Case Study

What would you do with this business?

Daniel Rosenbaum for The New York Times Peter Justen: ” I had known him for more than 15 years.”

Last week we wrote about the situation faced by Peter Justen, chief executive of MyBizHomepage, after the company’s former chief technology officer set in motion a series of crippling cyberattacks against the company’s Web site.

Once valued by its investors at $100 million, MyBizHomepage was founded in 2006 by Mr. Justen as a way to help small-business owners access financial metrics that can help them run their companies. But then, apparently angered by Mr. Justen’s decision not to sell the company, the chief technology officer tried to start a competing company. When Mr. Justen found out, he fired the officer along with two co-conspirators. And that’s when the cyberattacks began. They rendered the site all but useless, and Mr. Justen struggled with what to do next.

In February 2009, Mr. Justen and his board concluded that they would have to take the site offline, which would effectively close the business and saddle board members like Joe Silbaugh, who had invested more than $1 million, with a devastating loss. “We essentially had no choice because we no longer had a product,” Mr. Justen said. “We also decided to be up front about the decision and explain what happened along with an apology. When bad things happen you can hide under the rug and hope it goes away or you can go public with it and take the teeth out of the tiger. Some people were understanding while others were not.”

The decision did not please the company’s vendors, some of whom quickly filed suit over unpaid bills. But many of the company’s channel partners, who helped distribute the product, decided to stay on. “They told me they liked our product, and they were going to stick with us,” Mr. Justen said. “In tough times, you really get to see who your friends really are.”

Ignoring advice from his lawyers, Mr. Justen, who also had invested heavily in the company, decided not to declare corporate bankruptcy because he did not want to give anyone the opportunity to purchase the company’s intellectual property. He also turned down multiple offers to leave the company and take salaried employment. Rather, he asked his original investors to support him in rebuilding the company from scratch. “We held a shareholder meeting and I told them I would kill myself in trying to restore the company to what it should have been,” said Mr. Justen, who also liquidated his 401(k) and his children’s college funds and invested the money in the company. “Fortunately, they gave me that chance.”

Mr. Justen spent the next two years rebuilding the company, which is now called Five Plus. It features an online subscription software package that synchronizes with a company’s QuickBooks software and presents an easy-to-digest version of critical financial figures such as accounts payable, accounts receivable, cost of goods sold and cash on hand. The new software also embraces social media technology, enabling users to connect with each other and to compare their financial results with those of their industry peers.

While the new business is up and running, Mr. Justen said he and the business remain under cyberattack. In one instance, he was forced to fend off a denial-of-service attack against the new site that attempted to redirect his customers to a site where fraud claims against Mr. Justen and the company’s investors (including Mr. Justen’s 87-year-old mother and deceased father) had been posted. Mr. Justen said he continues to work with the United States Secret Service in attempting to track down the former chief technology officer.

After this case study was published last week, the unnamed former employee contacted The New York Times and identified himself as James Bird. He denied that he had been on the lam and offered an address in Santa Monica, Calif., where he said he is living. While asserting that Mr. Justen owes him $25,000, Mr. Bird acknowledged that he had in fact hacked the MyBizHomepage site.

Mr. Justen discussed the experience — and responded to reader comments — in a brief interview that has been condensed and edited.

You have said that you discovered after the attacks that Mr. Bird had been living off the grid — no driver’s license, not paying taxes. Didn’t you have to have his Social Security number to pay him?

Yes, we paid him as a contractor and did have a Social Security number for him. But what are you going to do with it? He doesn’t use it for anything we could track him with. He doesn’t have credit cards or bank accounts. He paid cash for everything, including his car.

Why didn’t you run a background check on him before hiring?

I had known him for more than 15 years. I was like a mentor to him. He came over to our house for dinner six times a month and played with my kids. He was a very talented software engineer and I highly trusted him.

Why was he upset after the sale of the company didn’t go through? What was in it for him?

He had stock options in the company that would vest over different triggers or events, like a sale. He was in line to make a substantial amount of money.

Were you surprised that two of your senior officers went along with Mr. Bird?

Yes, I was quite surprised. One of them had worked for me for three years as a trusted financial adviser. I think they just got caught up in the drama of it all. I terminated all three individuals on the same day.

Do you think Mr. Bird had help in sabotaging the company?

Yes, I think all three of them worked together. Jim did the technical stuff and the other guys did the rest. They went to our clients and told them they were starting a new company and that Peter’s company had failed. They would even pull up the site, which Jim would then crash, as proof.

What lessons do you draw from this experience?

I realize I made many mistakes and I have learned a number of things from this experience. Inspect what you expect and trust but verify come to mind. A big lesson I learned was to separate business from personal. I let my personal emotions cloud my better business judgment.

What do you say to the readers who asked why you didn’t conduct a security audit on the system?

When you’re a start-up, you have to make some tough calls about where to spend your money. You throw nickels around like they’re manhole covers. At the time, there didn’t seem to be any reason for us to spend $70,000 to verify something that didn’t seem to be a risk. Jim was a cyber security expert. Our software was rock solid against attacks from the outside. I just never expected someone I trusted so much and had known for so long to do what he did from the inside. That’s why with our new system, no one else has all the keys to the kingdom and we keep multiple copies of our backup code in different locations. We’ve taken as much precaution as is humanly possible to make sure this doesn’t happen again.

What did you do to protect your customers once you knew the system had been hacked?

The customer information was never a target. As part of our design, we never collected any personal data on our customers like bank account information. That was part of our design. All we collected was data like company revenues and receivables. But it wasn’t connected to any personally identifiable information.

Were you surprised by the reactions of readers?

I’ll admit that I thought some of the comments must have come from people who have never stepped foot in the arena and tried to start a company — people who never shed blood, sweat and tears trying to build something. But when you hear from customers who tell you that what you built helped save their company, that’s what makes it all worthwhile.

Article source: http://boss.blogs.nytimes.com/2012/08/29/starting-over-after-a-cyberattack-shuts-down-the-business/?partner=rss&emc=rss