Inc Well | Small Business Advice for Chicago Entrepreneurs
A how-to blog for Chicago business

How Startups Can Protect Themselves Against Hackers

    In the years following Sandra Bullock's cyber-thriller "The Net," cyber crimes and hackers have gone from fantastical threats to real-life ones.

    Perhaps no one has more to lose from poor Internet security than scrimping entrepreneurs and small startups. In an age when Sony's networks can be hacked for weeks on end, it's a reminder that none of us is 100 percent safe.

    But there are ways to get a little closer to that mark, which is why I called up GiveForward's Chris McKeever. He's the director of technology for the Chicago-based site that provides personalized fundraising web sites for individuals in medical crises. Their goal is to provide a safe, supportive way for friends and family to donate to support their loved ones in need.

    If anyone knows how to secure web sites, it's McKeever... not Bullock.

    How can smaller companies and entrepreneurs avoid getting hacked?

    Chris McKeever: A lot of smaller startups initially go for the cheapest hosted solutions for their website. A lot of times those are running services that aren't well locked down and lead to potential vulnerability. Those services can get hacked or have a breach of the system that gets them access.

    What we did and are doing is we're running on Rackspace. Although it's a little bit more expensive than some of the other services we have, it's actually in the long run cheaper. Instead of having someone that wears a network hat and a service-admin hat, they handle that for us. A lot of the lockdown and best practices they handle on a day-to-day operation. We really have one less team member; we're gaining that expertise. It's well worth it.

    That said, they handle all those security updates and patches and really handle locking that down. With that we have gotten PCI compliance, which is the kind of compliance you need to have for handling credit-card transactions. We got that relatively easily because they handle a lot of the system backend.
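    A check for the point above about hosts running services that aren't locked down, added here as an example (it is not from the interview, GiveForward or Rackspace): a Python script that parses the output of `ss -tlnp`, ignores sockets bound to loopback, and lists every network-reachable listener whose port is not on an allowlist. The `ss` sample output and the allowlist of ports 22, 80 and 443 are constructed assumptions for the example.

```python
import re
import subprocess

# Constructed sample of `ss -H -tlnp` output from a budget host image that ships
# with everything switched on; not captured from a real machine.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=890,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=890,fd=7))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1020,fd=21))
LISTEN 0 128 127.0.0.1:6379 127.0.0.1:* users:(("redis-server",pid=1101,fd=6))
LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1200,fd=3))
"""

# Assumption: the only ports this host is meant to expose to the network.
ALLOWED_PORTS = {22, 80, 443}


def is_loopback(addr):
    """True for sockets only reachable from the host itself."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def parse_listeners(ss_text):
    """Yield (address, port, process name) for each LISTEN row of `ss -tlnp` output."""
    for line in ss_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        proc = fields[5] if len(fields) > 5 else ""
        m = re.search(r'\("([^"]+)"', proc)  # ss writes users:(("name",pid=..,fd=..))
        yield addr, int(port), (m.group(1) if m else "unknown")


def unexpected_listeners(ss_text, allowed=frozenset(ALLOWED_PORTS)):
    """Network-reachable listeners not on the allowlist, as (port, process) pairs.

    Each one is a service to disable, bind to 127.0.0.1, or firewall off.
    """
    return [
        (port, proc)
        for addr, port, proc in parse_listeners(ss_text)
        if not is_loopback(addr) and port not in allowed
    ]


def audit_live_host():
    """Run the real command on a Linux host; fall back to the sample if ss is missing."""
    try:
        out = subprocess.run(["ss", "-H", "-tlnp"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT
    return unexpected_listeners(out)


if __name__ == "__main__":
    for port, proc in audit_live_host():
        print(f"port {port} ({proc}) is reachable from the network but not on the allowlist")
```

    On the sample the script flags MySQL on 3306 and FTP on 21; Redis is skipped because it only listens on 127.0.0.1. Run it as root so `ss` can attach process names to the sockets, and re-run it after every image rebuild, since a hosting provider's default image can turn services back on.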

    What can people expect in terms of what to pay? What's reasonable for services they can get in return?

    CM: I think now people are expecting Secure Sockets Layer, or SSL, for order-form processing. What we do, even down to the login level, is provide SSL. It makes no difference how many pages you lock down using SSL. It's based on your domain. So, a lot of people don't realize that when they're at a Starbucks or an Internet café on an open wireless and they log into some of their websites, be it Twitter or Facebook, a lot of those go over clear. So people sniffing the line or the air can grab those user names and passwords.

    Twitter actually had this problem just a few months ago with Ashton Kutcher. His account got hacked because someone sniffed his password and picked it up. Since then Twitter has put SSL on their login. Again, it's a little bit expensive. If you go with VeriSign, who is industry known, it costs roughly $800 a year for your domain. You can get that exact level of service for $50 to $60 a year and not actually limit or compromise any of your safety. VeriSign is the leading name, and people, when they see that, know what it is. But really, people are just getting smarter: when it says "https://" they know it's secure. They just know the browser has verified it's a secure connection. You can get it for $40 all the way up to $800, but there's no difference in security. It's like buying Cheerios and buying Cheery-Os or whatever.
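    The sniffing problem described above, as an added Python example (not code from the interview or from GiveForward): the first function shows what a passive listener on an open wireless network recovers from a login form submitted over plain HTTP, using a constructed capture; the second shows the response a login or order endpoint should send so that it never happens, redirecting cleartext requests to the https URL, sending a Strict-Transport-Security header, and marking the session cookie Secure. The host, path and cookie name are assumptions, and the HSTS header goes beyond what the interview covers: it makes the browser refuse plain http for the domain after the first https visit.

```python
from urllib.parse import parse_qs

# Constructed sample: the bytes of a login POST as they cross an open Wi-Fi network
# when the site serves its login form over plain http instead of https.
CAPTURED_HTTP_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "username=alice&password=hunter2%21"
)


def credentials_from_capture(raw):
    """What a passive sniffer recovers from a cleartext login POST.

    Returns (username, password) if the capture is a form POST carrying both
    fields, otherwise None. Nothing is decrypted: the form body is plain
    URL-encoded text on the wire.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return None
    request_line = head.split("\r\n", 1)[0]
    if not request_line.startswith("POST "):
        return None
    form = parse_qs(body)
    user = form.get("username", [None])[0]
    password = form.get("password", [None])[0]
    if user is None or password is None:
        return None
    return user, password


def login_response(scheme, host, path, session_id):
    """Status line and headers a login or order endpoint should return.

    A request that arrived over plain http is redirected to the https URL and
    gets no session cookie at all (a cookie set here would itself cross the
    open network in the clear). An https request gets HSTS, so the browser
    refuses http for this host afterwards, and a cookie flagged Secure, which
    the browser will only ever send back over https.
    """
    if scheme != "https":
        return "301 Moved Permanently", [("Location", f"https://{host}{path}")]
    return "200 OK", [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"),
    ]


def cookie_is_secure(headers):
    """True if no Set-Cookie header in the response lacks the Secure flag."""
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    return all("secure" in v.lower().split("; ") for v in cookies)


if __name__ == "__main__":
    print("sniffer sees:", credentials_from_capture(CAPTURED_HTTP_POST))
    for scheme in ("http", "https"):
        status, headers = login_response(scheme, "example.com", "/login", "s3ss10n")
        print(scheme, "->", status, headers)
```

    The redirect alone is not enough: the browser's first request to a bookmarked http URL still goes out in the clear, and a form that posts from an http page to an https action still exposes the credentials if the page itself was served over http. Serve the form and the action over https, and check every Set-Cookie header with something like `cookie_is_secure` in a test.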

    Are there potential discounts people can get on those prices? Or is it pretty standard for all customers?

    CM: It's pretty standard. They do have multiple-domain discounts. So if you are running multiple domains it does go down exponentially per added subdomain. That's really the only place you can say it's there.

    Since we are processing credit cards, we don't store credit-card information. That's one key vital place I think a lot of people forget when they're processing credit cards. If you're not PCI compliant on the ultimate level, you're really not supposed to store credit-card information at all. You're supposed to use it and forget it. It's very simple to do.
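    The "use it and forget it" rule above in code, as an added example (it is not GiveForward's code or any payment processor's SDK): the card number is validated, exchanged with the processor for a token, charged once, and the only record the merchant keeps is the token, the last four digits and the amount. The gateway class is a constructed stand-in whose tokenize/charge split mirrors what real processors offer, and 4111 1111 1111 1111 is a standard test card number, not a real one.

```python
import json
import re
import secrets


class StandInGateway:
    """Constructed stand-in for a payment processor's API (not a real SDK).

    Real gateways offer the same two calls: exchange card data for a token that
    lives in the processor's vault, then charge against the token. The card
    number therefore never needs to reach the merchant's database.
    """

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan, exp_month, exp_year):
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (pan, exp_month, exp_year)
        return token

    def charge(self, token, amount_cents, cvv):
        if token not in self._vault:
            raise ValueError("unknown token")
        # A real gateway verifies the CVV with the issuer; here only its shape is checked.
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("bad cvv")
        return {"status": "succeeded", "amount_cents": amount_cents}


def luhn_ok(digits):
    """Luhn checksum used by all major card brands; rejects typos before a gateway call."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def process_payment(gateway, pan, exp_month, exp_year, cvv, amount_cents):
    """Use the card once, then forget it: returns the only record worth persisting."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_ok(digits):
        raise ValueError("invalid card number")
    token = gateway.tokenize(digits, exp_month, exp_year)
    result = gateway.charge(token, amount_cents, cvv)
    # Persist this and nothing else: the token for refunds or repeat charges,
    # the last four digits for the customer's receipt. No PAN, no CVV, no expiry.
    return {
        "token": token,
        "last4": digits[-4:],
        "amount_cents": amount_cents,
        "status": result["status"],
    }


def leaks_card_data(record, pan, cvv):
    """Guard to run before a record is written to a database or log file."""
    digits = re.sub(r"\D", "", pan)
    values = [str(v) for v in record.values()]
    return any(digits in v for v in values) or cvv in values


if __name__ == "__main__":
    gw = StandInGateway()
    rec = process_payment(gw, "4111 1111 1111 1111", 12, 2030, "123", 2500)
    print(json.dumps(rec))
    print("leaks card data:", leaks_card_data(rec, "4111 1111 1111 1111", "123"))
```

    The same discipline applies to what never reaches the record: do not log the raw request body of the checkout form, and never write the CVV anywhere, not even to the processor's vault, since the card brands forbid storing it after authorization.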

    When people are shopping around for solutions, are there resources or certain websites they should use to vet their options?

    CM: One of the ones that's really good is called Fee Fighters. What they provide is a service that'll find you the most competitive credit-card transaction rate that's out there for your means. I think that's a great service. You go out there and there are companies that'll charge you between four and eight percent, or even more. They'll find you the best rate with notable companies. So you'll know you'll get the security as well as the best price point.

    You mentioned Ashton Kutcher, but is everyone -- even non-celebrities -- at equal risk for being hacked?

    CM: I think what happens is people get mischievous. Someone's sitting at a coffee shop, they're bored, and they'll be like, "Let me see whose passwords are out there." It happens. Sometimes people are just doing it for fun; sometimes people are doing it for profit. The relative ease of doing it for fun shows you how easy it is for someone doing it for profit.

    People can't go with the cheap and easy hosting solution, because those are always getting compromised. They run services to make it easy for people to use, and those kinds of services make it easy for people to hack into.