Senate Committee on Small Business

Mar. 9, 2000

Testimony of Roger Farnsworth

Cisco Systems Inc.

Chairman Bond, Senator Kerry, distinguished Members of the Senate Small Business Committee, I appreciate the opportunity to speak with you today about security on the Internet for small and medium businesses. My name is Roger Farnsworth and I am a manager for security products marketing with Cisco Systems Inc. As you may know, Cisco is the world’s largest manufacturer of equipment that connects people and businesses to the Internet. It is also a leading provider of security systems and expertise. Cisco employs 26,000 people, is headquartered in San Jose, California, and also has significant operations in Massachusetts, North Carolina and Texas.

Questions of security are particularly timely right now, as you know, in light of the recent wave of distributed denial of service attacks against big-name Web sites such as CNN.Com, EBay, E*Trade and Yahoo! And these issues are important to companies of every size as they begin to realize the power and value of e-commerce. The No. 1 reason people cite for not buying on-line is fear over security or privacy. Today I’m here to suggest that these concerns can be addressed, and that security fears should not deter America’s small businessmen and women from going online.

A few years ago, when Cisco Systems boldly predicted that the Internet would change the way we work, live, play and learn, hacking incidents of this type might have been mildly interesting but certainly wouldn't have been cause for alarm. Today, it's a different story. An attack against the digital domain can be considered an attack on us all because the Internet has become such a driving force behind the new global economy.

  • Nearly 40% of small businesses in the United States are now online, up from 19% in 1998.
  • Last year, the Internet Economy generated more than $500 billion in revenues and 2.3 million jobs in the United States, according to a University of Texas study.
  • Of 3,400 businesses surveyed to measure the size of the Internet Economy, more than a third did not exist before 1996.

This expansion so far is astounding, yet the growth is likely to continue. Analysts estimate more than 3.5 million small businesses will be online by next year, and the Internet Economy will be worth $2.8 trillion by 2003.

Business leaders recognize the strategic role the Internet plays in their company's ability to survive and compete in the new millennium. If you're a retailer, you went out of business a few years ago if you didn't have an ad in the yellow pages. Now, you've got to have a Web site or you lose a large portion of your potential shoppers. If you were a bank in the 1980s, you had to add an ATM machine outside your branch or risk losing deposits. Today, you'd better be looking into online banking, bill payment and lending or your competitors will do it first and put you out of business.

Making money in the new millennium means facing up to the reality that you either go online or go home. This is particularly true for small and medium businesses because, frankly, the competition from large operators has never been more fierce. The big dog isn't just the chain operation across the street; in the Internet Economy it can be a company you've never seen because it's out of town, out of state, or out of the country.

For some, that's going to be pretty frightening. But there's also a great opportunity here for small and medium businesses because everyone is the same size in that box sitting on customer desktops. The Internet levels the playing field between large and small businesses. Amazon.com, for example, realized it could leverage the efficiencies of the Internet to take on the likes of Crown Books and Barnes & Noble. Online booksellers can charge just 5% gross margin while equaling the return on investment capital that brick-and-mortar booksellers can only achieve by charging 30% margins. Similar economies of scale can be applied to many small and medium business categories and we're starting to see many companies taking advantage of that. Smaller companies will continue to seek online opportunities to increase their visibility and compete with larger establishments.

The key to competing in the Internet Economy is in recognizing the efficiencies of online commerce and moving faster than the other guy to take advantage of them. Time becomes the great differentiator rather than size. The big no longer beat the small. In the Internet Century, the fast defeat the slow.

To accommodate this new model, we as an industry have worked very hard to build wider digital highways to carry more online traffic more quickly. Everyone agrees that faster access to the Web is a good thing. But, as we saw with the recent hacker attacks, that's a double-edged sword. By continually improving this efficient highway system, we make it possible for a few misguided or malicious individuals to block traffic on the highway for everyone else. Unfortunately, you can't always stop people from running into the middle of the road to cause a problem. The key is how quickly you detect, respond and clear the traffic jam.

The Internet is still by-and-large a very safe place to be. It's still an essential part of today’s business. What we've seen in recent weeks was a pothole on the information superhighway. Potholes happen. But Internet commerce didn't stop, and it won't stop any more than you'd expect a restaurant to shut its door after a break-in or a power company to shut down after a storm-caused outage.

However, businesses do need to step up to improve their Internet security and awareness. Security is essential if a company is going to successfully compete in the Internet Economy. Whether you're a small, medium or large business, you have to take a holistic approach to securing a network. At home, you leave a light on at night to deter burglars. You lock your doors and windows. You might have an alarm system, and when triggered that alarm might call the local police department. Network security deserves the same attention – no more, no less – that you give to your brick-and-mortar business.

