Cure for the Common Virus

Is your computer system safe from hackers? Local businesses crack down on cyber crime.

Over the past few years, local realtor Victor Brandt had read countless articles on how computer viruses had cost American companies billions of dollars. That’s why he made computer security a priority when he decided to open up his own small business, Kahala Realty Associates, eight months ago.

“We have an open work-group station, and we all have access to the Internet, so we worry about computer security tremendously,” Brandt says. “I think it’s highly critical to have that in place before you leave computers on and open to the public or hackers.”

Corporations nationwide spent about $12.3 billion to clean up damage from computer viruses in 2001, reports the Computer Science and Telecommunications Board, a branch of the National Research Council. Two of last year’s most destructive culprits were the Nimda virus and the Goner worm, two mass-mailing entities capable of causing computers serious disruption. Just last Christmas, an international hacker ring released a program that could turn AOL’s Instant Messenger into a key to unlock home computers. The group had discovered a hole in the 100-million-user program that could let a hacker assume control of a victim’s computer.

Unfortunately, many companies won’t invest in a quality computer-security system until they are confronted with one of a heap of potential threats. Any company with Internet-capable computers is vulnerable to external attacks.

“Often what causes people to buy security things is a crisis where they lose something,” says Century Computers President Rick Marine. “We shouldn’t be in a reactive crisis mode, but a lot of people are.”

Thirty percent of local businesses are vulnerable to having their IT (information technology) systems shut down, Marine reported last year in Century’s survey of 50 companies in Hawaii.

Christopher Young, state deputy attorney general, says computer crime is a fairly new area of investigation for Hawaii’s law-enforcement agencies. Last year, a law went into effect that would strengthen civil and criminal penalties for computer offenses.

Antivirus Advocate: William Musson, vice president of the Information System Security Association, Hawaii Chapter, recommends investing in an antivirus progrm.

“The numbers are very hard to track,” Young says. “Most large companies do not report attacks, because it’s detrimental from their perspective. They don’t want the public to know their company is not sound, but the problem is out there. We shouldn’t fool ourselves into thinking there’s not a serious problem.”

Larger entities like banks, insurance agencies, hospitals and utility companies tend to have solid computer-security systems in place, because of their regulation by government agencies. For many small businesses, just struggling to stay afloat in the state’s current economic downturn, computer security takes a backseat, says William Musson, vice president of the Information Systems Security Association, Hawaii Chapter.

“I think the average small-business owner working 18 to 20 hours a day just trying to keep his business going – especially now – doesn’t have the time to research and try to understand the security vulnerabilities that come out,” Musson says.

Kahala Realty Associates has only eight employees, but Brandt has two part-time computer technicians to maintain the company’s server, which contains data on the $40 million to $50 million worth of properties they plan to sell this year.

Steve Gose, information systems security officer at The Queen’s Medical Center, is faced with the task of protecting information on the hospital’s more than 220,000 inpatient and outpatient cases each year. Queen’s has 70 employees in its Information Services Division.

“We do not ever purge patient-related information,” Gose says. “Any business that has an obligation to its customers and/or owners to protect the information stored on computers has a vested interest in ensuring the confidentiality, integrity and availability of that information.”

Local companies often sidestep the issue of computer security, reasoning that such a system would be too costly for their limited budgets, says Duane Takamine, vice president of Secure Technologies, which has around 400 clients. “A lot of times people get scared away because of the cost,” Takamine says. “What people need to be aware of is that the vast majority of precautions you can take have a relatively low cost.”

Whether local companies choose to hire an outside consulting firm or maintain their computer systems in-house, there are a number of computer-security options available for a range of budgets.

Takamine says: “As a general rule of thumb, you should buy the amount of security you can afford. It should be proportional to the value of the data you’re trying to protect and how much you can absorb the cost.”

Antivirus software
“If I could do one thing – if I were a business – I would invest in an antivirus program,” Musson says. “That’s where you get the most bang for your buck. Antivirus is a fairly low-cost option, and companies can get an enterprise license for multiple machines.”

Marine says that an antivirus program, which searches for and protects against any known or potential viruses, can cost from $20 to $30 for a one-year license per station. The cost of the actual software can range from $50 to a few hundred dollars. Companies also need to remember to program the software to update automatically daily or weekly, or the technology will become obsolete.

Firewalls
In addition to antivirus software, firewalls are a security necessity for any computer owner, Marine says. The type and cost of a firewall, a set of related programs that protects a private network from users in outside networks, can run the gamut.

“It depends on the organization and the amount of data they’re processing through their connection to the outside world,” Marine says.

Firewall hardware can range from $500 to $30,000. Certain versions of firewall software start below $100. “When somebody puts in a firewall, it’s current as of that day,” he says. “Tomorrow, it becomes less current. Aside from updates on that product, if you’re changing your network in any way – you’re adding on new stations, new servers, changing your IP addresses – unless you go back to the firewall and assess your vulnerability, then that firewall becomes more and more useless every day.”

Marine says firewalls and antivirus software are the “bare minimum” for any computer owner. Century Computers also offers a number of other computer-security products for businesses interested in more elaborate, more protected systems. Intrusion detection (ID) technology, a type of security-management system that scans for potential breaches from outside or within the company’s network, is comparable to having an alarm on your computer. The costs for the ID software and hardware can run into the tens of thousands of dollars. Unlike other security technology, human attention is necessary in monitoring and responding to possible threats.

Ninety percent of the companies in Century’s survey also did not conduct regular vulnerability assessments, which pinpoint holes in security in order to come up with methods to fix them. “If a company has a network system and is connected to the Internet – so they’re vulnerable to the outside world – they have services in their office that constantly need to be patched to fix a security problem,” Marine says. “Somebody needs to constantly assess where they’re at with security, how vulnerable they are to attacks from the outside and what needs to be done so they’re less vulnerable.”

Musson believes that since the Sept. 11 terrorist attacks, hackers will only become more sophisticated and more active. If the number and power of Internet viruses and worms continue to grow steadily, as many as one in 10 e-mails circulating the globe will be infected by a virus by 2007, according to e-mail-security company MessageLabs.

“It’s difficult for the average person to defend against that sort of attack,” Musson says. “Education is paramount. At least you understand what’s going on, what the threats are. After that, you can go out and get deeper in trying to lock down your system, but, realistically, most small businesses in Hawaii don’t do that.”

Do you like what you read? Subscribe to Hawaii Business Magazine »