Printer Sets Good Example for Small Business Security

When it comes to security, the good news is that some small businesses are prepared for the potential breaches and persistent malware threats that come with technological advances.

Take, for example, Massachusetts-based Arlington Lithograph. Like virtually all commercial printers, the 42-year old, family-owned business has evolved from a labor-intensive manufacturing process to a digital workflow. Gone are the room-size cameras, film-stripping tables and other remnants of printing plants of yesterday (dating way back to the ’90s).

“We were protected, but we had gotten complacent.” — Mike Faiola, Arlington Lithograph

Today, files go from the customer’s CD straight into the computer, which then images it onto a plate that is then attached to an offset press for printing. (At some printers, even that step has evolved to point where the computer directly images to the press.) According to the company’s owner, Mike Faiola, “something that might have taken a week’s worth of time ten years ago is now condensed to about four hours.”

Of course, with that automation comes the need to ensure that data is safe and computers are untainted. An infected computer can bring down the entire production process.

Faiola said the company learned first-hand the importance of maintaining a secure environment when, in 1998, it was hit by AutoStart virus. The printing firm, which Faiola said specializes in working with not-for-profit institutions and universities such as Harvard, MIT and Tufts, noticed one machine started to act strange when they put in a customer’s disk, so they went to the next machine and so on, in effect, infecting their own computers. Faiola said he contacted the system integrator who had worked with them to install the computer systems.

They downloaded and installed the latest updates to Norton Antivirus. “It took about eight hours,” he said. “We were protected, but we had gotten complacent.” A mistake it hasn’t made since.

Survey Says: Small Business Unprepared
The lesson Arlington Lithograph learned years ago hasn’t sunk in yet with a large percentage of small businesses, according to a survey of 1,000 companies with between 1 and 100 employees conducted by the Small Business Technology Institute. The Small Business Information Security Readiness report, which was produced in conjunction with Symantec Corp, indicates that information security exposure is growing as small businesses deploy increasingly sophisticated technology and automate more of their operation.

“Small businesses are reactive and usually make purchases of information security products only after suffering an information security incident. ” — The Small Business Technology Institute

The message the SBTI hopes the report delivers is a straightforward yet critical one: If you haven’t already, you need to protect your business from the productivity and economic losses that can occur when data is compromised as a result of viruses, hackers, privacy threats or disasters. The report says that small businesses are “largely unaware and uneducated about information security risks and their economic repercussions.”

Small businesses have a “complacent and passive attitude toward information security protection,” according to the report. Many small businesses do not have even the most basic security measures in place, and they are not increasing their level of investment in information security products to match the level of risk.

Here are some rather sobering findings from the Small Business Information Security Readiness report:

• Twenty percent of small businesses have yet to implement even virus scanning on their e-mail.
  
• Most small business respondents (56 percent) report at least one security incident in the past year. Those incidents include unexplained changes to system data; systems failure; information loss or data corruption; theft or fraud involving computers; staff misuse of information systems; unauthorized access by insiders; unauthorized access by outsiders; computer virus, spyware or other malware.
  
• Most small businesses (about 70 percent) consider information security a very high or high priority and exhibit a generally high level of confidence in their existing protective measures (about 80 percent) — a confidence that seems to contradict the prevalence of security incidents reported by those surveyed (see above).
  
• The biggest impact of information security incidents for small businesses is on personal productivity. Because it’s difficult to measure the financial impact of productivity loss, small businesses may ignore or downplay the effects of information security incidents.
  
• Less than 30 percent of small businesses have increased their security spending in the past 12 months.
  
• Only 43 percent of small businesses allocate specific budget for information security.
  
• Seventy-five percent of small businesses undertake no information security planning at all.
  
• Small businesses are reactive, the report suggests, and usually buy information security products only after suffering an information security incident.

Back at the Printing Plant
Not wanting to join the ranks of the survey respondents who have experienced security-related incidents, Faiola and Arlington Lithograph’s 25 employees keep a vigil for malware and other threats to their network and their customer’s data.

The nature of Arlington Lithograph customers is both a blessing and a potential curse. On the plus side, almost of all the printer’s customers use Macs, which have been traditionally less prone to viruses. “I don’t remember the last time someone gave us a PC file.” Also, the company doesn’t receive many job files through e-mail, due the size of those files (although the office staff does receive e-mail from customers).

Faiola said Arlington Lithograph doesn’t maintain its own FTP server (“if companies are big enough to transmit files, they have their own FTP servers”). “Companies would rather FedEx than upload big files. Also, between sales people and delivery people, we can get the disk.”

On the downside, Faiola said, his customers aren’t the most stringent in terms of their own computer cleanliness. “Designers tend to be artistic. They don’t think about it [security]. Last year, we were hit with the NetSky virus. I could tell from the addresses that it was coming from graphics industry people.”

Having the Tools Isn’t Enough
While the company has used Symantec’s Norton AntiVirus since the late 1980s, it wasn’t until the AutoStart scare in 1998 that Arlington Lithograph understood the need to maintain an up-to-date system. When they contracted the virus, they realized that they didn’t have the updated Norton AntiVirus definitions. “We downloaded the current virus definitions and scanned the computers, cleaned the customer’s media,” said Faiola. The company continued to receive the AutoStart virus from customers for the next four years, but Norton AntiVirus corrected and repaired it each time.

“We have some very sophisticated printing software installed on several of our machines. If we were to lose those systems, it would require expertise to re-install and we don’t have that in-house. ” — Mike Faiola, Arlington Lithograph

Currently, the printer uses Norton Internet Security 2005 (for both PCs and Macs) and Norton SystemWorks 2005 Premier. Faiola said the company also has Symantec Ghost (Norton SystemWorks 2005 Premier) standing by, “but we haven’t had to use it.” He said that Ghost is good insurance because of the elaborate computer settings needed to output files to proofing systems, computer-to-plate systems, RIPs and so on. “We have some very sophisticated printing software installed on several of our machines. If we were to lose those systems, it would require expertise to re-install and we don’t have that in-house. We’ve used Ghost to image the hard drives, so that if a computer fails, we can pop the Ghost disk in.”

As an added safeguard, Faiola said, “every six months to a year, we take off all the applications from production computers and do a low-level reformat.” The company also backs up both production and office computers every night. “It’s all CDs, no tape,” he said.

Faiola credits Symantec’s products with keeping the company out of trouble and said he has no plans to change how it secures its operation, “but we have no loyalty to one vendor if we needed to change.” A reminder that vendors serving small business best not get complacent themselves.

Dan Muse is executive editor of internet.com’s Small Business Channel, EarthWeb’s Networking Channel and ServerWatch.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!