If you think a Trojan Horse is the mascot of the University of Southern California's football team or Klez is Jewish folk music, it's time to focus on information technology (IT) security. Builders are not immune to the threats posed by the hacker community's bag of tricks, the top three of which IT security research group the Computer Security Institute (CSI) says are computer viruses, identity theft, and denial-of-service attacks.
Builders have long put IT issues on the back burner, and not having a plan for IT security is asking for trouble. It's time to understand that the threat is real: The CSI's 2003 survey of 530 mid- to large-sized companies found that the average company lost $803,973 to cyber crime last year. And e-mail security service MessageLabs estimates that by this April, 70 percent of Internet e-mail traffic will be spam, some of which contains malicious code and viruses.
What can builders do? For starters, get religious about backups, don't give access to employees beyond their job definitions, and be sure you have anti-virus software covering all the computers on your network.
"I see a number of our builder clients concerned about the Internet, but too many don't have up-to-date, anti-virus software [or] backups of their data, or they set up a firewall but leave it and don't change the default password from the vendor," says Bruce McCully, owner of Dynamic Edge in Ann Arbor, Mich., a technology consulting firm that works with local builders.
Another issue is the threat from within. Forty-five percent of the companies CSI surveyed reported unauthorized access by insiders in 2003. And 80 percent said employees abused Internet access in some way, such as surfing for pornography, gambling, or shopping online during work hours.
The truth is that every system is breakable and IT security software vendors can barely keep up with the hackers. The trick is to understand that, while the hackers will never go away, there's no need to panic. Better to be proactive because you need your computers to stay competitive. Here are eight steps to get your IT security program under way.
1) Threat: Being alone during an attack. Solution: Develop a relationship with an IT professional. Builders are in the business of acquiring land and building houses. Few are computer experts. If you're a small builder running a workgroup with four or five personal computers, it would be a big mistake to think you can build houses by day and manage your network at night.
Find a local IT pro you can trust and get him acquainted with your business. Word-of-mouth recommendations are best. Other avenues to contact include the American Electronics Association and the Information Technology Association of America, or call builder-oriented consulting companies such as Shinn Consulting or Joe Stoddard's Mountain Consulting Group.
The worst scenario is to have no relationship with an IT pro when the next e-mail virus hits and the hard drive with the latest copy of QuickBooks gets wiped out. Remember that sending a hard drive to a data recovery service can cost from a few hundred to a few thousand dollars.
2) Threat: Internal hackers. Solution: Cut off potential internal security breaches. A common mistake builders make is to have the same person oversee the general ledger, accounts receivable, and accounts payable functions. When one person has access to all that information, it's too easy to divert funds from one account to another.
Start by granting rights by functional areas, for example, by estimating, project management, and accounting, the three areas where most of the financial information changes hands. Second, restrict access to certain fields such as payroll rates, costs, and financials. (Your bookkeeper needs access to payroll information but doesn't need to see cost breakouts or company financial data.) You also may want to specify that only certain people have the right to electronically sign off on invoices of more than $5,000.
And it's important to use audit trail features within standard back-office programs such as Master Builder. Never turn off the audit trail. You want to be able to track where money is going as well as when and why changes were made. Another good idea is to have everyone who handles sensitive information sign a confidentiality agreement.
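The controls in step 2 (rights by functional area, restricted fields, a sign-off limit, and an audit trail that cannot be switched off) can be sketched in a few lines of Python. This is an added illustration, not part of the original article and not taken from Master Builder or any other product named here; the role names, field names, and sample staff are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: rights granted per functional area, restricted fields listed explicitly.
ROLE_FIELDS = {
    "estimating": {"costs"},
    "project_management": {"costs", "invoices"},
    "accounting": {"invoices", "financials"},
    "bookkeeper": {"payroll_rates"},  # payroll only: no cost breakouts or financials
}
LEDGER_DUTIES = {"general_ledger", "accounts_receivable", "accounts_payable"}
APPROVAL_LIMIT = 5000  # dollars; larger invoices need a designated approver

@dataclass
class User:
    name: str
    role: str
    duties: set = field(default_factory=set)
    can_approve_large: bool = False

class BackOffice:
    def __init__(self):
        self.audit_trail = []  # append-only, with no switch to turn it off

    def _record(self, user, action, allowed, reason):
        # Denied attempts are logged as well as permitted ones.
        self.audit_trail.append({"when": datetime.now(timezone.utc).isoformat(),
                                 "who": user.name, "action": action,
                                 "allowed": allowed, "reason": reason})
        return allowed

    def read_field(self, user, field_name):
        allowed = field_name in ROLE_FIELDS.get(user.role, set())
        reason = "granted to role" if allowed else "not granted to role"
        return self._record(user, f"read:{field_name}", allowed, reason)

    def approve_invoice(self, user, amount):
        action = f"approve_invoice:{amount}"
        if "invoices" not in ROLE_FIELDS.get(user.role, set()):
            return self._record(user, action, False, "role does not handle invoices")
        if amount > APPROVAL_LIMIT and not user.can_approve_large:
            return self._record(user, action, False, "over sign-off limit")
        return self._record(user, action, True, "within sign-off authority")

def duty_conflicts(users):
    """Names of users who hold all three ledger functions at once."""
    return [u.name for u in users if LEDGER_DUTIES <= u.duties]

# Constructed sample staff (not from the article).
STAFF = [User("pat", "bookkeeper", {"accounts_payable"}), User("lee", "accounting", set(LEDGER_DUTIES))]
```

Running duty_conflicts over the staff list flags anyone who oversees the general ledger, accounts receivable, and accounts payable together, and every read or approval attempt, allowed or refused, lands in the audit trail with who, what, and when.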
3) Threat: Unsecured data. Solution: Encrypt sensitive business information. One feature offered by the more expensive back-office systems such as Timberline is the ability to encrypt certain parts of the data. This is especially useful for protecting human resources information as well as sensitive benefit data from network administrators and others who may need access to maintain the network, but would have no reason to view the actual data.
A full implementation of Timberline Production Management can run into six figures, but that level of security is one reason why enterprise-level, back-office software is so pricey. Another option: Primavera has a project control and document management product called Expedition that runs $2,500 per concurrent user and offers an encrypted audit trail.
4) Threat: Virus attacks and spyware hacks. Solution: Use anti-virus and anti-spyware software. Every machine on your company's network should be covered by anti-virus software. People think they can get by without it, but anti-virus software, such as Symantec's Norton Antivirus or McAfee's VirusScan, protects computers from standard worms and viruses, and the Symantec and McAfee Web sites will keep you informed of the latest upgrades and patches. Another choice is AVG Anti-Virus from Grisoft, which is free for personal use. Be sure to set up the software you select so that anti-virus updates are automatically downloaded and installed during off-hours.
You should also consider protecting your computers from spyware, which is software that sends information about your Web surfing habits to the company selling a product over the Internet. Spyware is unknowingly installed from Web ads, downloads, or e-mail sales pitches. Hackers exploit vulnerabilities in spyware to steal company financial information or lift credit card numbers. A few of the leading anti-spyware programs are PepiMK Software's SpyBot Search & Destroy, Lavasoft's Ad-Aware, and Enigma Software Group's SpyHunter.
5) Threat: Outside hackers. Solution: Deploy firewall/routers. A firewall/router is a device that sits between the Internet and the company's network and protects your network from hackers. The better models can also alert you to unauthorized outgoing traffic. One important note: Do not use the default password that comes with the product. When you install the router/firewall, take the time to set a password with at least six characters--and don't use something obvious such as a child's name or favorite pet. The best passwords have a mix of upper and lower case letters and numbers.
Also be sure that the router offers basic firewall features such as packet inspection and intrusion detection. Some products may say firewall/router but don't actually have firewall software built in. Newer products tend to have all the right features--but check the box before you buy.
6) Threat: Kids roaming for free Internet access. Solution: Take steps to protect your wireless network. Small businesses want to run wireless notebook computers anywhere in the office, but they must recognize that once they go wireless there are packs of teenagers roaming neighborhoods and office parks looking for free online access. Be sure to enable the encryption when you set up your wireless network.
One important point: If you've heard that the encryption for wireless networks is less than acceptable, you've heard correctly. But help is on the way. Wireless encryption protocol (WEP), the first standard for wireless encryption, is slowly being replaced by a stronger version called Wi-Fi protected access (WPA). Linksys has been shipping WPA in its 802.11g routers, wireless cards, PCI adapters, and access points since last fall. WPA is also available in 802.11b wireless cards and will be available in other devices later this year. For wireless novices, the difference in the letters is the bandwidth: An 802.11g network runs data over a small network at 54 megabits per second, while 802.11b is an earlier, more stable standard but has a much slower bandwidth of just 11 megabits per second.
Another tool to help foil hackers is to use Media Access Control (MAC) filtering. The MAC address is the unique serial number that identifies a specific network card from all others. By enabling MAC filtering in the wireless setup you're telling the system that it can only connect to the specific computers on your network. This stops hackers from gaining access to your Internet connection or worse yet--your financial and human resources data.
7) Threat: Fires and natural disasters. Solution: Develop a disaster recovery plan. Here's where you have to start thinking the way you do when you buy insurance. When planning for a disaster, assume your offices will burn down, so keep a backup of your critical business information in a second location, preferably not your home.
Some builders have second or third buildings at their office locations that are used as garages or storage areas--that will work if you're a small operation and don't have any branches or remote offices. The backup will save you in the event of a natural disaster, but it will also come in handy when you suspect fraud because it allows you to go back in time and trace any pattern changes in financial or cost information. Small builders looking for an inexpensive way to back up data may want to check out www.connected.com. This outsourced service charges $24.95 a month for up to 10 GB of storage per individual PC account. A five-user license for 10 GB of storage per PC is $89.75 a month with a $50 setup fee.
8) Threat: Power failures. Solution: Build fault tolerance into your network. Protecting against intrusion is one form of security, but you also have to protect the reliability of your network. Most people think fault tolerance is only for large corporate enterprise networks, but small companies can take some steps to protect themselves in the event of a power failure, electrical short, or premature failure.
Start by buying dual hard drives for your computers and a hardware-based redundant array of inexpensive disks (RAID) controller. A RAID, or mirrored hard drive setup, for most PCs runs $200 to $500. Along with fault-tolerant hard drives, larger companies should consider using servers that can run dual power supplies ($400 and up) and dual network interface cards (another $200). Finally, spend the money on an uninterruptible power supply, a device that offers backup power when electrical power fails or drops to an unacceptable voltage level. Figure it would cost $100 per workstation and $250 per server to protect your system.
This security plan was developed through a series of interviews with leading security associations, product vendors, and technology consultants. The following companies contributed valuable insight into the building of this list: Computer Security Institute, San Francisco; Connected Corp., Framingham, Mass.; Dynamic Edge, Ann Arbor, Mich.; Intuit, Mountain View, Calif.; Linksys, a division of Cisco Systems, Irvine, Calif.; Mountain Consulting Group, Elkland, Pa.; Primavera Systems, Bala Cynwyd, Pa.; Timberline Software Corp., Beaverton, Ore.