OHIO HOW BUSINESSES CAN PROTECT COMPUTER DATA Beacon Journal 02/20/2006 How businesses can protect computer data

Strong passwords, restricted access, background checks on employees among steps that help
By Jan Norman
Orange County Register

The irreplaceable jewels of most businesses these days are not equipment and inventory, but information.

And too many small businesses aren't adequately protecting those jewels against the epidemic of identity and information theft, said Ron Williams, chief executive of Talon Executive Services, a Fountain Valley, Calif., security company.

Consider:

• The security of computerized personal data of 56.2 million people was compromised in 2005.

• Federal law holds employers liable for loss or theft of employee information. Federal fines can be $2,500 per employee.

• Fifty-one percent of identity thefts are done by employees or contractors inside a company.

Companies can take protective action without spending a lot of money to prevent the theft of proprietary information, trade secrets and personal data, say Williams and Todd Stefan, president of Talon Cyber Tec LLC, a related company to Talon Executive Services specializing in computer security.

They have plenty of experience. Williams' 22 years with the Secret Service included a stint in the credit-card and identity-theft section. Stefan is a pioneer in information security used by many large corporations. Here are easy, inexpensive steps they say even small firms can do.

• Create strong passwords. Any word in the dictionary, especially a short one, is a weak password, Stefan said.

``Software can run every word in the dictionary in minutes to crack a password,'' he said. ``It's called demon dialers.'' A strong password has eight characters, some numerals, some letters, he added. It might take a thief 10 minutes to crack a four-character password and three months to crack an eight-character word. ``If it takes a long time, that thief will go for another victim,'' he said.

• Change passwords periodically. Part of having a strong password is to change it, Stefan said. This step also protects against former employees, especially in the information technology department, who can still access the system and steal data.

• Be aware. Being conscious that thieves want to steal information and turn it into cash is the first step in data security, Williams said.

Clients often hire Talon to try to crack their computer security system.

``We'll call a key person and say, `This is so and so in IT. We have to take you offline for maintenance. What's your password and we'll bring you back up when we're done.' Almost everyone gives us their password.''

• Install anti-virus and anti-spam software. Many products, often reasonably priced, are on the market that can put up a powerful wall against intruders, Stefan said.

• Restrict internal access. ``Remember that 75 percent of security breaches occur from inside,'' Williams said. ``That's where we see small companies unprepared because they want to establish a culture of trust.'' Unfortunately, one bad employee with full access to everything in the company's computer can steal trade secrets, destroy data and kill a business, he said.

Stefan added, ``It's like locking file cabinets. Set up password-protected cells (on the computer) so only the people who need to access proprietary information can get at it.''

• Change your attitude. ``Small-business owners think, `Information theft won't happen to me. Cisco's information is worth a lot more,' so they don't protect themselves,'' Stefan said. ``If someone steals $3 million from a $10 million company, that's huge -- plus, it kills customers' trust.''

• Use intrusion detection systems on computers. A computer that creates an audit trail will set off alarms when an employee (or outside hacker) tries to do something malicious, Stefan said. Many such programs are free.

• Do background checks before hiring. Many thieves jump from company to company stealing data and quitting just before they're caught.

``A lot of small and midsized businesses do cursory backgrounds on new hires,'' Williams said. ``Or they check for a criminal record in Orange County. But maybe the person just moved from Texas