Louisa Robazza still doesn’t know who broke into her company or why they left one vital item behind. What she does know is that the burglary cost her firm more than $40,000 in equipment, lost time and revenue—and nearly crippled her operations.
Until that fateful day last December, Robazza, managing director of Ad Vendors International Inc., was confident that her company was physically secure. The London, Ont.-based advertising agency was growing at a torrid pace, and a year earlier had relocated to prime office space in a safe part of the city.
But just two days after Ad Vendors took delivery of $25,000 worth of computer equipment, thieves bypassed the deadbolts in its office by using crowbars to pry open the doors and punch their way through the drywall. The intruders were undeterred by window stickers warning of a security presence—perhaps knowing that the CCTV cameras around the building weren’t working. Besides the new equipment, Ad Vendors lost weeks’ worth of work and personal information that Robazza and her employees had stored on their computers.
The repercussions would have been far worse had the thieves stolen Ad Vendors’ computer server, too—in fact, Robazza says that likely would have put her out of business. She was also lucky that Ad Vendors didn’t lose any confidential customer information and—thanks to a home-based employee with access to the company server—continued to meet orders on time. That left its reputation with clients mercifully untarnished, which is often the gravest damage from a break-in.
Many other firms aren’t so fortunate. A Canadian Federation of Independent Business study estimates that 43% of companies that experience a major crisis, from natural disasters to major theft, never reopen. A further 29% that do resume operations close within two years.
But if you think your business is unlikely to endure a criminal act, think again. Across Canada last year, businesses reported 69,000 break-and-enters alone. Identity theft costs companies and consumers an estimated $2 billion annually, according to the Canadian Council of Better Business Bureaus. Cybercrime—including hacking, “phishing” and the use of spyware—is growing exponentially as thieves realize the value of sensitive information on the black market. In May, the Canadian Association of Police Boards, which represents police-oversight boards, said its own surveys of the public and police plus numerous other studies suggest that cybercrime is close to becoming the No. 1 crime category in Canada. To make things worse, the bad guys (and girls) are increasingly operating in teams and deploying modern technologies to more effectively relieve small businesses of everything from scrap metal to credit-card numbers.
Although there’s no definitive figure for the cost of crime to Canadian companies, it clearly runs into the many billions of dollars—even before the cost of ruined corporate reputations is factored in.
Fortunately, you can at least minimize the threat to your firm. A new generation of alarm systems, CCTV cameras and other sophisticated technologies can make your business tough to crack. You can use vulnerability-detection software, security patches and other measures to fend off virtual intruders. And you can build employee awareness of the threats, training them not to fall for the tricks of online and offline predators.
But none of that will happen until you believe you’re at risk.
The attitude that crime is a worry only for big companies is particularly widespread among entrepreneurial firms when it comes to computer-based threats. For instance, a recent survey by McAfee Inc., a Santa Clara, Calif.-based security-software firm, found that 45% of North America’s small and mid-sized business owners don’t feel they’re a target for cybercriminals.
Increasingly, that’s exactly what they are. Bruce Cowper, chief security advisor at Mississauga, Ont.-based Microsoft Canada, says automated hacking tools have made it more profitable to attack smaller companies. A hacker doesn’t care that he’s never heard of your firm; only that his automated probes have revealed that your network is vulnerable. “Attackers are always going to take the path of least resistance,” says Rohyt Belani, managing partner of Intrepidus Group Inc., a New York-based information-security consultancy. “They know the security budgets for SMEs are limited compared to larger organizations.”
Cpl. Louis Robertson, head of the RCMP’s criminal intelligence analysis unit and a specialist in crimes against business, shakes his head at the denial he finds at so many companies about the risks posed by the rise of the Internet: “Unfortunately, Canadian businesses are still conducting business the way they were 25 years ago.” Robertson cites numerous cases in which firms that have suffered an IT-based fraud or network breach have admitted to having left their computers vulnerable. Often these risks could have been massively reduced by securing and limiting access to the network. Yet, says Robertson, when asked why they hadn’t done so, victimized business owners often shrug and offer the old excuse, “This is the way we’ve always done things.”
