Archive for the ‘ Data Protection ’ Category

The Internet has changed the way companies do business, allowing a growing number of small and medium-sized firms to pay bills, conduct financial transactions with partners and sell goods and services to customers online. But the Internet has also made it easier for sensitive company information and private customer information to be tracked, gathered and stolen online, including credit card numbers, social security numbers, bank account data, and other sensitive information that could be exploited if it ends up in the wrong hands.

The total cost of Internet-related fraud complaints from consumers rose from $206 million in 2003 to $336 million in 2005, according to the U.S. Federal Trade Commission. Internet-related complaints accounted for 46 percent of all fraud complaints to the agency. For businesses with Internet-related transactions, or other forms of ecommerce, encrypting sensitive data about a business or customers is essential these days.

“SMB systems may hold data that companies want to protect, such as business critical or personal information,” says Dave Cole, Internet Security Expert at Symantec, the Cupertino, Calif. security software maker. “Encryption increases the security of data transmissions, reducing the risk of third-party observers being privy to content (for example, the password to your online banking services). Encryption can also be used for stored data. Encryption can help protect your Web site or e-business information assets from unauthorized access.”

Basics of Encryption

To combat the threat from fraud and hackers, most major Web sites use some form of digital encryption to protect sensitive data. Encryption is the process of scrambling data in order to make it unreadable without special knowledge of steps that can lead to unscrambling the code. While in computer terms, encryption is performed today with the use of algorithms, the concept of encryption has been around for many centuries in the form of ciphers and codes. In fact, in the decades following World War II, encryption in a digital form was primarily used only by government agencies and major corporations.

Until the advent of the automatic teller machine, most banking customers didn’t even have a personal identification number (PIN), and a signature was all that was required for most transactions when payment was made with a check or credit card.

How Encryption is Used

With increased online use, business is conducted where the various parties have practically no contact either face-to-face or even over the phone. Orders on a Web site can be processed with a few clicks of the mouse. The buyer often never communicates with a seller, except to enter a form, and the seller just simply processes orders much as it was done in the past via mail order.

Likewise, credit card or banking information can be accessed via a Web site, and businesses can transfer funds, make payments and even send money electronically through services like PayPal. It is because of this that encryption has become crucial, and for that reason, businesses should operate Web sites that offer secure (i.e., encrypted) order forms in order to reassure customers that the business is a trustworthy one.

Layers of Encryption

Sites such as PayPal use some of the industry’s leading encryption to keep customer information and company data highly secure, says Amanda Pires, spokesperson for PayPal. “The PayPal system was built by one of the most highly regarded cryptographers in the industry, Max Levchin. Max built PayPal’s financial system from the ground up using high-level encryption.”

Historically, encryptions in the form of ciphers were codes using transposition or substitution of characters. This made deciphering the information slow and tedious. But even that method could be defeated with enough time and resources. With computers, encryption and decryption can be done extremely fast, and in many ways, the encryption from most Web sites is far more advanced than any used by governments only a few decades ago.

Today, in fact, there are symmetric key algorithms that are basically private-key cryptography, where two users must share the same software to read each other’s messages or information. This is used by businesses and government agencies to keep outsiders from reading any of the data. Each party needs to have the common key. But if the key is compromised, a new key can be provided for future transmission of information.

Asymmetric Keys

The other type of encryption, one that most small businesses will likely deploy, is the asymmetric key algorithm, which uses both public-key and private-key cryptography. With this method, a user encrypts data with the public key before sending it, while the receiver, who is the only one who can decrypt the information, uses the private key. This is how credit card information is protected when a customer orders online from your Web site. The downside to this type of key is that if a site is successfully hacked, then the user’s information is compromised.

However, when you consider that credit cards regularly pass through the mail, charge slips can be lost with vital information clearly printed and cards are often stolen, encryption is actually pretty secure. It should make customers feel more secure in using your company’s Web site to buy goods or services.



Data and the flow of information inside the corporate structure are crucial to any business today. Yet computing itself has become a commodity. So how does a fast-growing enterprise balance its critical data needs against the expense and demands of server computing?

That’s where offsite data centers, or co-location facilities, come in. Small and medium-sized businesses are planning to purchase an average of 3.6 new servers each in 2006, according to a small and medium-sized business survey by Forrester Research, the Cambridge, Mass. research firm. The survey found that 48 percent of small businesses planned to increase spending on servers this year. But rather than creating their own mini server farms, many companies instead are opting to rent rack space offsite, inside buildings designed exclusively to house thousands of servers hooked up to the Internet.

The advantages are numerous. “Co-lo” centers offer extremely high-bandwidth Internet connections, redundant power and cooling systems, back-up generators and 24-hour security.

Get over the offsite paranoia

But, as with any rental in a large complex, tenants worry about the neighbors. How many competitors walk past the cage loaded with your mission-critical equipment on the way to service their own?

 “The attraction to keeping your servers on-site is complete control,” says Miles Kelly, vice president of marketing and strategy for 365 Main Inc., a San Francisco-based data center supplier. “Some companies are just too paranoid to go offsite.”

But many are getting over that paranoia — and fast. When 365 Main opened their 227,000-square-foot center in San Francisco in 2004, it had one customer and one equipment rack. By the summer of 2006, when the company’s 350-plus customers had filled the flagship center, 365 Main opened a 315,000-square-foot facility in Chandler, Ariz. Nearly two-thirds of its rentable space filled within weeks of opening.

Both regional and national competitors, like Equinix and Digital Realty Trust Inc., are seeing similar demand.

While some data center facilities provide maintenance and support services to hosted servers, many “co-lo” providers focus on what they call “environmentals” — power, cooling, security and broadband connections — leaving care of the hardware to the tenant owners.

These environmental factors are the key arguments in favor of moving servers off site.

The hidden costs of onsite servers

Power supply often triggers the move. As a business adds servers to its local facility, managers quickly see their power bills skyrocket and, worse, that the regional utility simply cannot supply any more energy to the building. The power problem is compounded by the fact that a typical high-end server in 2006 consumes four times the power of a high-end server from 2003. Offsite data centers offer what they call a mega-plug – twice the power capacity that’s actually required to run the facility at full capacity.

Cooling, or the lack of it, can also trigger the move. Even an hour or two without air-conditioning can cause high-end servers to crash, and companies are loath to purchase the redundant systems needed to guarantee the machines keep their cool.

Security requirements built into the Sarbanes-Oxley Act of 2002, a federal law that required companies to better account for internal control processes, also drive servers offsite. Under that law, public companies must ensure that customer data is protected at all times. Rather than hire a night shift to guard the machines, smaller companies prefer to send servers offsite.

Internet connectivity, particularly for companies that rely on a strong Web presence, also can be a deciding factor. Shared data centers offer top-quality fiber-optic links and volume deals from a variety of connectivity providers.

Expect to pay $600 to $1,000 per month per rack at most self-service co-location centers. Some companies prefer to break down cost into monthly charges per square foot, which range from $18 to $30.

 



Data Disasters

Hurricanes. Floods. Tornados. Fires. Earthquakes. Explosions. Extended power outages. Disgruntled employees. Hackers. And, most recently, terrorist attacks.

Those are just 10 examples of circumstances that could disable your company by damaging your computer systems and destroying your valuable data. They’re also 10 good arguments for having a comprehensive, constantly updated disaster-recovery plan.

Need a few more reasons? Blizzards. Forced evacuation due to toxic contamination (remember the anthrax scare in 2001?). Vandalism or theft. Civil unrest. Computer viruses. And the list goes on.

Naturally, nobody can plan for all those eventualities. But too many small to midsized companies don’t plan for any of them. The Small Business Pipeline, a technology-related Web site and newsletter, found that nearly three-quarters of the 237 SMBs it surveyed in April 2004 had no written disaster-response strategies.

And the penalties for being unprepared can be mighty steep: The American Red Cross, among others, estimates that as many as 40% of SMBs simply never reopen after a disaster such as a flood, tornado, or earthquake. In many of those cases, of course, insurance covers replacement of physical assets. But if companies haven’t protected their digital assets, such as critical financial and customer information, they may be out of luck — and out of business.

Most entrepreneurs now understand the importance of network security. But shielding your systems won’t do much good if, in the worst-case scenario, they no longer exist. And if you back up information but store the duplicated materials onsite or in an adjacent building, as some downtown Manhattan businesses did before the terrorist attacks of September 2001, you won’t be any better off in a disaster that affects an entire region.

For those reasons, the cornerstone of any successful disaster-recovery — or, in more positive parlance, business-continuity — plan is at least one offsite data center anywhere from a few miles to a few states away. At the very least, the distant site should contain complete, constantly updated copies of all company information; preferably, it’s more than a repository — it’s a mirror image of your main system, set up to let you easily access, search, and retrieve data from afar. Ideally, it should be a “fail-over” set-up, meaning that, when disaster strikes, your systems switch to the remote site, allowing you to run your company from there.

Technologies that can help ensure business continuity during a catastrophe include:

Tapes. You can rely on the old standby of duplicating data onto tapes, then transporting them to an offsite facility — either your own or a service provider’s. (At many small companies, somebody often just takes the tapes home — certainly not the best way to safeguard information in the event of widespread disaster. Better to rely on a storage site that’s at least 50 to 75 miles away.)

Disks. A newer option, offered by companies such as IntraDyn Inc. of Edina, Minn., lets companies back up data onto disks, which, they say, are easier to search, cheaper to transport and store, and more durable than tapes.

The Internet. Thanks to increased bandwidth, you can also do ever-larger backups online, either sending data to your own remote site or to that of a service provider. In either case, your budget will determine whether you’ve got a “cold” or “warm” backup — which cost less but can take days to fully restore operations — or a more expensive “hot” one, which should put you back in business within minutes or a few hours.

Meanwhile, companies like Connected Corp. of Framingham, Mass., offer software or services that automatically back up small companies’ individual PCs. That’s a particularly useful option for smaller-scale problems, such as a single hard-drive failure or a power failure affecting just a few users. (My next column will take an in-depth look at storage options.)

But before making any technology choices, it’s important to craft an information disaster-recovery plan — a formal written policy that’s part of a comprehensive company-wide business-continuity strategy.

To start, appoint an information crisis-response team. Assign each member specific responsibilities, but allow for overlap: At least two people should be assigned to every major task. Provide all members with multiple ways to contact each other in a disaster. Install a voice mailbox on a remote system in case your own telecommunications system is down. Designate an outside gathering place in case you can’t access your building.

Then, take inventory of your company’s information assets, recommends Elaine S. Price, CEO and president of CYA Technologies Inc., which makes business-continuity and collaboration software. Go beyond the network: Remember to account for data stored in e-mail, on individual desktop and laptop hard drives, on intranets and extranets, or in remote offices.

Rank each component according to its current relevance and importance to business processes, Price recommends. For instance, ask “Could my company function without access to this particular data?” Obviously, if the answer is no, that information gets the highest rating. Critical financial documents, competitive data, and confidential customer records should also receive top-priority status, as should anything you’re required to keep by law. In contrast, promotional materials, historical sales data, and materials from past projects and initiatives probably deserve lower ratings.

Focus on the top-ranked data first. Back it up constantly — preferably several times daily in at least two locations — and choose storage methods that let you quickly find and retrieve what you need in a crisis.

Calculate the costs of recreating critical information — and, if applicable, the potential damage from data that’s permanently lost. The Federal Emergency Management Agency recommends examining both temporary and permanent replacement costs. The numbers may be frightening, but they provide a good gauge for determining the potential ROI on your storage and data-recovery solutions.

Choose a remote site that’s far enough from your primary location that it’s unlikely to be affected by the same disaster, but close enough so you can get there in a hurry. For instance, one Inc. 500 CEO set up a disaster-recovery center in an outbuilding near his vacation home, about 45 miles from the high-tech company’s headquarters; he already knows how to reach that site by either the main highway or the back roads. Tip: For the best chance of quick recovery, select sites or providers beyond your company’s own power grid.

Update the plan constantly to account for personnel changes, process improvements, increasing amounts of data, emerging technologies, and, sadly, any new threats.

Sidebar: Resources

Following are some resources for learning more about business continuity and disaster recovery:

WEB SITES

American Red Cross
Resources to help businesses prepare for and respond to disasters
Institute for Business & Home Safety
Resources to help SMBs prepare for and respond to disasters
Open for Business: Disaster Planning Toolkit for the Small Business Owner (free 39-page PDF document developed with U.S. Small Business Administration)
The Hartford Financial Services Group, Small Business Insurance Center
Free online template for building a disaster-response plan
The Small Business Administration
Disaster-preparedness and recovery information

VENDOR WHITE PAPERS

CYA Technologies Inc. (several selections)
Business Continuity Doesn’t Have to Break the Bank, by NSI Software (registration required)
Guaranteed Backup for Small and Medium Businesses, by Live Vault (registration required): www.bitpipe.com/data/rlist?t=987097376_96003994
Six Tips Small and Medium Businesses Can Use to Protect Their Critical Data, by NSI Software (registration required): www.bitpipe.com/detail/RES/1077127452_427.html?src=TRM_TOPN

BOOKS

Avoiding Disaster: How to Keep Your Business Going When Catastrophe Strikes, by John Laye (John Wiley & Sons, 2002).

The Backup Book: Disaster Recovery from Data Center to Desktop, edited by Dorian Cougias, E.L. Heiberger, and Karstan Koop (Schaser-Vartan Books, 2003)

Contingency Planning and Disaster Recovery: A Small Business Guide, by Donna R. Childs and Stefan Dietrich (John Wiley & Sons, 2002)



A Byte out of Cybercrime

With so much sensitive information streaming through the Internet, it’s no wonder that high-tech crime-fighting units are springing up all over the country to combat digital fraud, theft, and sabotage.

Police sergeant Don Brister of the High Technology Crimes Detail in San Jose, Calif., investigates corporate espionage, among other offenses. Brister warns that with such crimes on the rise, companies should do more than build firewalls to protect their inner systems. They should also keep a sharp eye on what’s going on within the organization. Follow these few simple precautions, Brister says, and protect your company from digital mischief.

Since most corporate computer crimes are committed by former and current employees, Brister suggests that companies sever their ties with bad employees immediately. Allowing a recently fired staffer to stick around for the standard two weeks allows that worker to gather all the information and security codes necessary for future hacking. “That’s the making of a disgruntled employee who can do a lot of damage,” Brister says. “Almost any employee can bring a business to its knees. Managers and owners should look at immediate dismissal as protecting the business early on, even if it means losing a few dollars by not having a person there.”

Companies can prevent a lot of trouble, Brister says, if they conduct complete background checks on prospective hires. “We’ve been involved in many cases in which warehouse people, even people in the financial department, have had criminal records,” he says. “Even though that history is public, the company hasn’t known that it’s available or how important it is. And while many organizations would rather be kindhearted than suspicious, there are people who will go from company to company and continue stealing.”

Brister says it’s important to call in the law at the first sign of trouble. Don’t wait until a series of crimes have occurred. Early reporting means that police can log the incidents and have more leads to follow. Even if there isn’t yet a high-tech-crime unit in your city, Brister says, state police departments often have forensic computer labs. And if state agencies aren’t able to help, Brister suggests calling the FBI, the Secret Service, the U.S. Customs Service, or even the post office.



What are Macroviruses?

A few years ago, macro viruses were one of the most common categories of computer predators. Instead of targeting programs, they infected documents and templates, most notably those created with programs such as Microsoft’s Word or Excel. The most notorious macro virus was Melissa, a combination virus and worm, unleashed in 1999 by a New Jersey man who named the virus after a lap dancer and wound up confessing in court later that he caused $80 million in damage to U.S. businesses. The virus traveled via e-mail, targeting Microsoft Outlook users, and eventually forced companies such as Microsoft, Intel, and Lockheed Martin to shut down their e-mail gateways for a spell.

At one time, macro viruses comprised an estimated 75 percent of the viruses in circulation, according to Webopedia. Then they dropped from the headlines as software makers improved anti-virus programs and other computer threats became more prevalent. But anti-virus software vendor Kaspersky Lab in May revealed the discovery of a new macro virus that targets open-source applications, such as OpenOffice and StarOffice. (OpenOffice.org, the group that released the open source office program, disputes applying the label “virus” to Stardust, the exploit discovered by Kaspersky Lab.)

Assuming that macros may make a comeback, here is what you should know to protect your business:

What are macro viruses

Macro viruses are written in the internal macro language of an application. A “macro” is a sequence of commands that allows users to customize certain tasks with a single click. Among other things, users can use macros to format text, log in and check mail accounts, copy data between applications, and generate reports. Macro viruses infect computers by replacing the normal macros that handle these tasks with a virus. That’s why Microsoft Office products — such as Word, Excel and PowerPoint — were their most frequent targets in the past.

Method of infection

Macro viruses spread through e-mail attachments, CD-ROMs, networks, modems, and the Internet. When you open a file containing a macro virus, it can infect your entire system, embedding itself in other documents and templates already stored on your machine, as well as future ones. If you share an infected file with someone else, it will invade their system as well if they don’t have anti-virus software installed. By this method, it can quickly spread and overwhelm a network.

Signs your computer is infected

While your system may function at normal levels even with a macro virus present, there are ways to detect its presence so that you can stop it before it gets too far. Consider these:

  • Unexplainable behavior. You may be prompted for a password on a file that is not password-protected, or a document may unexpectedly be saved as a template.
  • Strange error messages. Past examples include “Just to prove another point” or “ROBERTA, TI AMO!” or “STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!”
  • Unexpected text appears in a document. The Melissa virus, for example, inserted quotes from the animated television series “The Simpsons” into Word documents.

Macro viruses will run on any operating system that uses susceptible applications. If you are familiar with the macros on your machine, glance through them periodically to check for any you don’t recognize. Some examples of past macro names include AutoOpen, PayLoad, and AAAZAO.
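One way to automate the periodic macro check described above, as an added example that is not part of the original article: a heuristic Python inventory that flags Office files carrying a VBA project and reports any of the macro names quoted here. The function names, the size cap and the sample bytes are assumptions made for illustration; the samples are constructed stand-ins, not real documents.

```python
"""Inventory Office files that carry VBA macros (added example, heuristic)."""
import io
import zipfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc/.xls/.ppt container
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name present in a VBA project
# Macro names quoted in the article; extend with names from your own environment.
WATCHED_NAMES = ("AutoOpen", "PayLoad", "AAAZAO")
MAX_PART_BYTES = 64 * 1024 * 1024                # assumed cap; skip oversized zip members
OFFICE_EXTS = {".doc", ".dot", ".xls", ".ppt", ".docx", ".xlsx",
               ".docm", ".dotm", ".xlsm", ".pptm"}


def scan_ole(blob):
    """Return (has_vba, watched_names) for the raw bytes of a compound file."""
    if VBA_MARKER not in blob:
        return False, []
    # Stream/module names sit in the directory as UTF-16LE; macro source is
    # compressed, so a missing name hit does not clear the file.
    hits = [n for n in WATCHED_NAMES
            if n.encode("utf-16-le") in blob or n.encode("ascii") in blob]
    return True, hits


def scan_bytes(name, data):
    """Classify one document given its file name and raw bytes."""
    has_macros, watched = False, []
    if data.startswith(OLE_MAGIC):
        has_macros, watched = scan_ole(data)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Macro-enabled OOXML files store the project as vbaProject.bin.
                    if not info.filename.lower().endswith("vbaproject.bin"):
                        continue
                    has_macros = True
                    if info.file_size <= MAX_PART_BYTES:
                        _, hits = scan_ole(zf.read(info))
                        watched.extend(h for h in hits if h not in watched)
        except zipfile.BadZipFile:
            pass  # corrupt archive: report it as having no readable macros
    return {"file": name, "has_macros": has_macros, "watched": watched}


def scan_tree(root):
    """Walk a folder and return only the Office files that contain macros."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in OFFICE_EXTS:
            result = scan_bytes(str(path), path.read_bytes())
            if result["has_macros"]:
                found.append(result)
    return found


def constructed_ole(names=(), with_vba=True):
    """Constructed stand-in (not a valid document): magic plus directory-style names."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_vba:
        body += VBA_MARKER
    for n in names:
        body += b"\x00" * 4 + n.encode("utf-16-le")
    return body


def constructed_ooxml(with_macros):
    """Constructed zip that mimics the layout of a .docx/.docm package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", constructed_ole(["AutoOpen"]))
    return buf.getvalue()


def demo():
    """Run the scanner over the constructed samples."""
    samples = {
        "legacy_with_macro.doc": constructed_ole(["AAAZAO"]),
        "legacy_clean.doc": constructed_ole(with_vba=False),
        "report.docm": constructed_ooxml(True),
        "report.docx": constructed_ooxml(False),
    }
    return [scan_bytes(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Treat the `has_macros` flag as the primary signal and review any flagged file you do not recognize; anti-virus scanning remains the tool for identifying and removing an actual infection.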

How to protect yourself

Microsoft Office can be set to display a warning message whenever a document is opened that contains macros. To make sure this option is enabled, open the application’s preferences file. Under the security tab, check the “warn before opening a file that contains macros” box. Always choose “disable macros” when asked, unless you are sure of the function of the macro. You’ll still be able to open the file and read its contents.

Microsoft Office won’t scan your hard disk, removable media such as CDs, or network to find and remove macro viruses. For that level of protection, you need to buy anti-virus software. Once it’s installed, check frequently for new virus definitions and scan your system on a regular basis.




Safe House

Shop Talk

CEOs Search for the Right Technology

A good data backup system can preserve not just your company but your sanity

As the Y2K panic proved, the most common culprit for lost computer data is not system failure. It’s plain old user error. And the only way to combat that is with an electronic safeguard — a data backup system.

Patrick Guthrie, president and chief technology officer of the Pajo Group, a $15-million Internet service provider in Long Beach, Calif., learned that the hard way. In early 1998 a manager’s tinkering rendered the company’s customer database inaccessible. Guthrie wasn’t too worried because he had easily recovered backed-up copies in the past. This time, however, none of his ideas worked. “We were frantic,” he says. Finally, he was forced to do something he hated: call in a consultant. “We paid him his $125 an hour,” Guthrie says ruefully. “It’s amazing how monetary limitations don’t apply when you’re trying to get your data back.” The incident was enough to spur him into looking for a backup system with more capacity and faster access.

Like many start-ups, the Pajo Group had built its backup system around the Band-Aid principle — an effective enough method when it had to find lost E-mail for its 20 customers. The company’s first purchase was a Hewlett-Packard Colorado Trakker 350 tape drive that cost about $500. “Back then [in late 1997] we were running pretty lean and mean,” says Guthrie, “so we fixed problems as they happened.”

The tape drive stored all Pajo’s data — a customer database, financial files, customers’ files, and the company’s own ISP-related files — on 350MB magnetic tapes that resembled double-thick cassettes. Each tape had cost about $20 or $30. Guthrie himself executed the backup, inserting a tape into the drive each night and removing it the next morning. He completed the procedure by storing the tapes in a fireproof box in the company’s offices in case of disaster.

The system worked fine, but Guthrie found that the recovery process averaged 10 minutes per file — an inordinate amount of time — because he had to rewind and search the entire tape for the lost data. True, he had to go through the process only about two times a month, but he knew that the number of requests was going to grow. Plus, because of his expanding client base, 350MB was too little space per tape; on many nights the tapes filled up before backup was complete. Pajo hadn’t yet begun offering 24-hour technical support, so there was no one around in the wee hours to replace the full tapes with empty ones.

Then came the last straw: the customer-database fiasco. Determined to have a more robust system, Guthrie purchased an Iomega Jaz drive for $300 at a computer superstore after spending time at Iomega’s booth at a trade show. It was bigger than his tape drive — up to one gigabyte (1,000MB) of data could be stored on a Jaz cartridge. And it was much faster. As he watched the Jaz drive back up the amount of data in 10 minutes that the Colorado drive had handled in two hours, Guthrie became an instant fan. But he realized too late that he’d made his decision too quickly. Business was still booming, and nightly backups were running about 650MB and climbing. He was now using one cartridge a day that cost $80 to $90 for storage. That meant Guthrie was paying more each week to store his data than he had spent on the drive itself.




By early 1999, Pajo’s menu of services had expanded to include hosting Web sites, colocating Web servers (meaning that his customers’ servers actually resided at Pajo), and handling thousands of E-mail accounts and more than 150 T1-line customers. To support all the traffic, Pajo had a United Nations-like network that featured operating systems ranging from Windows NT to Linux to Unix and even to the Mac OS. If Pajo were ever to move beyond the Band-Aid approach to backup, the time had come.

Guthrie started asking around for advice. The consensus, from Pajo vendors like Ingram Micro and Tech Data as well as some consultants, was that a digital audiotape (DAT) drive would be the way to go. A DAT drive can store up to 40GB of data on one tape, at a cost comparable to that of storing data on magnetic tapes — less than 10¢ per megabyte and half that for storing fully compressed data. However, compared with magnetic tapes, a DAT drive is less unwieldy to use for retrieving data. And although it’s not as fast as a Jaz drive, a DAT drive takes only about 40 seconds to locate a file.

To run the DAT drive, Guthrie’s vendors suggested that he use Seagate Technology’s Backup Exec 7.2 software (it’s now a product of Veritas) — a far more sophisticated brand of backup software than he had used with the other drives. Guthrie wasn’t quite sold, but then his sanity-check Internet search for “backup software” turned up Seagate’s name repeatedly. So he purchased Seagate’s Backup Exec software in conjunction with Hewlett-Packard’s HP SureStore DAT24 drive, so named because it was capable of holding 24GB of data (again, in a perfectly compressed world). The price: $840 for the software and $1,251 for the drive.

Guthrie installed the software as well as the DAT drive on a server running Windows NT. That was a snap, but configuring the software to back up data across a smorgasbord of operating systems wasn’t. To facilitate communication between Linux and the company’s other systems, Guthrie earlier had created shortcuts called “Samba shares.” For three days Guthrie tried to get the Backup Exec software to recognize the Samba shares, convinced that he had to be doing something wrong. Being a computer guy, he figured that if he couldn’t fix things himself, he was as good as doomed. “You’re S.O.L. once you call tech support,” he says.

It certainly felt that way as he waded through Seagate’s voice-mail system. When he finally reached a technician on the third call, he explained his problem and was told he’d receive a callback. In the meantime, he relied on the Jaz drive for backup.

After two weeks had passed without a word from Seagate, he tried again. A manager assured him that he’d receive a call the next day. He did — and got some bad news: version 7.2 of Backup Exec didn’t include the right agents (technology used to accommodate different operating systems) to support any Linux shortcuts. But there was also some good news: the next version of the software would have the capability. (According to Stacey Ruscette, a spokesperson for Veritas, which purchased Seagate’s software division in May 1999, versions 7.3 and 8.0, released in June 1999 and February 2000 respectively, include the appropriate agent to support Linux.)

Guthrie couldn’t wait, so he returned the software. “I kept the DAT drive,” he says, “but I was back to square one.” The experience showed him how little was commonly known about backup systems. “Up until then I had always relied on our vendors for accurate technical advice. I couldn’t do that anymore.”

Guthrie instead turned to one of his young technicians, a recent college graduate with plenty of friends in other Internet companies. The technician made a few calls. He reported back to Guthrie that the highest praise for backup software capable of supporting a variety of operating systems went to Knox’s Arkeia, a product that was popular with Linux users. A few times Guthrie E-mailed Knox some questions that he was “looking for yeses to” — namely, whether the software would work with all Pajo’s operating systems (except the Mac OS), whether he could try the software risk free before buying, and whether he could get technical support 24/7. He also hoped to find a system that would allow him to start the backup from any machine, running any operating system, by means of an easy-to-navigate graphical user interface.

He got his yeses. With the guarantee of a 30-day free trial, Guthrie’s young technician downloaded the Arkeia trial software from Knox’s Web site and installed it on Pajo’s Windows NT server that day — no snags, no glitches. “It was pretty sweet,” says Guthrie. Then, when he had to call Knox to clarify some settings, he got a bonus: he found himself on the phone with Sam Siegel, the company president. (As Knox was at that point only a six-person company, Siegel took his share of customer calls.) When he found out that Siegel had had a large hand in designing the software, Guthrie took great pleasure in grilling him about the product.

Guthrie also got some free advice. When Siegel heard that Pajo was using a Windows NT server for primary backup, Siegel made a suggestion he’d made many times before to Linux users: why not speed up the process by running the backup from the Linux machine rather than from the Windows NT one? To Guthrie, the idea was a classic example of overlooking the obvious. “We were letting our primary operating system [Windows NT] dictate where we were going to do the backup from,” he says. Guthrie moved the DAT drive from the NT box to the Linux box. “It took longer to move the DAT drive from one computer to the next than it did to install the software. We had everything up and running within 20 minutes.”

Not only did the system work perfectly, but Siegel’s claim that the backup would be 10 times faster using the Linux box was substantiated. Guthrie particularly liked the real-time graphic that monitored just how fast the backup was going. “We were all watching it, screaming, ‘Go, go, go!’ We’re men — we like to see meters,” he says.

To date, the system has never failed. And it’s no problem to find that E-mail address that’s been lost in the abyss. With the DAT drive, an administrator just selects the file in question from Arkeia’s Explorer-like log, and a dialog box tells him which tape to insert into the drive to retrieve it. The process takes, at most, three minutes.

Safety net
Matthew Barrer calls his old method for backing up his company’s data “half-assed,” but his system is not as uncommon among small businesses as you might think. Barrer copied key files from one hard drive to another through his local area network before leaving for the night.

In 1998, Barrer bought the five-year-old Philadelphia Enterpriser magazine, which is targeted at business owners and entrepreneurs in the metropolitan area. The following year he made his mark on the publication by instituting a few changes: he made the content truly regional in focus, since he knew he couldn’t compete with deep-pocketed national magazines, and he improved the company’s technology.

His first upgrade was to implement GoldMine contact-management software. Instead of using Microsoft Access to house the subscriber database and boxes of note cards to keep track of advertisers, the company began operating off three GoldMine databases: one for the Enterpriser’s 18,000 active subscribers, one for its advertisers, and one for Barrer’s own personal contacts. His second upgrade was to jury-rig that file-copying backup system to minimize the chance of losing files.

But not having an official backup system gnawed at him. He didn’t want his company to become a statistic in some backup-system manufacturer’s brochure. “Reader data in the subscriber database is not something we can reconstruct easily,” he says. “Those demographics are what our advertising revenue depends on. I needed it to be secure.”

Barrer started his search for a backup system as a relative novice. “I knew about tape drives,” he says, “but I didn’t know what else was out there at all.” To learn about his options, he began asking everyone he ran across about backup systems — both online and off.

Barrer knew he wanted something that was not labor-intensive. And from what he was hearing, online systems virtually took care of themselves. No one would have to change the tapes and make sure the data were moved off-site. “I’d much prefer that the data be in some big data warehouse, where I’m the control point,” he says. “I don’t have a full MIS department; no one’s going to be able to do that for me.”

Identifying vendors was as easy as launching his browser and searching for “online backup.” “I was looking for something that I could control and access with minimal effort, and that I could trust — it had to be encrypted and safe,” he says. He also wanted a solution that backed up any changes in his data on a daily basis. “I didn’t want to have to go back on more than a day’s activity,” he says.

He ended up focusing on three Internet-based backup services that met his criteria: @Backup, Connected, and NovaStor. Using each company’s software, Barrer could connect to the Internet and automatically back up his company’s data. Further, the software allowed incremental backups to automatically launch at the same time every day (he could even choose the time) to ferret out the files that had changed in the past 24 hours.

Barrer liked the sound of that — a workable day-to-day backup solution that would require little to no involvement from him. Now he just had to discover which one would best meet the Enterpriser’s needs.

With @Backup, for a $99 annual fee, users could back up as much as 100MB of data by means of a simple Internet connection. The company also offered a deal in which users could pay $300 a year to back up 500MB of data. Although both plans would have worked for Barrer personally, neither was good enough for his business. For the Enterpriser he wanted to make sure that he could restore everything, including applications and his Windows 98 operating system — 6.5GB of data — since he didn’t have an internal technical team to handle such a task. Besides, he didn’t much cotton to the idea of signing a long-term contract.

Connected’s Online Backup and NovaStor’s NovaNet-Web (which is hosted by Compaq) both had the monthly, commitment-free pricing he liked — around $20 a month. Plus, they offered enough storage space for a systemwide backup. (In NovaStor’s case, if a company wants the initial backup to be done on-site, it must purchase a $200 NovaNet software package.) Price considerations alone would have made it easy to go with Connected, but Barrer was drawn to NovaStor’s connection with Compaq. Although both companies backed up clients’ data onto digital linear tape (DLT) at secure data facilities, NovaStor used a Compaq-owned data center whereas Connected had its own. (DLT drives start at twice the price of DAT drives, and their smallest capacity is 40GB — which is the largest capacity for DAT drives.) Moreover, Compaq was actually the provider to whom Barrer would be paying his monthly NovaStor bill; it offered backup service with NovaStor’s software through its Web site. “If it was good enough for Compaq,” Barrer says, “it sure as heck was good enough for me.”




The decision made, Barrer turned to an expert for the follow-through. InfoQuest, a NovaStor value-added reseller also located in Pennsylvania, installed NovaStor’s NovaNet 7 onto the Enterpriser’s Windows NT and oversaw the initial backup, which involved 6.5GB worth of applications and operating systems on two tapes. Two copies of the information were made. One was transferred off-site to the Compaq data bank, and the other resides at InfoQuest, where it’s available for easy retrieval in case of a full-blown disaster.

The rest of the Enterpriser’s data — financial files, business correspondence, the GoldMine databases — were backed up by InfoQuest using NovaNet-Web, NovaStor’s online backup software. All Barrer had to do was install his own CD-ROM of software on the Enterpriser’s server. Although he did call NovaNet’s customer-service reps to guide him, he was able, with virtually no problems, to use the software’s wizard to answer a series of questions that automatically set up the schedule of when he wanted his data backed up. “It passed my software test,” he said. “I was able to install it without looking at a manual.” Now, every night when the clock strikes 12, NovaNet-Web scans Barrer’s computers for changes and performs backups of any changed files. The whole process takes about 10 minutes.

NovaNet-Web also backs up Barrer’s laptop nightly. “If I’m online at that late hour, I’ll get a message saying, ‘Do you want to back up now?’” says Barrer. “And if I miss it, I can just back up the next time I connect to the Internet.”

Barrer couldn’t be more pleased. Not only does he have a backup system that operates without human intervention, but he also has a system that works. In one case Barrer used NovaStor to restore his 45MB database of contacts, which, according to NovaStor, had been corrupted when something malfunctioned. Although the parties don’t agree on how the data were lost or whose fault it was, Barrer doesn’t particularly care. He just made sure he got a restored file, because into the void had gone the one record he’d never dare to delete: his mother’s.

Mie-Yun Lee is the editorial director and founder of BuyerZone, an Internet buying service that features expert purchasing advice and tools for small and midsize businesses. You can conduct your own search for an online backup system at www.buyerzone.com/computers/backup-remote/index.html. Sandra Boncek contributed to this article.





We’ve Been Hacked

Not scared of losing your data to a corporate thief? You should be

Bob McNeal sits down in a cubicle in his Alexandria, Va., office with his morning coffee. He turns on his computer and flips open his notebook to check out the specifics of today’s assignment. He clicks a couple of buttons on the screen and runs his usual scripted program, entering in a few numbers from those that are scribbled in his notebook. He types in some commands, following routine instructions from his database of tools. Then he patiently waits for the computer to process his programs and answer his questions — questions that could be worth thousands of dollars to his client.

Two hours later, McNeal has completed his assignment. He has broken into the computer network of MBA Management Inc., located some 20 miles away in Fairfax, and verified that he can access every computer and every database in the company. And, McNeal tells his boss, he can read the user ID and password of every single employee. Is that enough, he asks, or should he continue?

That’s hacking. Sorry to make it seem so banal. But it doesn’t take some wild-eyed rocket scientist with a supercomputer and nothing better to do but type ingenious code into the wee hours of the morning to perform it. Most of what hackers do is disarmingly simple. Often they use readily available vulnerability-seeking software programs, which some experts call “point, click, and attack tools.” And most of the time hackers are pretty successful — especially when they target small companies, which typically don’t spend either the time or the resources they need to protect themselves. The simplest tricks can do tremendous damage. (Witness the “I Love You” bug that was sent earlier this year in an E-mail attachment.)

Most small companies that are hooked up to the Internet do what James Mugnolo, president of MBA Management, did: assume that their Internet service provider will furnish a secure connection. It took McNeal just one morning to reveal how faulty an assumption that was.

Fortunately for MBA Management, a $5-million executive-search business, Bob McNeal works for the good guys: Para-Protect Services Inc., an E-commerce and network-security company. Mugnolo, who recently moved his company to Chantilly, Va., hired Para-Protect in October 1998 to find the holes in his company’s network and recommend ways to stitch them up.

McNeal stopped his penetration test into the MBA Management network after those first two hours. Normally, such a job can take two days. “We stopped when we found we could get into everything,” says Chuck Downs, Para-Protect’s vice-president and director of operations. “There was no sense in beating that horse to death.”


Close call: James Mugnolo’s company received a nasty virus that read, “Enclosed is my résumé.”


Mugnolo had decided to test his company’s security and to spend some money upgrading it after a former employee was suspected of stealing customer data. Like most employers who have such suspicions, Mugnolo doesn’t like to discuss the details. Still, he clearly felt betrayed, and worse, the incident scared him. In its database the company keeps information on more than 50,000 workers throughout North America, as well as on an equal number of companies that are looking for employees. “Their whole business is that database,” says Downs.

Though Mugnolo didn’t hire “white hat” hackers until the company had lost data, other small-business owners are rushing to secure their networks before disaster strikes. In some cases the critical or private nature of the company’s data pushes them to it; in other cases companies see security as a differentiator for their product or service. But many have just plain seen the writing on the wall — or more precisely, in the newspaper headlines, which have blared a stream of reports on security breaches. Though well-publicized stories about computer viruses have lately brought security into the public consciousness, it’s often other threats that are more dangerous to a company’s profits and reputation. Those can include attacks that shut down Web servers, for instance, or that replace Web sites with obscene or insulting graphics. Hackers can also get in and rummage through a company’s files. Sometimes data just disappear — consider the case earlier this year at the U.S. State Department, where Madeleine Albright ordered a crackdown after a classified laptop vanished, and at Los Alamos National Laboratory, where two hard drives containing classified nuclear-weapons data were missing for more than a month.

Those sorts of events — from the annoying to the frightening — are often what it takes to make an entrepreneur recognize the need for computer security, says Terry Gudaitis of information-protection consultant Global Integrity Corp., based in Reston, Va. After all, you don’t want your company to be the next one in the headlines.

Certainly, Mugnolo doesn’t. And he has thus far been successful. In March, Para-Protect Services ran an unscheduled penetration test of MBA Management’s systems, and this time the company passed with flying colors. Since it adopted its new security measures, “we haven’t had a single instance of systems penetration,” says David Denne, MBA Management’s vice-president of marketing. That has left the company free to concentrate on growth: this year’s second quarter was its best ever, and the business grew from 35 employees to almost 60 in the first six months of the year.

In perhaps its closest call, the company escaped damage from a virus that was seemingly designed for a headhunting company: code disguised as an E-mail attachment on a résumé. That message, signed “Janet Simons,” read: “Attached is my résumé with a list of references contained within. Please feel free to call or E-mail me if you have any further questions regarding my experience. I am looking forward to hearing from you.” The attachment, however, carried a virus that could have methodically erased every single drive on MBA Management’s network.

Needless to say, that particular virus could have been disastrous for the company, where résumés flow in regularly through the E-mail system. “It probably shut down several of our competitors,” says Denne. “Our system immediately scrubbed anything that came in through the firewall, flagged it, and kept it on a server outside the firewall.” Like Mugnolo, Denne believes that MBA Management has gained a competitive edge through its stepped-up security. “I find it comforting, and therefore I think my clients find it comforting,” Denne says.

Hire a Hacker
At Para-Protect Services, Chuck Downs was surprised but not shocked that McNeal was able to break into MBA Management’s systems in just two hours. Doing what Mugnolo did — relying on his ISP to configure his connection to the Net — meant by definition that it was an open connection, Downs says.

But if Downs wasn’t appalled, Mugnolo certainly was. His business’s competitive edge — the reason companies go to him rather than to other headhunters — is his deep compilation of information on thousands of potential employees. Included in that data is sensitive information on job openings, including postings that haven’t been made public — perhaps because an employee doesn’t yet know that he or she is on the way out. Companies can unwittingly reveal a lot about their strategic plans, for example, by listing the specific skills required for various jobs. “The last thing in the world the client wants is for that information to get back to his staff or to a competitor,” says Denne.

In particular, a company that’s developing a new product doesn’t want anyone to know the nature of its work. “A breach in a program could spell the end of the whole market for their idea,” Denne adds.

Still, it’s not surprising that few people spend a lot of time worrying about Internet security. As the user looks out onto the superhighway of the Web, it’s easy to see it as a one-way street. But in fact, when you open a Web page or do virtually anything on the Internet, you send a request to the faraway computer on which that Web page is stored, and that computer sends you back information, which is opened by your browser or other software. That means your computer — and, in a company setting, the server — must be constantly open and able to receive data feeds from the outside. That openness is exactly where vulnerability lies.

For a fee of about $10,000, Para-Protect restricted the openness of MBA Management’s systems in two ways. First, the company installed a simple firewall from Prism Servers Inc., in Allison Park, Pa., at a cost of less than $3,000. The firewall was configured according to a simple rule, Downs says: “Anything coming from the Internet that is not requested from the inside is denied.” It does that by using a Unix filter to distinguish between information — like a Web page — that is coming in at a user’s request and any unknown traffic that arrives unbidden. When someone inside the network requests something from outside the firewall, the firewall issues a tag number with the request. If incoming data packets don’t contain a matching tag, the firewall won’t let them in.

There are two big exceptions. One is E-mail, which arrives unrequested. Downs put MBA Management’s E-mail system onto a separate server, which redirects incoming mail and scans it for viruses before users can access it. The other exception is the company’s own Web site, which anyone from the outside should be able to access. MBA Management disconnected the site from its corporate network and arranged to have it hosted off-site.

Second, Downs made sure that each computer went on the internal network, which is invisible to outsiders. In a normal office network with Internet access, each workstation has a unique Internet Protocol (IP) address. It was those addresses that McNeal was able to identify and attack in the penetration test. Downs changed each workstation’s IP address to a nonroutable address — meaning that outsiders can only see the address of the firewall. The result: nobody from outside can discover the IP address of an internal computer and use it as a port into the network — a common hacking procedure. Downs says that the firewall’s logs reveal that hackers have frequently scanned MBA Management’s system looking for ports since Downs put the firewall in place.
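The two measures described above, default-deny filtering keyed to inside-initiated requests and workstations hidden behind nonroutable addresses, can be modelled in a few lines. This is an added Python illustration, not Para-Protect’s or Prism’s configuration: the session table, the use of the translated source port as the article’s “tag number,” the scan threshold and every address are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# All addresses below are constructed sample values.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # nonroutable workstation range
FIREWALL_IP = "203.0.113.1"     # the only address outsiders can see
MAIL_RELAY_IP = "203.0.113.25"  # separate server that scans mail before delivery
SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Firewall:
    # tag -> (inside ip, inside port, peer ip, peer port)
    sessions: dict = field(default_factory=dict)
    next_tag: int = 40000
    log: list = field(default_factory=list)  # (verdict, packet) tuples

    def outbound(self, pkt):
        """Record an inside-initiated request and hide the workstation address."""
        if ipaddress.ip_address(pkt.src_ip) not in INTERNAL_NET:
            raise ValueError("outbound traffic must come from the internal network")
        tag = self.next_tag
        self.next_tag += 1
        self.sessions[tag] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(FIREWALL_IP, tag, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the packet to deliver, or None when it is denied."""
        # Exception: mail arrives unrequested, but only at the separate relay.
        if (pkt.dst_ip, pkt.dst_port) == (MAIL_RELAY_IP, SMTP_PORT):
            return self._verdict("ALLOW-MAIL", pkt, pkt)
        session = self.sessions.get(pkt.dst_port) if pkt.dst_ip == FIREWALL_IP else None
        if session is None:
            return self._verdict("DENY-UNREQUESTED", pkt, None)
        inside_ip, inside_port, peer_ip, peer_port = session
        # A matching tag is not enough: the reply must come from the host asked.
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return self._verdict("DENY-WRONG-PEER", pkt, None)
        reply = Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        return self._verdict("ALLOW-REPLY", pkt, reply)

    def _verdict(self, verdict, pkt, result):
        self.log.append((verdict, pkt))
        return result

    def suspected_scanners(self, min_ports=3):
        """Sources whose denied packets touched at least min_ports distinct ports."""
        ports = defaultdict(set)
        for verdict, pkt in self.log:
            if verdict.startswith("DENY"):
                ports[pkt.src_ip].add(pkt.dst_port)
        return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def run_demo():
    fw = Firewall()
    web = "198.51.100.80"
    # A workstation requests a Web page; the server sees only the firewall.
    out = fw.outbound(Packet("192.168.10.20", 51000, web, 80))
    reply = fw.inbound(Packet(web, 80, out.src_ip, out.src_port))
    # Right tag, wrong sender: denied.
    spoof = fw.inbound(Packet("198.51.100.99", 80, out.src_ip, out.src_port))
    # Unrequested packets to several ports on the firewall: all denied and logged.
    for port in (23, 139, 445, 3389):
        fw.inbound(Packet("198.51.100.66", 40001, FIREWALL_IP, port))
    # A packet addressed straight to a workstation has no session either.
    direct = fw.inbound(Packet("198.51.100.66", 40001, "192.168.10.20", 139))
    mail = fw.inbound(Packet("198.51.100.7", 33000, MAIL_RELAY_IP, SMTP_PORT))
    return fw, out, reply, spoof, direct, mail


if __name__ == "__main__":
    fw, out, reply, spoof, direct, mail = run_demo()
    print("server sees:", out.src_ip, "| reply delivered to:", reply.dst_ip)
    print("denied sources worth reviewing:", fw.suspected_scanners())
```

The `suspected_scanners` summary corresponds to the log review Downs mentions: the denials themselves are the evidence that outsiders are probing for open ports.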

Although $3,000 is low-end for a commercial firewall, Downs says, it’s all that a small company needs. “The only thing you limit is the number of people you can service,” he says, since the small firewall has limited bandwidth capacity. The Prism product, he says, can easily handle 200 users. That should cover the short-term needs of MBA Management, which plans to double its number of networked users within a year. As the company has grown, it has periodically added servers behind the main firewall and is now running six of them.

Now that Downs feels the company is secure from outside intruders, the next move is to provide greater internal security for the databases. Currently, MBA Management uses a proprietary database running on NT servers. It is about to split the database into several parts using software called Adapt, which will allow the company to use the operating system’s security-administration features to carefully control who can have access to different levels of data.

Since installing the firewall, Para-Protect has conducted monthly tests as part of a routine security checkup. That is not to say that MBA Management’s security is 100% foolproof. But the company has put a pretty solid defense in place — solid enough to send hackers on to easier targets. And that’s a big part of what Internet security is about: making sure yours is not the easiest lock to pick.

Virtual Privacy
You could say that a kindergarten play cost entrepreneur Dana Dodds $120,000 a year, and you wouldn’t be that far off.

One afternoon in 1996, Dodds, CEO of San Diego auto insurer Reliant General Insurance Services Inc., left work to watch his daughter perform in a school play. He was immediately struck by guilt. “I had a customer-service rep whose daughter was in that class, too, but she couldn’t be there, and it bugged me,” Dodds says.


A virtual private network lets Dana Dodds’s employees work from home without sacrificing security.


Soon, about 15 of Reliant General’s employees were working from home, with no time clock — just quotas for the number of applications they processed and standards for the quality of the work they did. Back then, the workers connected to the corporate network directly through a dial-in 800 number. The phone bills for those lines ran about $120,000 a year.

Reliant General is a fast-growth company — it’s made the Inc. 500 twice, as #341 in 1998 and #417 in 1999. And Dodds is all for using the newest technology to keep his company growing at a rapid pace. So in 1997 he hired information-services director Cary White to help him do just that.

When White, 32, joined the company, he took one look at the exorbitant phone bill and told Dodds that the company could eliminate most of it by letting the telecommuters connect over the Internet. Dodds liked the idea but knew there had to be a catch. “He’s a very sharp guy when it comes to technology,” White says with a laugh. “Almost too smart for his own good.”

The catch, White responded, lay in the open nature of the Internet. Essentially, the Internet is a very large collection of routers that are wired to one another. When you send a packet of data into cyberspace, it wanders, asking at each router, “Have you seen this IP address?” If the answer is no, the packet moves on to the next router.

However, nobody should trust that every router on the Internet will simply shoo data packets along. Hackers can put tools, called “sniffers,” on those routers and use them to peek inside every packet of data that comes along. If a packet’s contents or destination seems juicy enough, the sniffers can read everything inside.

An extra layer of worry exists for Dodds and his colleagues working in California’s auto industry: 11 years ago actress Rebecca Schaeffer was murdered by a stalker who obtained her address from the state Department of Motor Vehicles. (Since then, California has tightened its DMV privacy laws.) Not surprisingly, Dodds is passionate about the need to protect his customers. “Information for us is a trust, and we can’t give it away, and we can’t let anybody get it,” he says. “We’re talking about where they live, what cars they drive, where they work, the children that drive in the household, their driving records, their claims history — it’s very similar to credit information. It’s very private.”

For White, simply using the wide-open Internet was out. So he called in a local consultant, Paradise Technology, which built a virtual private network. At the time, VPNs were a fresh concept, and few companies of any size had tried them out. The VPN creates a tunnel of sorts between the Reliant General network and telecommuters’ computers, shielding its content from the view of the myriad routers along the way.

Axent Technologies’ PowerVPN was one of the first of its kind on the market, so Paradise chose it for Reliant General. In addition, Reliant General purchased Axent’s Defender product to authenticate users on its dial-up lines.

The system works this way: Telecommuters like Reliant policy underwriter Mike Lemieux connect to the Internet through a cable modem or a dial-up ISP. Lemieux, who works full-time from his home in El Cajon, Calif., clicks on an icon to start his session with Reliant General. Lemieux’s request then passes through several stages.

First, the firewall lets it through only if it is a request for a VPN session on the Axent machine. Anyone — even an authorized user like Lemieux — who tries to bypass that machine and connect directly to the corporate server will be blocked by the firewall. Approved requests for VPN sessions make it to the next stage: authentication by the Defender hardware. Lemieux enters his user ID and, just as he would at an ATM machine, types in a personal identification number. But in addition, using that PIN and secret data stored on Lemieux’s hard drive, the system creates a onetime password that allows him to access it. This two-level authentication means that someone would have to know Lemieux’s password and use his computer in order to impersonate him and gain access to the corporate server.

When Defender gives the go-ahead to Lemieux’s session, the PowerVPN establishes a secure tunnel that keeps all transmissions out of harm’s way. In addition, it encrypts the contents. Once the secure connection is established, Lemieux logs in to the corporate server — using yet another password — and begins working on applications just as if he were on the network in the office. So far the system has worked so well that Reliant General uses the VPN not just for its own telecommuters but also for approved outsiders, like insurance-claims reps.
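The two-level login in the authentication step above can be sketched as follows. This is an added illustration, not Axent Defender’s actual algorithm: it assumes a counter-based one-time password (HOTP, RFC 4226) whose key is derived from both the PIN and a secret stored on the user’s machine, and the class names, user ID, look-ahead window and lockout limit are hypothetical.

```python
import hashlib
import hmac
import struct

DIGITS = 8          # assumed code length for this example
MAX_FAILURES = 5    # assumed lockout threshold


def hotp(key, counter, digits=DIGITS):
    """HMAC-based one-time password as specified in RFC 4226."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def derive_key(device_secret, pin):
    """Bind the memorised PIN to the secret held on the user's machine."""
    return hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()


class Client:
    """The telecommuter's machine: stores the secret, never the PIN."""

    def __init__(self, device_secret, counter=0):
        self.device_secret = device_secret
        self.counter = counter

    def next_password(self, pin):
        otp = hotp(derive_key(self.device_secret, pin), self.counter)
        self.counter += 1   # every code is generated from a fresh counter
        return otp


class Server:
    """The authentication server in front of the VPN."""

    def __init__(self, look_ahead=3):
        self.users = {}
        self.look_ahead = look_ahead

    def enroll(self, user_id, device_secret, pin):
        self.users[user_id] = {"key": derive_key(device_secret, pin),
                               "counter": 0, "failures": 0}

    def verify(self, user_id, otp):
        rec = self.users.get(user_id)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False    # unknown user, or locked out after repeated misses
        # Accept a small window ahead so a client that skipped codes can resync.
        for counter in range(rec["counter"], rec["counter"] + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["key"], counter), otp):
                rec["counter"] = counter + 1   # burn this and all earlier codes
                rec["failures"] = 0
                return True
        rec["failures"] += 1
        return False


def run_demo():
    uid, pin = "telecommuter1", "4921"    # constructed sample values
    secret = bytes(range(32))             # constructed secret on the home PC
    server = Server()
    server.enroll(uid, secret, pin)
    home_pc = Client(secret)
    first = home_pc.next_password(pin)
    return {
        "valid_login": server.verify(uid, first),
        "replayed_code": server.verify(uid, first),
        "right_pc_wrong_pin": server.verify(uid, home_pc.next_password("0000")),
        "resync_after_skip": server.verify(uid, home_pc.next_password(pin)),
        "right_pin_wrong_pc": server.verify(uid, Client(b"x" * 32).next_password(pin)),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:20s} accepted={accepted}")
```

A code captured in transit is useless on replay because the server has already moved its counter past it, and neither the PIN alone nor the machine alone produces a code the server accepts.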

Installing the system for about 25 telecommuters cost Reliant General about $20,000. Given a yearly savings of $100,000 on the phone bill, “it was pretty clear-cut, pretty much a slam-dunk decision,” says chief financial officer Greg Goodrich.


Instant reassurance: Joseph Rosmann guarantees that the children’s records are shielded from harm.


According to Dodds, the phone-bill savings haven’t been the only gain. He says telecommuters’ productivity has increased sharply — a phenomenon supported by a new poll conducted by the International Telework Association & Council, which found that nearly half of the telecommuters surveyed felt they were more productive working at home, while less than 10% thought they were less productive. According to Dodds, underwriters who used to process about 70 applications a day in the office are now doing at least 100 a day working at home. And giving a staffer time off to attend a school play no longer costs the company a small fortune.

Bedside Manner
If you think that storing kids’ immunization records doesn’t sound like a business bonanza, then you haven’t been talking with Joseph Rosmann.

Rosmann’s soft-spoken manner belies his passion about his Internet start-up, HealthRadius. The company — Rosmann’s obsession since he launched it in 1996 — will soon make many millions of dollars from its Web-based repository of children’s vaccination records, he explains in measured tones. Doctors, he says, have free access to the records. Public-health agencies pay a fee to access the records of children in their area. Health plans pay $1 a child for basic data and as much as $4 a child for more complete records. Individuals, through their employers or insurers, can access their own children’s records for a family subscription fee of $15 a year.

Eventually, every time a doctor’s office wants to check on a new patient’s history or a parent wants to sign up a kid for summer camp, money will flow into HealthRadius. What companies like Healtheon/WebMD Corp. have become for the Web-based administrative side of health care, Rosmann’s company will be for the patient-records side of it, he says.

Rosmann, 56, who formerly worked as a health-care consultant, has had to make his pitch many, many times, to venture capitalists, state health officials, doctors, and health-care administrators. Though they may expect the caricature of an Internet-start-up entrepreneur with plans as big as the sky — a young, brash, fast-talking braggadocio — what they get instead is the calm assurance of Joe Rosmann, with his mellifluous voice that never rises or rushes. Like a family doctor explaining your test results, he provides instant reassurance with his smile and bearing.

Reassurance is an important element of Rosmann’s plan. To make it work, he must collect and distribute the type of information that everyone agrees should be held in utmost privacy: medical records. Without strict assurance of the data’s security, Rosmann says, his company could never meet the requirements of health-care privacy laws — newly tightened in the wake of consumer outrage over privacy violations. And just as important, without that security, Rosmann could never sell anyone on the idea.

And these days it’s a Herculean task to ensure that Web-based transactions are private and secure. Still, for cost, speed, and simplicity, Rosmann wants to do it all — including data collection and access — over the Web.

His approach seems to be working. HealthRadius, based in Bellevue, Wash., will expand its immunization-records service to four new states this fall and expects to have more than half a million physicians involved within two years. Although the company took in just $100,000 in revenues last year, venture capitalists value the company at about $20 million. Rosmann expects revenues of close to $5 million this year.

Four years ago, when Rosmann launched HealthRadius, doctors and health-care administrators were just beginning to eye the potential of the Internet. Washington state health officials brought Rosmann in to study how to salvage a failed medical-records-exchange initiative, the Community Health Information Network. Their request, he says, was straightforward: “Get something simple started to prove that you can safely exchange medical-health records and automate the transactions between doctors, health plans, and hospitals.”

Out of that effort came two companies: Rosmann’s and a payment-exchange provider called Pointshare. Rosmann’s response to the state’s request was to break into the potentially enormous health-care-records field through the single entry point of children’s immunization data. That category is a good testing ground for the broader health-records field, he believes. For one thing, parents must frequently provide immunization records to new schools, new summer camps, and new doctors. A child typically has seen three doctors and had 23 immunizations by age six, according to HealthRadius’s research. Who wouldn’t want to make managing and exchanging all that data easier? Rosmann believed it was a market waiting to be served.

One of Rosmann’s key early contacts was information-law specialist John R. Christiansen of the Seattle office of law firm Stoel Rives LLP. Christiansen began consulting for HealthRadius in the fall of 1996. “There is no standard-setting organization out there” for electronic medical records, Christiansen says. “You can’t just go out there and say, ‘What are the steps I need to take?’” He advised Rosmann to draft his contracts with clients in a way that holds HealthRadius to an unusually high level of liability for the privacy and security of the data it collects. Only by doing so could Rosmann hope to reassure the doctors, health insurers, and parents who were HealthRadius’s targeted customers.

If you’re going to put your business on the line like that, you’d better make sure you can live up to your promises. So the first person Rosmann brought on board was not a health-care adviser, but information-security veteran Gene Shook, now vice-president of the company’s operations and development. Rosmann and Shook, working together in their quiet offices on the outskirts of Seattle, laid out a long list of steps they would take to keep medical data both secure and private.

First, they needed to be able to verify the identity of any client trying to access their records over the Web. Then they had to encrypt the data sent to and from HealthRadius servers so that only people holding the keys to unscramble it could read it. In addition, since participating doctors’ offices would submit information directly to the HealthRadius database when they performed immunizations, the company had to guarantee an even greater level of security for those transactions. Different employees at doctors’ offices — even those using the same computer — would need to have varying levels of access; for instance, some workers would be able to read but not edit patient records.


The first employee Rosmann brought on board was Gene Shook, who took charge of security.


Shook will soon install a VPN, which will offer a high degree of security. In the meantime, he turned to the encryption built into standard versions of Netscape Navigator and Microsoft Internet Explorer (called Secure Sockets Layer encryption) and other Microsoft tools. For authentication, Shook currently uses the access-control system built into the Microsoft Windows NT operating system as well as the company’s own custom-developed access-control system.

To ensure that changes that are made to HealthRadius’s database are verifiable and legally valid, Shook decided to use a method that should soon become more widespread: digital signatures that use public key interchange (PKI). Those digital signatures, provided through an authorized third party, verify two parties to one another, like a secret handshake. Washington state has recently authorized a Utah company called Digital Signature Trust to act as the licensed certificate authority for supplying digital PKI signatures. Anyone in the state can sign up with Digital Signature Trust and receive the hardware or software to generate digital IDs. Two parties that are both using those digital IDs — for instance, HealthRadius and a physician’s office — can be certain that the information that was sent exactly matches what the other party receives. In Washington, such electronic documents can now legally take the place of paper.

Shook is hoping that other states adopt compatible systems; if they don’t, HealthRadius may have to install a vast and confusing array of different digital-signature systems. (Without a common standard, Shook fears that HealthRadius may have to establish its own PKI service for its customers. That not only would be more costly and difficult — HealthRadius would have to license and distribute software to everyone who is authorized to access its data over the Web — but also would open HealthRadius up to liability for its digital-signature system.)

So far HealthRadius has spent about $1 million on technology, including security. By the time it rolls out nationally during the next year or two, Rosmann expects he will have spent $2 million to $3 million on technology. But perhaps most important, the company has already subjected itself to an intensive security audit (in the spring of 1998) and will undergo another one early next year. It also requires periodic audits of the 50 clinics and hospitals that supply it with medical-records data, and a randomly selected 5% of clients’ sites will be audited each year.

In such a review, an independent outside party rigorously examines the procedures and technology that a company is using to handle its data. In HealthRadius’s case, the auditors were interested in seeing whether the company could live up to the security standards of the Health Insurance Portability and Accountability Act of 1996. That legislation established ground rules for medical-records privacy — always a delicate subject and one made even more so in the Internet age. (DrKoop.com got into hot water recently when its advertising partner, DoubleClick, sold lists that included members’ health information. HealthRadius’s contract with its clients bars it from selling its information.)

The audit, which takes about three weeks to complete, includes interviews and a systematic review of the technology itself. That may seem like a lot of effort to secure something as relatively uncontroversial as immunization records. But a market test in 1998 confirmed that the HealthRadius service had no chance of acceptance if people felt even a slight concern that someone could access its demographic information on the more than 2 million people in its system. “We needed to act as a bank — you have direct access and no one else has access,” says Shook.

In addition, managing immunization records is just HealthRadius’s initial foray into the arena of electronic-medical-records exchange. In the not too distant future, Rosmann plans to start databases that will contain patients’ disease histories and other medical matters. At that point, he wants an unblemished security track record.

The company’s biggest vote of confidence so far has come in black and white: a letter from the National Committee for Quality Assurance (NCQA), an independent nonprofit organization that evaluates the quality of managed-care organizations. The letter, dated January 1999, stated that NCQA considered HealthRadius’s registry of immunization records an allowable source of data for its own system, which is used almost universally by health plans. “NCQA gave its blessing because we had provided the privacy,” says Rosmann. “As soon as that letter was issued, about every health plan became a customer.”

That’s not to say Rosmann is satisfied. “We still have a little sensitivity around the subject of security,” he says, still in that calm, careful voice. In fact, he has Shook shopping for three more security items. One, HackerShield from BindView Development, scans for known intrusion methods, similar to the way antivirus software checks for familiar computer viruses. A second, IPsec, is a computer-security standard that keeps unwanted data traffic from bothering a company’s servers. One benefit of that would be protection against denial-of-service attacks that can overload and disable a server. (Remember that disastrous day for Amazon.com and eBay last February?)

The third product Rosmann and Shook want, WebTrends, monitors and analyzes firewall logs for unusual activity. That will help Shook manage the company’s defenses more actively and will also help the company prosecute any hackers who try to break in. Because catching a hacker would make the kind of headlines that Rosmann would like to be in.

David S. Bernstein is a freelance writer in Watertown, Mass.


What Are You Afraid Of?

So what’s the worst that can happen? There are several types of hacker attacks, all of which have occurred in recent months.

Denial of service. Much like protesters’ barring the entrance to a physical store, hackers can shut down your E-business by making sure no customers can get through to your site. Typically, they bombard the site with data traffic, rendering the Web server useless. That is the type of attack that brought down ZDNet, E*Trade, CNN.com, eBay, Buy.com, Amazon.com, and Yahoo, each for about three to five hours, all during a period of several days in February.

Electronic theft. This scenario is just like a physical robbery: the hacker breaks into your system, finds something he wants, and downloads it to his own computer. In most cases you may retain your copy of the data, but now someone else has it as well. Is that so bad? Ask the folks at CD Universe, an Internet music retailer based in Wallingford, Conn. Last December someone describing himself as a 19-ye



Safeguarding your Web site — especially sensitive site areas such as shopping cart software — against hackers need not be an expensive and time-consuming affair.

With a few basic precautions, you can make your Web site extremely difficult and unrewarding to hack.

Your Web site is most susceptible to hacking through your shopping cart, so choose wisely. Here are three guidelines to help you choose the best one for your business:

Shop around. Use newsgroups such as AOL.com’s Search Newsgroups and online reports such as About.com’s Web Store Software Selector to verify the products you want to purchase are safe to use.

Avoid free software. Although it might seem an attractive option, downloading free shopping carts is extremely risky for three reasons: the source of the software is indeterminate; you can’t check the creator’s credentials; you have no one to hold responsible for hacking incidents.

Buy smart. Several ready-to-use shopping carts on the market today, including EasyCart, Monstercart.com, and MerchandiZer, have been designed specifically for the small, online business owner. These are often available at little or no cost.

But be aware: No software comes with a no-hacking guarantee. There’s always a chance that a hidden access password, or backdoor, might be lurking.

In 90 percent of all hacking cases, the most vital data had been provided from within the organization. Here are three rules to follow religiously:

Change the default password immediately. Whenever you purchase a ready-to-use shopping cart, your first step should be to change the default password that comes built into the software. Although this might seem an obvious precaution, it’s one many people overlook. Change your shopping cart password frequently and guard it zealously.

Change passwords often. Frequently change passwords. Tell relevant passwords only to those who truly need to use them. Use passwords that include letters and numbers, and don’t use a password that’s easy to guess. Never write your passwords on sticky notes and paste them to your desk or monitor.

Restrict access to passwords. Never allow more than one person the use of your server access password. For example, the person in charge of packaging doesn’t need to know your file upload password. If an outside agency designed your Web site, ask for all access passwords and change them immediately.

If any changes need to be made on your site, you provide the password and control access to your server at all times.

Many small, online business owners maintain their central work database and their Web server on the same computer. While this seems convenient — and necessary for storing such information as product descriptions, prices and images — any machine connected to the Web is dangerously vulnerable to attack.

Here are two ways you can thwart would-be hackers:

Delete sensitive data from the Web server. Sensitive customer data, such as addresses and credit card information, should never remain on the Web server itself. Even if the server is protected by a password, this data is only a few keystrokes from a talented hacker. Instead, devise an automated system to periodically copy any data stored on your Web server to a machine located on your premises and then delete the data on the Web server.

After the data has been copied to your off-line system, restrict access to that system as well.
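The copy-then-delete routine described above, as an added Python example that is not part of the original article. It assumes the script runs on the on-premises machine, that the Web server's order directory is reachable as a path, and that orders are stored as files ending in .order; the names sweep_orders, web_spool and vault are made up for illustration.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are never loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_orders(web_spool: Path, vault: Path) -> List[str]:
    """Move every *.order file from web_spool into vault; return names moved.

    A file is deleted from the Web server only after its copy in the vault
    has been written to disk and verified against the source hash.
    """
    vault.mkdir(parents=True, exist_ok=True)
    os.chmod(vault, stat.S_IRWXU)  # 0700: only the owning account may enter
    moved = []
    for src in sorted(web_spool.glob("*.order")):
        dst = vault / src.name
        if dst.exists():
            continue  # never overwrite an earlier record; leave it for review
        tmp = vault / (src.name + ".part")
        with src.open("rb") as fin, tmp.open("wb") as fout:
            shutil.copyfileobj(fin, fout)
            fout.flush()
            os.fsync(fout.fileno())  # force the copy to disk before trusting it
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)  # 0600
        if sha256_of(tmp) != sha256_of(src):
            tmp.unlink()  # source changed mid-copy, or the copy is bad
            continue      # keep the server copy and retry on the next run
        os.replace(tmp, dst)
        src.unlink()      # delete from the Web server only after verification
        moved.append(src.name)
    return moved


if __name__ == "__main__":
    # Constructed sample data in a throwaway directory.
    with tempfile.TemporaryDirectory() as root:
        spool, vault = Path(root, "spool"), Path(root, "vault")
        spool.mkdir()
        (spool / "1001.order").write_text("constructed order record A\n")
        (spool / "index.html").write_text("<html>public page</html>\n")
        print("moved:", sweep_orders(spool, vault))
        print("left on server:", sorted(p.name for p in spool.iterdir()))
```

Run it from a scheduler at a short interval; the shorter the interval, the less customer data is sitting on the Web server at any moment.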

Send sensitive data securely. Although the chances of a hacker intercepting data while it’s being transmitted are very low, you can protect your customer’s most sensitive information by providing a secure connection between your customer’s browser and your server.

If you host your Web site on your own server, two companies, VeriSign and Thawte Consulting, offer this security using technology called Secure Sockets Layer (SSL). These companies provide a downloadable device called a digital certificate to verify to your customers that your company is a bona fide business.

If you don’t host your own site, ask your Web host to provide a secure connection. Your host probably has a relationship with an SSL provider. It will cost you only a little more and it’s worth it; SSL protects your data from hacking and serves as reassurance to your customers.

Regularly and consistently tracking activity on your Web site will help identify hack attacks. Here are three ways to do it:

Monitor server access. Ask your network administrator to install a remote access mechanism that lets you shut down your server remotely as soon as you find evidence of suspicious activity. This will stop any hacking activity in its tracks. Your network administrator should be able to install a real-time alert, such as a beeper alarm or an automatic e-mail message, to inform you of any unauthorized attempts to access your Web server.

Monitor site traffic. Changes in site traffic patterns sometimes indicate a hacker at work. A noticeable dip in traffic could mean something’s wrong with your Web site and would require immediate attention. Be sure to monitor site traffic on a regular basis. Run extensive sitewide checks if you notice any inexplicable changes.

Run “preflight” checks. Make it a point for you or one of your employees to check the functionality of the entire site, especially the shopping cart area, every day. Here’s a checklist:

  • Check whether the site is accessible on the Web.
  • Check whether the home page displays the correct data.
  • Perform random price checks within the Web site.
  • Check the help function to see whether any data has been altered.
  • Click links in the site to make sure they link to the right pages.
  • Test the results of your search functions.
  • Add random products to your shopping cart and proceed to checkout.
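Part of this checklist can be run automatically. The added Python example below (not from the original article) covers the reachability, home/help page and random price checks by comparing what the site serves against known-good copies kept off the Web server. The price markup, the page paths and the names preflight, baseline and catalog are assumptions made for illustration, and the static pages are assumed to be byte-stable between edits.

```python
import hashlib
import random
import re
import urllib.request
from typing import Callable, Dict, List, Optional

# Hypothetical markup for a product price; adjust to the cart's real HTML.
PRICE_RE = re.compile(r'<span class="price">\$(\d+\.\d{2})</span>')


def http_fetcher(base_url: str) -> Callable[[str], str]:
    """Return a fetch(path) function for a live site."""
    def fetch(path: str) -> str:
        with urllib.request.urlopen(base_url + path, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch


def page_hash(body: str) -> str:
    """Fingerprint of a page body, recorded when the page was last approved."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def preflight(fetch: Callable[[str], str],
              baseline: Dict[str, str],
              catalog: Dict[str, str],
              sample_size: int = 3,
              rng: Optional[random.Random] = None) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    fetch(path) returns the page body or raises OSError if unreachable.
    baseline maps static pages (home, help) to their known-good hash.
    catalog maps product pages to the price in the off-line master list.
    """
    findings = []
    rng = rng or random.Random()
    for path, good in sorted(baseline.items()):
        try:
            body = fetch(path)
        except OSError as exc:
            findings.append(f"{path}: not reachable ({exc})")
            continue
        if page_hash(body) != good:
            findings.append(f"{path}: content differs from known-good copy")
    # Random price checks: a different sample of products on each run.
    picks = rng.sample(sorted(catalog), min(sample_size, len(catalog)))
    for path in sorted(picks):
        try:
            body = fetch(path)
        except OSError as exc:
            findings.append(f"{path}: not reachable ({exc})")
            continue
        found = PRICE_RE.search(body)
        if found is None:
            findings.append(f"{path}: no price on page")
        elif found.group(1) != catalog[path]:
            findings.append(
                f"{path}: shows ${found.group(1)}, catalog says ${catalog[path]}")
    return findings


if __name__ == "__main__":
    # Constructed pages stand in for a live site so the example runs offline.
    pages = {"/": "<html>Welcome</html>",
             "/p/1": '<span class="price">$0.01</span>'}
    report = preflight(lambda p: pages[p],
                       {"/": page_hash("<html>Welcome</html>")},
                       {"/p/1": "19.99"})
    print(report or "all checks passed")
```

Against a live site, pass http_fetcher("https://your-shop.example") as the fetch argument (placeholder address) and send any non-empty result to whoever runs the daily check.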

What if you still fall victim to a hacker’s attack?

Develop an action plan to minimize further damage to your system and to avoid inadvertent destruction of evidence. Your plan should include:

  • Clear delegation of tasks to specific employees in the case of a security breach.
  • A contact list of your Internet service provider (ISP) and/or Web host, Web site designer, network administrators or any Web security contractors you might want to use to recover from an attack.
  • A contact list of local and national authorities to inform of the incident, including the FBI’s 24-hour service for immediate guidance after the attack.
  • Periodic tests of your emergency procedures.

And remember: Firewalls and fancy measures notwithstanding, the big break for a hacker will most likely be one little, vulnerable password.

Copyright © 1995-2000 Pinnacle WebWorkz Inc. All rights reserved. Do not duplicate or redistribute in any form.



We’re all trying to become more connected as part of the digital lifestyle. During the past few years, handheld devices, such as those based on the Palm OS and Microsoft Windows CE Pocket PC design, have become mainstream gadgets — taking on a front-and-center role in the digital lifestyle. Many executives and professionals, for example, have become “addicted” to these PDAs (Personal Digital Assistants), but these same gadget groupies also tend to neglect some really basic data protection and security issues.

As we start connecting our PCs to our mobile phones, digital cameras and PDAs, the stakes go up…way up. So as data becomes more concentrated and more valuable to both business managers and ordinary, connected people, this failure to properly care for the data becomes a really scary prospect, putting some of your most private, personal and irreplaceable digital-lifestyle trappings at risk.

Small businesses, telecommuters, and remote branch offices, without full-time in-house IT pros on staff, often overlook how to protect their intellectual property stored on PDAs.

If you use PDAs for important business data, consider:

  • What kind of sensitive data is or should be stored on PDAs?
  • How will the PDAs get backed up?

To help you get started on the right track, here are 10 simple tips to help you protect your PDA data and avoid frustrating, related tech-support headaches.

  1. Be very cautious when considering brand-new, unproven handheld models. Major design and software bugs are usually fixed in the first three to six months following the initial release. Unless you’re prepared for the risks and demands of being an early adopter, let someone else endure these all-too-common headaches.
  2. Get software, peripherals and accessories bundled with your PDA purchase. This shopping approach will not only save you money and installation time, but you’ll also dramatically reduce the compatibility risks. (i.e. will everything work together seamlessly?)
  3. Pay attention to vendor support offerings. Technical support and warranties are not created equal! This is almost a mantra of personal technology adoption: whom you buy something from is often as important as (or even more important than) what you buy.
  4. Make sure the PDA is compatible with your operating system. If your office is wedded to a particular version of Microsoft Windows or another OS, be sure your PDA can sync up its data with your desktop or notebook PCs.
  5. Insist on a PDA that’s “well-connected.” USB interfaces tend to be the easiest to configure and troubleshoot, while providing the best performance. Avoid older, legacy serial interfaces whenever possible.
  6. Don’t take “plug-and-play” claims at face value. Over the years, Microsoft Windows hecklers have taken many a cheap shot at the OS family by branding it “plug and pray.” Before making a PDA purchase, check out some independent product reviews in leading personal technology magazines and online portals. Pay particular attention to comments regarding device drivers and ease-of-installation.
  7. Do your homework before making the purchase. Because of their small size and minimal cost, PDAs are often impulse purchases. However, making the “right” hardware and software selections can have an enormous impact on lowering your computer support costs. Select the “wrong” hardware and software…and, well, let’s not even go there! (Hint: It’s not a pretty picture.)
  8. Watch out for dangerous end-user installation snafus. Unless your supported end users are very PC savvy, you probably don’t want to leave users to install and support their own PDA to desktop connectivity. All too often, a user inadvertently will break a multitude of key software configurations while accepting default installation settings.
  9. Consider whether any proprietary data should be “PDA-banned.” Be sure you’ve thought through what kinds of sensitive data can be stored on a PDA, given that the pocket-sized PDA devices are inherently vulnerable to theft.
  10. Back it up before you lose it. In the same context of data security, establish some kind of backup procedures. We’ve all heard the horror stories of users losing three years of appointments and 2,000 customer names that were stored on their PDAs and not backed up anywhere else. Don’t let your organization or supported users become one of these statistics.

The Bottom Line

PDAs are taking on an increasingly important role in the digital lifestyle. Use these simple, low-tech tips and best practices to minimize your PDA support headaches and maximize the security of your incredibly valuable data.

PDA Information on the Web

Casio Cassiopeia: http://www.casio.com/personalpcs/
Handspring Visor: http://www.handspring.com
HP Jornada/Compaq iPAQ: http://www.hp.com
Microsoft Windows CE: http://www.microsoft.com/windows/embedded/wince/
Palm OS: http://www.palm.com/us/
PDABuzz: http://www.pdabuzz.com
PDA LIVE: http://www.pdalive.com
PDA Street: http://www.pdastreet.com
Pocket PC Passion
Small Biz Tech Talk: http://www.smallbiztechtalk.com
Tucows PDA: http://www.pilotzone.com

Key Terms Defined

Microsoft Windows CE — a specialty version of the Microsoft Windows operating system originally designed for handheld computers based on Microsoft’s Pocket PC design specification; largest major competitor is the Palm OS.
Palm OS — a specialty operating system designed for handheld computers manufactured and marketed by Palm and others; largest major competitor is Microsoft Windows CE.
PDA (Personal Digital Assistant) — a handheld, pocket-sized computer generally designed for the Microsoft Windows CE or Palm OS platforms.
USB (Universal Serial Bus) Port — hardware communications interface used to connect peripherals to computer systems; eventually could replace parallel and serial interfaces in PCs; offers far superior performance throughput and easier configuration than both parallel and serial port-based peripherals.

Joshua Feinberg (joshua@smallbiztechtalk.com) helps small businesses save money on computer support costs. His latest book, What Your Computer Consultant Doesn’t Want You to Know (.99, Small Biz Tech Talk Press), exposes 101 money-saving secrets of expensive techies. To order Joshua’s new book, visit http://www.SmallBizTechTalk.com or call 866-TECH-EXPERT (866-832-4397).

© Copyright 2003, Joshua Feinberg
Small Biz Tech Talk is a registered trademark of KISTech Communications



If you have your Web site or a network server in-house, or you can’t afford a moment of downtime due to hardware failure, you may need to build a custom solution that involves redundant hard drives or a backup server. You may want to consider RAID, redundant servers, and/or removable hard drives. RAID (redundant array of independent disks) is a configuration of one or more hard disk drives that work together to increase performance and/or fault tolerance. A set of RAID drives comes with a special hard drive controller with RAID functionality built into it. RAID improves performance by striping data (interleaving it) across multiple drives, so that more than one disk drive is reading and writing data at the same time; several disk drives share the task of one drive, which improves the speed. RAID provides fault protection (protects against data loss due to hard drive failure) by using one of two techniques: mirroring or parity.
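How striping and parity fit together, as an added Python example that is not part of the original article: data is interleaved across three data disks, a fourth disk holds the XOR parity of each stripe, and any single failed disk is rebuilt from the survivors. The dedicated parity disk is the RAID 4 layout (RAID 5 rotates the parity block across disks); the function names and the sample data are made up for illustration.

```python
from typing import List

Disk = List[bytes]  # one simulated disk: a list of fixed-size blocks


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Byte-wise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe_with_parity(data: bytes, n_data: int, block: int) -> List[Disk]:
    """Interleave data across n_data disks and add one parity disk.

    Returns n_data + 1 disks; the last one holds the parity blocks.
    """
    disks: List[Disk] = [[] for _ in range(n_data + 1)]
    stripe = n_data * block
    padded = data + b"\x00" * (-len(data) % stripe)  # fill the last stripe
    for off in range(0, len(padded), stripe):
        chunks = [padded[off + i * block: off + (i + 1) * block]
                  for i in range(n_data)]
        for disk, chunk in zip(disks, chunks):  # striping: one chunk per disk
            disk.append(chunk)
        disks[n_data].append(xor_blocks(chunks))  # parity for this stripe
    return disks


def rebuild(disks: List[Disk], failed: int) -> Disk:
    """Recompute the failed disk: XOR of the surviving blocks in each stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors])
            for s in range(len(survivors[0]))]


def read_data(disks: List[Disk], length: int) -> bytes:
    """Reassemble the original bytes from the data disks, stripe by stripe."""
    data_disks = disks[:-1]
    stripes = range(len(data_disks[0]))
    return b"".join(d[s] for s in stripes for d in data_disks)[:length]


def survive_failure(data: bytes, failed: int) -> bytes:
    """Write data to a 3+1 array, lose one disk, rebuild it, read data back."""
    disks = stripe_with_parity(data, n_data=3, block=8)
    replacement = rebuild(disks, failed)
    disks[failed] = replacement
    return read_data(disks, len(data))


if __name__ == "__main__":
    sample = b"constructed sample: customer list and order history"
    for lost in range(4):
        assert survive_failure(sample, lost) == sample
    print("data intact after losing any one of the four disks")
```

Parity covers one failed disk per array; if two disks are lost, XOR of the survivors no longer yields either missing block, which is why RAID does not replace backups.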

RAID: RAID is available for either the Mac or PC. A RAID controller adds $300 to $2,000 onto the cost of a server. The difference in price depends on the levels of RAID supported and the number of channels. The higher the number of channels, the faster the controller and hard drives can communicate. You’ll also need to factor in the cost of the extra drives needed to support RAID.

Windows NT 4.0 ships with a feature that allows software control of RAID, eliminating the need for a separate hardware controller. However, you’ll need to be aware of the limitations of software RAID. Software RAID uses the computer’s CPU, rather than a separate CPU on the controller, slowing down system performance. It can also be difficult to configure.

If you’re interested in RAID, your best bet is to look for a server that comes with a RAID controller that is preconfigured for you. This will save you the extra expense and time of adding RAID to an existing system.

Vendors of RAID systems or controllers include Adaptec, Dot Hill, Compaq, Mylex, and StorageTek.

Redundant server: This will cost you an extra server, plus any failover technology/software. It would be best to look into this option when you’re purchasing your primary server.

Removable hard drives: You can buy Jaz, Orb, and Zip drives for either a PC or Mac.

  • Castlewood’s 2.2 GB Orb drive costs $230. Media cost $40 per disk.
  • The Iomega Zip 100 MB costs $100. Disks cost around $10 each for 100 MB of memory.
  • The Iomega Zip 250 MB costs $200. Disks cost between $15 and $20 each for 250 MB of memory. It is backward compatible with 100 MB Zip drives.
  • Iomega’s Jaz 2GB drive costs around $350. A single 2 GB cartridge costs around $100.

Copyright © 1995-2000 Pinnacle WebWorkz Inc. All rights reserved. Do not duplicate or redistribute in any form.