Plan for attack

Information and the ability to manage it are exposed to numerous potential threats. Are you prepared for the loss of or attack on key systems?

Two years ago, a tornado swept through the property of Jowin Express during working hours. Barely missing the office, the tornado dismantled the shop and severed power lines. In an instant, Jowin Express’s information systems were dead.

“We scrambled around when it happened,” recalls B.J. Childress, office manager of the 70-truck carrier based in Columbia, Miss. In a matter of minutes, employees started a generator outside and ran extension cords into the office to revive the computers. Even though Jowin Express’s offices had no lights, business sprang back to life.

With information being one of your most important assets, downtime is devastating – especially in the Internet age. Losing critical applications for only a few minutes can disrupt business enough to produce financial hardships.

All businesses are prone to disruptions from system failures, power loss, intruders, viruses and other threats that can immobilize information systems, destroy data or compromise confidential information. Plan now to avoid serious consequences when trouble does occur.

Recovering from catastrophe
A business continuity plan outlines how you will restore core functions to minimize downtime from the failure of any type of system, technological or organizational. One threat is a disaster, such as a flood, fire or tornado. Hardware may be destroyed. Or you may lose electricity – the lifeblood of information systems. It’s important to review and update your recovery plan periodically. As technology changes, your priority for restoring systems changes as well.

At USA Motor Express, restoring the Internet connection is the first priority following any disruption since many critical applications, such as mobile communications, are tied to the company’s software through the Internet, says Jim Cook, director of quality and training for the 240-truck carrier based in Florence, Ala.

To prepare for the worst-case scenario – a natural disaster that destroys the office – Cook says the company has pre-assigned specific tasks to personnel to salvage equipment from headquarters and set up operations at one of several designated recovery sites. Should USA Motor Express need to purchase new equipment in an emergency, it has credit accounts already set up at local computer companies. The company also keeps backup data to restore applications in a fireproof box at an offsite location, Cook says.

At Jowin Express, the most critical application is an Internet-based freight-matching program called DAT Partners. In the event of a power outage from a natural disaster or other cause, Jowin Express would plug the phone system into its generator and run a power extension to the server that runs DAT Partners. The company would then run an extension cord to the router, modem, and switch for its DSL Internet connection, and an extension to a workstation.

“At this point, we would be able to work and keep the business going,” Childress says.

Although a generator is probably a wise investment for any time-sensitive business, at least protect your systems from temporary power loss. Uninterruptible power supply (UPS) devices use battery power to supply power to a system for a short time – generally about 20 minutes. Some UPS systems also work with the computer or server’s operating system to automatically shut down the system to prevent data corruption and data loss. This feature is especially useful should a power outage occur after hours, says technology expert Joshua Feinburg, co-founder of SmallBizTechTalk.com. Another important precaution is surge protection for any business-critical device.

Something as simple as hardware failure can cost you downtime. Even if the data is backed up to tape on a consistent basis, a hard drive failure in a company’s main server could cripple your operation. It could take hours to replace the hardware and restore backup files.

When a hard drive failed at D&D Sexton Inc., however, the Carthage, Mo.-based refrigerated carrier didn’t skip a beat. Rusty Heisten, information systems manager of the 100-truck carrier, quickly unplugged the bad hard drive and plugged in a mirrored hard drive.

“Luckily, we have configured our servers with two hard drives,” Heisten says. “That saved me big time.”

Loss of operating capability is only one concern. Don’t forget about loss of critical data. The most important step you can take to guard against catastrophic loss is to maintain backups off site. (See “Always have a backup.”)

Thwarting hackers
The notion of data security conjures up images of someone trying to hack into your systems. It’s certainly possible for a small company to operate an information system that is fully isolated from the outside world. But customers may need access to your information, and besides, once you connect anything to the Internet, you are no longer totally secure from hackers.

The most common reason someone hacks into your network is simply because he can, says Nick Brigman, vice president of product strategy of RedSiren, a Pittsburgh, Pa.-based company that specializes in information security services. Some intruders might use your servers to post secret websites, store data, host applications or steal resources and bandwidth. It’s probably a minority of hackers who seek purposely to damage data and extract confidential information, Brigman says.