They might be less complacent if they understood the size and sophistication of an organized-crime sector that’s finding rich pickings in the business world. A report by the Criminal Intelligence Service Canada, an information-sharing agency for police forces, estimates there are now 950 criminal gangs at work in Canada. The report says their crimes against business include compromising company databases, selling stolen data through black-market websites, stealing trade secrets and using malicious software to facilitate large-scale frauds and thefts.
Organized criminals target businesses because it pays. A former RCMP informant against crime gangs who spoke to PROFIT on condition of anonymity revealed that stolen credit-card numbers can fetch from $1 to $10 each, and into the hundreds of dollars for brand new cards with high credit limits. The informant said used laptops have a street value of $500 to $700—even more if they hold data of value to a fraudster or cyberthief. These numbers may seem low, but buying and selling assets such as credit-card numbers in bulk is a high-margin business for criminal groups.
Crime rings still covet the stuff thieves have always loved: jewellery, cash and electronics. And they appear to be reading the financial pages, setting their sights on commodities whose prices have recently soared. One hot item: copper wire and pipes from building sites, which robbers sell to scrap dealers for $4 to $6 per kilogram.
So disciplined are crime gangs that they’ve even gone multicultural. “There’s black, white, brown, yellow in every organized-crime group, because they associate for utility,” says former RCMP undercover officer Chris Mathers, owner of Toronto-based security consultancy Chris Mathers Inc. This new “equal opportunity” stance allows crime gangs to recruit the best talent, regardless of ethnicity, making them a greater threat to business.
Criminals are even exploiting their inner nerd. Steve Montpetit, who coordinates Ontario Provincial Police teams investigating rural crime, points to a new tactic he has seen several times: during business hours, an employee who’s in on a planned burglary plants GPS markers on desired items in his company’s warehouse; his accomplices break in that night, typically through the roof, using GPS trackers to locate the goods fast. Phishing scams— e-mails that lure recipients into providing confidential data at legitimate-looking websites—have become a ubiquitous method for facilitating crimes in both the physical and virtual world. They can fool one of your employees into revealing, say, a building-access code that will let the bad guys walk right through your front door. And a Microsoft security iIntelligence report notes that nefarious e-mails purporting to come from social-networking sites are proliferating. Duped recipients might, say, click on a link to what they think is a Facebook page, which then uploads spyware onto their employer’s computer network.
Of course, not all criminal tactics are this up-to-the-minute. Mathers describes one perennial ploy in which a would-be thief sticks a long object such as a broomstick through a building’s mail slot to trip the alarm, retreats to a safe distance and sees how long it takes for the cops to come. He’ll trip the alarm five or six more times over several days until the police tire of the false alarms and take longer to arrive; once the thief figures he has enough time to do the job and escape apprehension, he strikes for real. Mathers says most cops don’t know this trick, which often signals that a place is about to be robbed.
If all these threats have you on the brink of despair, take heart—there are many ways to fight back. A growing number of methods have enough James Bond in them to shake and stir the nerves of even the most experienced criminals. For instance, some newer motion and infrared detectors use pinpoint calibration to detect even the slightest disturbance or change in room temperature—and to distinguish a human intruder from a roving dog or cat. You can use these detectors to establish an electronic perimeter around your building to spot movements and alert security personnel before attackers even get to the front door. What’s more, these stealth systems are tough to detect, raising the risk levels for burglars.
Today’s wireless alarm systems are miles ahead of traditional ones that thieves can disable by cutting a cable. Many feature a biometric access system, advanced sound technologies to hear break-ins in progress and an alert sent to the business owner’s mobile phone if the alarm is tripped. CCTV cameras are also evolving rapidly. The latest models offer high-resolution images, night vision and pan, tilt and zoom functions. You or your security team can monitor them from anywhere via the Web, using two-way audio to question intruders and give instructions to staff during a break-in.
However, a prudent security strategy relies on more than fancy gizmos. Although security guards aren’t cheap—they’ll probably run you $15 to $30 per hour each—you can’t beat a human presence on-site. Employee awareness and education programs are also vital. You should teach staff to lock down their laptops at night or store them in safe rooms, be alert to unauthorized visitors and avoid transporting unencrypted customer data outside your offices on storage devices such as laptop hard drives or memory sticks.
