Inadequately protecting sensitive information can invite intruders.
By Alana Semuels, L.A. Times Staff Writer, 05/22/07
COMBING through the guts of the website for the Los Angeles County Community Development Commission, an information technology worker for the agency came across an intruder. Someone with an Internet provider address in Germany had broken in and looked at private information normally accessible only to commission employees.
The worker immediately shut the system down.
"The intruder was poking around and came in through the outside of our network," said Richard Peters, the agency's information technology manager. "They were probably looking for confidential data."
Small organizations often think they are less of a target for hacking than large companies. But small businesses are often targeted by hackers who know that their security procedures might not be as technologically advanced as those of a bigger business with more resources.
"It can happen to anyone who has or collects people's information," said Melanie Bedwell, information officer for the California Office of Privacy Protection. "You don't have to be a major corporation to have issues come up."
After shutting down its website, the commission launched a probe to see what was compromised. It determined that the hacker had not reached confidential information, such as the names, Social Security numbers and dates of birth of 4,800 public-housing residents.
A systems upgrade recommended by a security consultant in 2005, a year before the hacking incident, increased security just enough to foil the intruder, Peters said.
The security update had separated the servers, preventing the hacker from accessing the next level of the network, he said. The agency, which has 650 employees and a tech staff of 30, had learned an important lesson: "The most important thing is to have a security review by an outside auditor," Peters said.
The commission is one of many U.S. organizations whose security has been breached in the last year. Most businesses, however, have not emerged as unscathed as the agency.
Big organizations including Bank of America Corp., UCLA and TJX Cos., the parent of the T.J. Maxx and Marshalls clothing chains, have fallen victim to hackers in recent months, according to the Privacy Rights Clearinghouse. More than 150 million records containing sensitive personal information have been involved in security breaches nationwide since 2005.
Smart security practices are not just important to protect customers' information; they are required by California law, Bedwell said.
The state requires that any business that collects and stores personally identifiable information, which includes a combination of a name and another data set such as a Social Security number, address or driver's license number, put "reasonable" security practices into place, she said. This might include having the latest security software, such as anti-spyware and anti-virus products, and making sure the information is encrypted.
There are several steps companies should take to protect information from outside hackers and unauthorized employees, said Barry Mozian, president of Fountain Valley security company Talon Executive Services Inc.
Business owners should create passwords made up of words not in the dictionary and change them frequently, even if it is a hassle to do so, Mozian said.
They should also install anti-virus and anti-spam software and intrusion detection systems that alert companies to any changes to a network.
Many small businesses skip these steps because they think they won't be targeted, said Ira Winkler, author of the book "Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day" (Wiley, 2005). But information is often stolen in surprising ways — such as an employee or friend who "borrows" a company's client list and uses it to start a business.
Businesses of any size — including a lawn-mowing company that uses a computer sporadically and a healthcare provider that has thousands of private medical records online — can benefit from hiring an outside security consultant.
Vendors such as Santa Clara, Calif.-based McAfee Inc. can help provide security services around the clock to businesses that are too small to have their own technology security staff, said Lillian Wai, McAfee's senior product marketing manager for small businesses.
Even with the latest technology and protection from outside hackers, small businesses often fall victim to hacking from the inside. More than 70% of all acts of malfeasance that affect small businesses can be attributed to an internal problem, Talon's Mozian said. Small-business owners should restrict internal access to important information, he said, and do background checks before hiring any employee.
Carey Boyarsky learned this the hard way. The Modesto resident ran a beverage supply company called Classic Beverage Inc. Overburdened with work, he hired an extra employee who he hoped would one day become a business partner. The man, who used to sell Boyarsky paper products, took control of processing payments.
Boyarsky later suspected that the employee had been issuing checks to himself and his family, allegedly making false computer entries that the money went to a vendor while channeling the funds to his own bank account. Boyarsky was forced to declare bankruptcy and still has not recouped any of the $60,000 allegedly stolen from him.
Boyarsky says he should have paid closer attention to business matters and potential discrepancies between the computer entries and his checkbook.
"I should have personally overlooked things, but I was tired and I wanted some help," he said. "Besides, I trust people."
Good management plays a large role in preventing security breaches, said Stan Stahl, president of Citadel Information Group Inc. and the Los Angeles chapter of the Information Systems Security Assn. Often, company leaders don't know what security steps are needed and ignore system needs.
"Management must be proactive and work to change the culture so that people are aware," he said. This includes outlining procedures so that employees won't damage the system inadvertently. It also includes protecting the network from malicious insiders.
"We didn't use to have to lock our doors at night, and now we have to," Stahl said. "It's the same thing when it comes to protecting our sensitive information."
alana.semuels@latimes.com
Retrieved May 29,2007 from http://www.latimes.com/technology/la-fi-smallbiztech22may22,1,821195.story?coll=la-headlines-technology&ctrack=2&cset=true
