The way the security-industry experts see it, if you're a small-business owner, Internet security is your problem.
Not your IT department's problem. Your problem, and your responsibility.
That doesn't mean you, as CEO, must fiddle with the actual nuts and bolts protecting your valuable information. But it's in your best interest to understand what's at stake, help craft an overarching strategy, and stay on top of security initiatives -- just as you would with any other major activity in your company. Following are three suggestions for doing that.
1. Make security a business priority.
The National Cyber Security Summit Task Force, an industry group, recently issued a "Call to Action " urging companies of all sizes to help "strengthen America's homeland security" by taking a comprehensive, high-level approach to shielding their systems. "Information security is not only a technical issue, but also a business and governance challenge," says the report, which suggests specific security-related tasks for CEOs and other top executives. "Effective security requires the active engagement of executive management to assess emerging threats and provide strong cyber security leadership."
That approach is at least as important for small companies as big ones, says Larry Clinton, chief operating officer of the Internet Security Alliance , a nonprofit trade association based in Arlington, Va. However, he continues, many SMB owners don't understand just how vulnerable their companies may be. According to ISA research, SMB executives generally feel they're safer than their Fortune 500 brethren when it comes to network break-ins, crippling virus attacks, and other security breaches. That's a dangerous misconception.
In fact, most hackers are equal-opportunity intruders, meaning they scan the Internet for any available security loophole, whether it's at a global financial institution, a midsized manufacturer, a local retailer, or a home-based business. Viruses and Internet worms don't necessarily target companies of any particular size, according to the ISA and other organizations specializing in online security . But because small enterprises often have less stringent security than large corporations, Clinton says, they often get hit more frequently.
Case in point: The Mydoom worm (and several later spinoffs) that flooded the Internet in January 2004, slowing servers and, in some cases, installing programs that could allow outsiders to penetrate systems, steal information, and remotely control computers. "One in three small businesses was affected by Mydoom," Clinton says. "For larger companies, it was one in six."
And the damage may be proportionately more severe for SMBs, says Clinton, who recently testified about SMB issues at a U.S. House of Representatives subcommittee hearing on improving public awareness about cybersecurity measures. "Large companies can afford to take some hits," he points out. "Smaller ones have smaller margins. A major outage or million-dollar damage can put them out of business." Substandard or outdated security also puts SMBs at greater risk from targeted attacks from, for instance, disgruntled former employees or shady competitors.
For that reason, small-business CEOs "need to understand that, in today's world, their security plan is just as important as their marketing plan," Clinton says. "It's now an integral part of their business. They don't need to do the work themselves, but they do need to have it in their business plan."
2. View and treat security as a work in progress.
New threats keep evolving, as do new solutions for combating them. Among the latest at this writing are browser-based attacks , which rose 25% between 2003 and 2004, according to the Computing Technology Industry Association . Those attacks involve harmless-looking websites that are actually booby-trapped with malicious code that crashes visitors' browsers, sabotages their computers, or lets attackers access sensitive or confidential information. For that reason, it's important to realize that security is always, always a work in progress: "The idea that 'I just bought security software, so now I'm safe for the next four years' is a fallacious one," Clinton says. The growing use of wireless networks, instant messaging, and other new technologies creates new security risks.
SMBs must also constantly adjust policies and practices to cope with threats and keep employees, contractors, and customers posted on those changes. One widespread example: Many companies now restrict or ban the use of e-mail attachments, which can carry viruses.
3. Start with the basics -- but don't stop there.
First, if you haven't already done so, take those simple low- and no-cost steps that security experts have drummed into our heads for years: Choose hard-to-guess passwords and change them often. Back up all important data frequently. Use and update virus-scanning software.
In addition, disseminate security best practices. For example, encourage employees to turn off their computers or disconnect them from the Internet when they're not in use. Limit access to sensitive and confidential information. Enlist managers in making sure unused e-mail, voice mail, system access, and other accounts are shut down as soon as workers or contractors leave the company. (For more recommendations, see ISA's free, downloadable SMB cybersecurity guide . Written specifically for small-business entrepreneurs and executives, the 37-page PDF includes actual case histories as well as advice.
Meanwhile, develop a business-oriented security plan. A free downloadable Cisco Systems Inc. report , What You Need to Implement a Network Security Solution , recommends considering the following strategic questions as you do:
- Government regulations, industry standards: If applicable, what must you fix to comply?
- Customer protection: How can you safeguard individual and corporate customers' confidential information -- and how can you assure them that it's protected?
- Risk level: What are your most mission-critical applications? What do you see as an acceptable level of risk?
- Corporate policies: What in-house rules will you establish? How will you monitor and enforce them?
Finally, keep in mind that nothing is ever 100% safe. Your best bet is to aim for flexible, scalable, well-integrated approach to security so that when problems arise -- and it's smartest to assume that they will -- you can respond quickly and minimize the impact.
With that in mind, security expert Tom Kellermann, senior data risk manager for The World Bank in Washington, D.C., suggests in his "Electronic Safety and Soundness" guidelines that you approach any security initiative with three sobering axioms in mind:
- Attacks and losses are inevitable.
- Security buys time.
- The network is only as secure as its weakest link.
Internet Security Alliance
Resources include Common Sense Guide to Cyber Security for Small Businesses , a free downloadable 37-page PDF file with information and real-life examples.
National Cyber Security Alliance
Resources include an online beginner's guide to Internet security threats and a quick online self-test to help determine your organization's vulnerability. Also maintains a user-friendly security glossary .
U.S. Computer Emergency Readiness Team (US-CERT)
Resources include the National Cyber Alert System , part of the U.S. Department of Homeland Security; system provides updates on Internet security threats.
Additional Online Resources
Overview of Internet attack trends , from the CERT Coordination Center at Carnegie Mellon University
Information on the federal government's National Strategy to Secure Cyberspace , part of the larger National Strategy for Homeland Security
CSO (Chief Security Officer) magazine resource center
Seven simple computer-security tips for small-business and home-computer users, form the National Infrastructure Protection Center
Microsoft Corp.'s e-Security Guide for Small Businesses .
ServGate Technologies Inc.'s white papers on network security, spam control, and virus protection
Cisco Systems Inc.'s white paper, What You Need to Implement a Network Security Solution, a seven-page PDF file
VeriSign Inc.'s Internet Security Intelligence Briefings , updated periodically with information about fraud and attack trends