One serious vulnerability that a disturbingly high proportion of companies haven’t cottoned on to is unguarded wireless ports. No one knows this better than Edmonton’s Brad “Renderman” Haines, a black fedora-wearing “wardriver” who trolls malls and industrial parks seeking unprotected wireless networks. But he’s no hacker; rather, he uses public speaking and his website Renderlab.net to urge people to shield their wireless networks by changing the default system IDs and administrator passwords that come with wireless routers and enabling Wi-Fi Protected Access encryption to protect data as it flies through the air.
Haines says 30% of the wireless networks he encounters are unsecure. While that’s down from 70% when he started wardriving in 2002, it suggests that tens of thousands of networks in Canada remain vulnerable. Although some business owners may simply be unaware of the problem, Haines says many still don’t grasp that their IT assets are critical infrastructure that needs safeguarding: “You just want to smack them.”
The first step in breaking free of such dangerous complacency is to admit that it’s not a question of if, but when your firm will be a target. Police and security analysts recommend a layered approach to security, so that you’re not counting on just one or two barriers to do the job. “Whatever you have is stealable,” says Ed Fitchett, president of the Ontario chapter of the Canadian Security Association, which represents security firms. “What you have to do is make sure you’ve slowed down, either on the exterior or the interior, someone’s ability to do damage.” In the IT realm, multiple layers can persuade a cyberprowler to move on to a softer target. And in the physical realm, they can buy you the 15 to 20 minutes it will likely take for law enforcement to arrive after your alarm is tripped.
Mathers cites one case that shows the importance of impeding criminal progress. He investigated a robbery at a high-end clothing store in which burglars breached its barred windows and gated front door, stole $300,000 worth of merchandise and fled from the scene unscathed in eight minutes. Mathers figures a couple of more layers, such as an audible alarm and locks tethered to the pricier merchandise, would have thwarted the intruders.
Still, even if you invest in multiple layers of IT and physical security, you might be vulnerable from another direction: the inside.
Unfortunately, things can get messy when it comes to prosecuting or reprimanding wrongdoers who work for you. Consider the Toronto manufacturer that discovered a teenaged employee using its courier account to ship products that retail for up to $10,000 a pop to U.S. buyers, then pocketing the payments. Rather than call in the police and spoil the teen’s future employment prospects, the company contacted his parents after the teen admitted to the theft. He was fired and had the cost of the stolen merchandise docked from his severance pay. But his father threatened to sue the firm for doing so, contending that his son was owed his full severance. The father backed down when lawyers for the company outlined the legal consequences the young man would face if the authorities were told of his actions.
This firm has since jettisoned its lenient approach to internal crime. It has limited access to storage and production facilities on weekends, installed a more sophisticated inventory-tracking system and warned staff that it will immediately report any thefts to police. So far, it hasn’t suffered any further incidents.
Mathers says you can guard against inside jobs by using video surveillance and monitored computer logs, conducting stringent background checks on new hires and limiting employee access to specified data-storage devices. As well, you should promote a company culture of honesty and integrity. Leading by example, Mathers says, can be a cheap and effective way to deter employee theft.
Yet even a solid security strategy designed to stop thieves coming from any direction isn’t foolproof. You also need a recoery plan in case you take a big hit, as one Toronto-based design firm did when it suffered major losses of computer equipment. It was robbed twice this May, the second time after installing a high-tech alarm system. Thieves drove a stolen car through the door to a locked but unmonitored loading dock and went about their business. The cost: about $50,000 in stolen computers and further security upgrades, including erecting a cinder-block wall at the loading dock. The firm’s saving grace was its off-site backup of data, which allowed it to resume business in less than a day. (In fact, the CEO credits the backup for keeping her company afloat.)
Louise Robazza, whose ad agency narrowly escaped ruin last December, has added some security layers of her own, including an outside security service, motion detectors and beefed-up alarms. She happily reports that Ad Vendors, which relocated within London three months after the break-in, has rebounded from near-catastrophe with no further harm to its revenue or reputation.
Still, the theft has shattered Robazza’s former complacency about crime: “We all think it’s never going to happen to us.”
Criminals are counting on it.BY CHRIS ATCHISON