Just because trucking isn’t as obvious a target as, say, banking, you can’t lower your guard. Most hackers aren’t looking at it that way. They want servers they can use for their purposes, and yours are as good as any. But their intrusion can still be very damaging to the integrity of your systems.

At a minimum, any business that uses the Internet should have a firewall – a hardware and software system designed to restrict access to your internal network. To enhance the review and monitoring of all critical system logs for suspect activity, businesses should also consider implementing an intrusion detection system, Brigman says. Intrusion detection systems (IDSs) scan networks for attackers, monitor their activities, and immediately notify the system administrator. IDSs are also able to identify intruders and initiate preventive actions on the company’s behalf, Brigman says.

If you have employees who connect to your network from home or other remote locations via high-speed, broadband connections – cable or DSL – require employees to install a firewall on their home system. RedSiren also recommends that employees be required to connect to your corporate network only through a virtual private network (VPN).

VPNs carry benefits beyond security. As an alternative to dedicated leased lines or even long distance charges on telephone connections, a VPN can provide secure, remote access to internal systems through an Internet connection. That means that a traveling employee can use an ISP’s local access number to interface with the company’s network. The information is encrypted and decoded at each end.

Together with opportunity, the Internet carries great risks to data security.

Hacking has become an even greater threat in the wireless age. Wireless local area networks (WLANs) recently have become cost-effective alternatives to wired networks, but WLANs bring even greater security concerns. (See “Security without wires.”)

Securing against viruses
Although hacking is a serious threat to information systems, viruses, worms, trojans and similar dangers are probably bigger worries for most companies. To put the threat in perspective, think of a virus as a hacker that can gain access to systems through anyone in your company who uses the Internet.

Computer viruses can slip into a network in several ways, but most often as an e-mail attachment. Feinburg recommends purchasing antivirus software on a subscription basis, instead of buying an off-the-shelf product that may become obsolete in a week. He also suggests using the built-in scheduling mechanisms of antivirus software programs to schedule a full system scan after hours.

Ruan Transportation Management Systems uses Norton Server Antivirus on a subscription basis, says Roy Cashman, chief information officer for the Des Moines, Iowa-based company.

“Every day we download the latest virus updates,” Cashman says. The company updates the antivirus software on the company’s servers and installs the latest virus updates on all its desktops. Ruan also trains employees to use care when downloading files to their desktop computers, Cashman says.

USA Motor Express has set very strict guidelines for its employees to follow on how to open and review e-mail, Cook says. If an e-mail comes from a source that employees cannot verify, they are instructed to delete it. The company uses Symantec’s Norton Utilities on its servers and updates the software once a week on its workstations.

RedSiren suggests minimizing your external exposure to virus attacks by minimizing Internet access and connectivity as much as possible. This includes:

  • Distinguishing between convenience access and essential business access. Convenience access can be identified as services such as mail lists, traffic and weather advisories, PointCast, multicast, instant messaging, etc. These services automatically open Internet access providing an access point into your network that can be exploited.
  • Opening and closing connections as needed rather than leaving services up continuously.
  • Removing Internet access from those employees who may not need it for business purposes.

Internal security
While various technologies such as firewalls and VPNs protect your systems from external access, they don’t necessarily protect you from internal intrusions – meaning your own employees.

Password requirements are the most common way to protect information from unauthorized intruders inside company walls. Ruan Transportation, for example, uses passwords to authenticate who is logging in. The company also uses password protection at the application level. Customer service and dispatch, for example, do not have access to the payroll system. And even within a certain system, certain data and tables are restricted to certain people, Cashman says.

At USA Motor Express, management asks that all employees have a password-protected screen saver that, after a short period of inactivity, requires employees to enter the password to get back into the system. They also change the network administrator password periodically as well as the root password on each server, Cook says.

Security features are only as good as the efforts a company makes to manage and enforce them. RedSiren recommends changing passwords for all super-user or power IDs such as Root, dbadmin, and application manager IDs, especially if that information has become widely shared. Also, revisit access control lists to ensure that access to critical functions and resources is limited. And you must have a procedure that ensures that employees who resign or are terminated lose access to systems immediately.

