those sorts of events -- from the annoying to the frightening -- are often what it takes to make an entrepreneur recognize the need for computer security, says Terry Gudaitis of information-protection consultant Global Integrity Corp., based in Reston, Va. After all, you don't want your company to be the next one in the headlines.
Certainly, Mugnolo doesn't. And he has thus far been successful. In March, Para -Protect Services ran an unscheduled penetration test of MBA Management's systems, and this time the company passed with flying colors. Since it adopted its new security measures, "we haven't had a single instance of systems penetration," says David Denne, MBA Management's vice-president of marketing. That has left the company free to concentrate on growth: this year's second quarter was its best ever, and the business grew from 35 employees to almost 60 in the first six months of the year.
In perhaps its closest call, the company escaped damage from a virus that was seemingly designed for a headhunting company: code disguised as a E-mail attachment on a résumé. That message, signed "Janet Simons," read: "Attached is my résumé with a list of references contained within. Please feel free to call or E-mail me if you have any further questions regarding my experience. I am looking forward to hearing from you." The attachment, however, carried a virus that could have methodically erased every single drive on MBA Management's network.
Needless to say, that particular virus could have been disastrous for the company, where résumés flow in regularly through the E-mail system. "It probably shut down several of our competitors," says Denne. "Our system immediately scrubbed anything that came in through the firewall, flagged it, and kept it on a server outside the firewall." Like Mugnolo, Denne believes that MBA Management has gained a competitive edge through its stepped-up security. "I find it comforting, and therefore I think my clients find it comforting," Denne says.
