In October 2006 a gang of fraudsters was sentenced to eight years in prison by Russian authorities for blackmailing online companies. The gang extorted more than US$4m from British companies after rendering their websites inaccessible. Online casinos and betting websites were directly targeted by the group, which used compromised zombie computers to launch the denial-of-service (DoS) attacks.
Canbet Sports Bookmakers fell victim to the scam during the 2005 Breeders’ Cup races. The company refused to pay a US$10,000 ransom demand and found that its website had been taken out of action by the hackers, at a cost of more than $200,000 in lost business for every day of downtime. Canbet was just the tip of the iceberg. According to Russian prosecutors, the gang made over 50 similar blackmail attacks in 30 different countries before finally being caught.
There are worrying signs that blackmail, corporate espionage and corporate identity theft are becoming more common online as businesses come to rely on the internet. And while the teenage hackers of yesteryear are still causing a nuisance with malicious viruses, they are now being dwarfed by organised gangs that have spotted the opportunity to make a lot of money.
Internet search engine Yahoo and money exchange service WorldPay have both suffered DoS attempts in recent years. Internet blackmailers similarly targeted British teenager Alex Tew’s million-dollar homepage project earlier this year.
According to Graham Cluley, senior technical consultant at IT security company Sophos, targeted businesses should proceed with caution. “Whatever you do, don’t pay the money as that encourages them to come back for more,” he says. “Instead, go to your local police, the National High Tech Crime Unit or the computer crime unit at Scotland Yard.”
Business owners can also talk to their internet service provider (ISP), which can help avoid DoS attacks. But don’t be complacent, says Cluley. “While smaller organisations are undoubtedly less at risk than the bigger or high-profile targets, it only requires one person to be a bit miffed with you or think that you gave him a poor service, and a DoS attack can happen.”
Target practice
While the ‘bad guys’ might be getting more sophisticated in their attacks, small businesses have typically failed to keep pace with their defences. The problem is significant, with very few smaller businesses having the knowledge, time or resources to ensure they are properly protected. Many will not have dedicated IT staff or a security department, for example.
“Small business owners normally come out of the corporate world where they have IT security available to them as a matter of course,” explains Ricky Brown from WireWorX, an outsourced IT helpdesk service that specialises in companies with fewer than 10 members of staff. “These entrepreneurs who are starting a business for the first time generally overlook security due to the number of other challenges they face in setting up the company. Many of them don’t even realise they need IT support until something happens and then it’s too late.”
To combat that problem, new business owners should swot up on security. There are a number of websites and services that provide free business advice on what the risks are and how to avoid them. A good starting point is the government-led www.getsafeonline.org [1] and Microsoft’s own specialised security portal at www.bcentral.co.uk [2].
The first line of defence – and one that is often the most overlooked – is to ensure the operating system security features are turned on. Microsoft Windows XP and its latest operating system Vista have a number of enhanced security features including automatic firewalls, which effectively put a wall between the business and the internet and prevent malicious information coming on to the network. Microsoft Outlook 2007 now has spam filters and anti-virus features built in, while Explorer 2007 trawls for phishing sites and warns users of suspicious web addresses or web content.
Microsoft Vista brings all security settings into one place and simplifies the installation process. Enhancements include Windows Defender, which monitors the system for malicious programs hidden in photos or joke emails, for example. Users can call the Microsoft helpline for help with any questions or advice on setting up these security features.
Protect and serve
But while Windows XP and Vista undoubtedly provide improved security, they are not sufficiently robust to defend against all attacks. Every month Microsoft finds security holes, so keeping up-to-date with its security patches by using the Windows update function, found on your computer’s start menu, is vital. And businesses will still need to install extra software alongside the Microsoft tools.
There are many off-the-shelf security products available to small businesses. Offerings from well-known providers such as Sophos, Symantec, McAfee and MessageLabs typically cost an initial fee with an ongoing annual licence fee on top for each user. Depending on the price you’re willing to pay, this can include firewall, anti-virus, anti-spam and anti-adware options (see separate box overpage for a full definition).
For slightly larger businesses with an infrastructure of more than two or three sites, owners may want to consider an intrusion detection system (IDS), which can be bought as an outsourced service for a yearly fee. IDS will search for hackers or malicious code trying to get into the network and alert users to the threat.
Companies that are involved in online trading – the buying and selling of goods over the internet – need an extra layer of security. Secure socket layer, or SSL, technology is the cornerstone of all ecommerce security and provides the padlock icon on the bottom right hand side of the browser. “SSL ensures data sent over the internet is protected and encrypted so can’t be eavesdropped on, and hopefully provides a degree of assurance that you are who you say you are,” explains Ollie Whitehouse, internet security expert at product provider Symantec.
Companies that use an external ecommerce service provider should make sure they are satisfied with how and where customer data is stored, who has access to credit card numbers and how they are backed up. All of these issues have data protection implications and could seriously jeopardise business reputation if a breach was allowed to happen.
According to Whitehouse, a relatively new problem for ecommerce sites is cross-site scripting: a technique that fraudsters use in phishing scams to redirect payments. “The criminals send a link out that looks like your site and is on your site, but is malicious in nature,” he explains, adding that owners should check that their ecommerce service provider has sufficient defences against such attacks.
Someone else’s problem
If all this is sounding a bit overwhelming, owners can opt to outsource the whole security function. Managed security services such as those supplied by VeriSign, Unisys and Belgium-headquartered Ubizen protect customers’ businesses through the configuration, management and constant monitoring of security events. These typically have 24x7 network-monitoring facilities, which cover access control, intrusion detection and prevention, and can include data backup services.
Depending on the level of need, managed security services can also ensure that anti-virus and anti-spam software is up-to-date and active and that firewalls are configured correctly.
However, even managed security will not solve all potential security problems. Corporate identity fraud, for example, is a growing threat, where fraudsters fake applications to organisations such as Companies House, changing information such as organisations’ company names and addresses. In one case taken up by the Federation of Small Businesses, one family business had its address changed from where it had been located for 100 years.
One way of protecting your business from this threat is to use the protected online filing system operated by Companies House, which alerts the business owner every time a record is changed. Another is to stay vigilant and report anything that looks suspicious. And this piece of advice is valid for all your security provisions, whether online or not.