Protecting your information systems from the daily threats inside and outside your business is an active insurance policy that you can’t afford to ignore.


Always have a backup
The foundation of any business continuity plan is an ongoing strategy for backing up and restoring data. Backups are used not only to protect against loss of data due to system failures; they are also a second line of defense against computer viruses and file corruption. But no system is truly effective unless it provides for off-site storage or, at the very least, vaulting that effectively guards against fires, floods and other destructive forces.

Regardless of what type of backup technology you have, it’s important to make data backup as automatic as possible. At the most basic level, backup jobs need to be carried out consistently at predetermined times, generally daily, says technology expert Joshua Feinburg, co-founder of SmallBizTechTalk.com.

Most third-party backup software programs suited for small businesses include intuitive scheduling tools to help automate backup jobs, Feinburg says.

In addition to using software to automate the backup process, businesses should use various tape media planning such as daily and weekly tape rotations, off-site storage and permanent monthly archives, Feinburg says. Also, Feinburg recommends that companies consider all sources of valuable company information in their backup plan, including specialty applications and data stored on desktop PCs, notebooks and PDAs.

Electronic vaulting
One of the problems of using a tape system for backing up data is that it requires someone to manage the tape rotation and off-site storage. Such internal processes can leave data vulnerable to employee error or even sabotage.

Electronic vaulting services from vendors such as Iron Mountain and One Safe Place give businesses the convenience of automatic backups for servers and PCs through secure Internet connections. Electronic vaulting companies will back up the data onto tape and store the tapes off site for added protection.

“(Electronic vaulting) is really helpful for companies that have remote servers that don’t have huge IT groups to manage that process,” says Melissa Burman, director of corporate communications for Iron Mountain.

Iron Mountain’s pricing is monthly, based on the number of gigabytes you’re protecting – about $50 to $100 per gigabyte, says Lori Cotton, director of product marketing.

Compared to tape, an electronic vaulting service may be pricey for a small business. Being able to restore data to within minutes of the disruption, however, may justify the additional cost, as the cost may be similar with respect to importance of the data you’re trying to protect. In addition, most businesses only use tape to back up servers, while so much information – an estimated 60 percent of a company’s data – resides on a PC, Cotton says.


Security without wires
What if you could give your shop technicians the ability to connect to your computer network without any wires? Suppose your managers could use personal digital assistants (PDAs) to send and receive e-mail instantly anywhere on your property. Wireless local area networks (WLANs) recently have become cost-effective alternatives to wired networks for businesses of all sizes and even for personal use at home.

WLANs give you the flexibility to connect to internal networks and broadband Internet connections anywhere within a certain radius of a base unit. The problem is, without appropriate precautions, anybody within range could gain access to your systems. WLANs come with all the security concerns of wired systems – and then some.

Although WLANs operate on a variety of frequency standards, the most popular is 802.11b. Some common uses for 802.11b include automatically transferring data from onboard computers as trucks enter the perimeter of the yard and short-range communications between a handheld and onboard computer. Some carriers also use WLANs at terminals to automate cross-docking operations.

Besides installing a firewall as you would on a wired network, the first step in securing an 802.11b network is to enable the wireless encryption protocol, says Hank Hoffman, president of Siricomm in Joplin, Mo. Without that precaution, anyone with a laptop or PDA and an 802.11b card might be able to access some portions of your network by getting within the range of your WLAN access point. To protect against a professional hacker, you could purchase additional security for encrypting data and user authentication, Hoffman says.

When implementing a WLAN, the most important thing to look at is the range of access points within the network, says Mark Sands, vice president and division counsel of Qualcomm Wireless Business Solutions. If the access points of the network are easily accessible, you can have a serious problem. If your access points are inside a warehouse, however, the security of an 802.11b network really becomes an issue of the warehouse’s physical security, Sands says.


Resources
Antivirus software
Symantec Norton AntiVirus products
Network Associates
Computer Associates
McAfee VirusScan and NetShield

Intrusion detection systems