An old-school newspaperman, Dubroff initially focused his efforts on production, printing and circulation. Soon enough, though, he added a website where subscribers could snag news updates on a daily basis. Securing the whole operation amounted to installing a heavy deadbolt on the door to company headquarters.
"During the early years, we didn't even think of needing a firewall, much less a good one," says Dubroff, 57.
Then came the attack. Back in 1999, the firm's research director downloaded a vicious computer virus masquerading as a legitimate data file that tore through the advertising run sheets and wiped out the company's main hard drive. Dubroff spent $15,000 on IT jocks to clean up the mess and recover what they could — not exactly chump change for a young company then pulling in a wee $1 million in annual revenues.
Says Dubroff: "There's nothing like being on the receiving end of a big Internet attack to re-focus your attention."
Since the attack, Dubroff regularly backs up core company data and stores it in a secure location. He also makes sure accounting and billing data isn't stored on hard drives connected to his company's network.
Like it or not, running a competitive small business involves having at least a decent grasp on technology. That's why, with help from the smart folks at technology publisher O'Reilly Media, we've assembled a glossary of security tech terms that every entrepreneur should know.
Don't let the jargon scare you. If entrepreneurs want to achieve operational excellence while keeping technology investment in check, they have to be able to at least speak the language. And you don't have to be a member of the geek squad to fathom the implications these issues — especially security — have on strategy and budgeting. Even if you don't move billions of dollars or reams of proprietary data through your systems, security breaches can seriously disrupt you business.
After the nasty attack, Dubroff knew he needed consistent, dependable IT help. His accountant recommended Limotta Internet Technologies, in nearby Solvang, Calif., which continues to maintain Pacific Coast's firewalls and provides security system updates remotely.
"They help us use [a system based on] PGP — for 'pretty good privacy' — which deals with 90 per cent of security problems that come up," says Dubroff, who has since added more than a few terms to his technology vocabulary. "That's how I've learned the widespread benefits of asymmetric encryption." (Translation: This form of tech armor uses a pair of "keys," one public and one private, to encrypt data and verify its contents; if you encrypt data with a private key, only people with your public key can decrypt it and visa versa.)
While Dubroff still refuses to put any of his company's financial information on a computer connected to the Internet, he has beefed up his own online marketing assault to boost circulation. The journal blasts 5,000 e-mails three times a week, alerting select subscribers to special features and breaking stories.
Of course, the more you put yourself out there, the more bad guys you attract.
Phishing is the most pressing external security threat Dubroff must dodge — and the attacks get better each time, he says. In this scam, fraudsters forge counterfeit e-mails with corporate logos in an effort to fool victims into logging onto bogus websites. And it's not just marquee names like Wells Fargo that scammers choose to mimic; overseas scammers can even disguise themselves as your local and trusted savings and loan. From there, the attackers can steal login information, often to online bank accounts. Slimy stuff.
A variant on this maneuver is something called a man in the middle attack. Here, the offender inserts himself into an online conversation and acts as transparent proxy between both sides in order to steal private information.
Yet another security challenge Dubroff and his fellow publishers face stems from supporting a so-called hybrid environment run on both personal computers and Apple Macs. The problem: PCs are more prone to security breaches, which could, in turn, infect the Macs.
"That's why it's never bad to set up a DMZ," says Dubroff, by which he means a no-man's land where companies place servers that must serve both external requests from the Internet and a company's internal intranet.
The DMZ typically consists of an external firewall, an intermediate network and another internal firewall leading to the intranet; even if an attacker hacks through the external firewall into a server in the DMZ, he would still have to breach another firewall to reach the intranet.
Maybe he's overly paranoid, but Dubroff always considers the possibility that, as his business grows, more ex-employees will be floating around in cyberspace with a host of company log-ins. Authentication measures ensure that only legitimate outsiders can access the company's proprietary databases. Access controls add further protection: These keep users out specific areas of the system.
There's the user-experience to think about, too, of course. After all, having to keep track of myriad passwords is enough to drive anyone nuts.
Tough, says Dubroff, who abhors the single sign-on approach, which uses "wallets" that store user names and passwords for various sites. (When users revisit a site, the sign-on system automatically "unlocks" the user name and password for that site.) He'd rather his staff be a bit inconvenienced than have access to a master code that could easily fall into the wrong hands.
If you need IT help, Dubroff suggests avoiding large vendors who might not take the time to learn your business and determine what you really need. Instead, ask local law firms, bankers and accountants whom they use.
"They're the guys who will know what's best for your growing business, especially if you're not a techie," he says. "Trust me: Spending a couple hundred dollars a month on a privacy/security routine is money well spent."