In Depth

Three Companies that Fought Back

Standing your ground isn't always easy—or popular. But three business leaders tackled their security challenges head-on, and won.

By Scott Berinato, Sarah Scalet

October 01, 2006 — CSO — Not every company can afford a security executive. Even if you're from a large company with a chief security officer and full security staff, you know this from working with companies who don't have that

luxury. And if you're from a smaller company, then you know that you face the same threats the big guys facemalicious code, piracy, counterfeiting, identity theft.

But when a small or midsize business faces a real and serious threat, without a full complement of security staffers, an executive leader and a considerable security budget to fend it off, what is that company to do? Pierre Corneille, a 17th century French playwright once said, "Flee an enemy who knows your weakness," and some companies will, understandably, do just that.

But a few brave people at a few small businesses have a different reaction. They decide to fight back, to play the role of CSO themselves, with help from law enforcement and others, in an attempt to stop the steady flow of attacks on their businesses. They make loose calculations in their heads that a little more pain and cost now could lead to a lot less later on, if they can just break the cycle.

Here we present three of those stories, each focusing on a different threat and a different reaction to the threat:

Peter Capolino, president of Mitchell & Ness Nostalgia, which makes popular—and

popularly counterfeited—pro-team jerseys, had enough with fakes being sold on eBay, so he turned his administrative assistant into an anticounterfeiting crusader.

The network administrator at a healthcare company that suffered a three-day network outage dueto a denial-of-service (DoS) attack didn't have the resources to fight back. But then during a sales pitch by a security vendor, he got an idea.

Finally, at US Digital Media, Alane Pignotti wanted to stop the diversion of her blank CDs and DVDs to pirates. So she set up a sting operation.

All three stories provide valuable insight into how small and midsize businesses can fend off security threats, what kind of mind-set it takes and what those businesses can hope for as a return on their investment in Doing the Right Thing. We'd love to say that the ROI is obvious, that all three of these stories have fairy tale endings with the good guys coming out on top and the bad guys vanquished, but security (or life) doesn't work like that.

So is the decision to fight back noble or quixotic? Smart business or a huge risk? Worth it or not worth it?