Cisco has a well-respected security consulting team that has evaluated the security posture of hundreds of networks over the past few years. Based upon our extensive evaluations of the strengths and vulnerabilities in all types of systems, we acknowledge that no network can ever be 100% secure. However, companies that are serious users of the Internet should take a proactive approach to Internet security with the goal of developing an intelligent self-defending network that eliminates most risks. This would be a systems approach to security where an array of products work together to recognize threats, implement policy in a distributed fashion and enforce security in a consistent manner, dynamically and in real-time.

A number of technologies and services are increasingly important to Internet security. These include the ability to provide identity infrastructure, perimeter security, data privacy, security monitoring tools and policy management. Cisco believes that, in the future, these types of solutions will become increasingly integrated in the fabric of customer networks. They will be ubiquitous, appearing at all access points and all places in the network where information moves. Most importantly, we believe these tools will be transparent to the end users -- the customers. This is critical because users have a strong aversion to roadblocks that make it more difficult to get where they're going on the Internet, things like password windows, grant/deny authorizations and so on. By implementing a transparent, ubiquitous and integrated security solution -- or an "intelligent self defending network" -- small and medium businesses can enable customers to reap the benefits of the Internet Economy.

Now many small and medium businesses don't want to deal directly with any or all of these issues. They cannot afford complex defensive systems or teams of security professionals. And the good news is, they won’t need them. More than half of small businesses will outsource responsibility for running their corporate Web sites to an Internet Service Provider or Web Hosting company. The ISP or Web Host will be tasked with securing the sites. And smaller sites with fewer points of contact to the network are generally less likely to face the same attacks that high profile sites invite.

Nevertheless, small and medium businesses can take some basic online precautions to protect themselves, their employees and their customers that do not increase costs or require full-time experts. Included with my printed testimony is a preliminary list of 10 Basic Cyber Security Tips for Small and Medium businesses. These are also available on Cisco’s public Web Site at www.cisco.com/go/gov, under Net News.

I hope that my comments today have been helpful to you and your constituents. Again, thank you for having me here. I'd now be happy to walk through our ten cyber tips or entertain any questions you may have.

 

 

CISCO SYSTEMS’ "10 BASIC CYBER SECURITY TIPS FOR SMALL BUSINESSES"

  1. Encourage or require employees to choose strong passwords. Hacker programs available on the Internet contain tens of thousands of common passwords, which can be used to break into unsecured computer systems. A password should have a minimum of 8 characters. They should be non-dictionary words. They should combine upper and lower case characters. You can even mix in a symbol, like a $. An ideal password might be something like 2B3#N3$.
  2. Require new passwords every 90 days. By the time a hacker gets your password, it will already be outdated.
  3. Make sure your virus protection subscription is current. Most businesses purchase virus protection programs from companies like Norton or McAfee. These companies regularly offer patches and updates to their programs to respond to new threats. Companies should regularly check for defense improvements and be sure their subscription to virus protection updates remains current.
  4. Educate employees about attachments. Just because it's in the "in-box" doesn't mean it's been cleared through any security mechanism. Attachments, particularly executables (with .exe at the end) can be dangerous, dropping off a little software code called a "Trojan Horse" that corrupts your system or allows it to be infiltrated at a later time. Employees should be educated about security basics, including the need to avoid opening attachments from unknown sources.
  5. Install a total solution. If you’re securing your own system (instead of relying upon an ISP or web host), don't just throw a firewall at a network and call it secure. Firewalls do a great job of securing a perimeter, but no one device will do the trick. Complete solutions should include firewalling, intrusion detection and policy management.
  6. Assess your security posture regularly. Don't secure and run. Hackers are constantly updating their technology. Small and medium businesses need to know how they stack up against the most current types of attack. If you’re relying on a Web host or ISP, be sure to choose a vendor who is security savvy. Compare their offerings to those of other companies.
  7. When an employee leaves a company, remove the employee's network access immediately. When asked to evaluate the internal security posture of networks, the Cisco Security Consulting team finds vulnerabilities in almost every network tested. Just as you ask departing employees to turn in their keys to the front door, you should take away their key to the network when they leave. Disgruntled employees are the greatest threat to any system’s security.
  8. If you allow people to work at home, provide a secure, centrally managed server for remote traffic. Telecommuting increases worker satisfaction and productivity. But it also presents a security challenge. It makes little sense to spend $10,000 on a security system for your Web site while you allow people to dial-in to your network unabated.
  9. Update your Web server software regularly. Stay on top of security updates and patches. These are often available for free over the Web. Make sure you're always running the latest versions of software to stay ahead of hackers, who are certainly working to stay ahead of you.
  10. Don't run any unnecessary network services. If your employees don't need Web access, don't provide it. If you don't need services such as NFS, Finger, Echo or some of the other programs that are routinely provided with software suites, make sure they're turned off. Often, a variety of services are provided by default in a program. Exploitation of these services is one of the most common hacks seen by Cisco's customers.

All contents copyright © 1992-2001 Cisco Systems, Inc.